Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Yggdrasill
Yggdrasill Author
User level: Level 1
0 points

Os X Lion Server, NAT and DHCP.

Hi *,



for month now, I'm using a Mac Pro with Mac Os X Server Snow Leopard as the default gateway for my "Apple" subnet.

With the Lion release, I upgrade my Mac.

First of all, I was really disappointed to see the migration totally screwed up my configuration. During the install, the Installer told me migration failed or was skipped.

Indeed, after the first boot, all my servers settings where gone. Hum.


So I made a reinstall, and configured everything from scratch.

I followed the Apple documentation for Lion Server but with this Mac Os release, I'm unable to configure DHCP or NAT with my network settings.

All the time I start Internet Sharing, NAT or simply IP forwarding, the server change his ip settings for the internal interface and use 192.168.2.x/24 address.

My whole subnet is in 172.16.84.0/27. How can I fix it and force Os X Server to use _my_ ip settings and not default one?

Is this a way to get "advanced" configuration instead of "3click-and-make-it-run" ?

I can see in the Preferences Panel that all my IP settings are fine, but an ifconfig in cli only returns me an IP in the wrong range and there is no connectivity with my real network.


The problem is the same for DHCP.

If I configure the DHCP service with my subnets, I declare my ranges,... exactly as I did in Snow Leopard (and which was working perfectly).
But, from times to times, the configuration is erased (even if I don't use the Gateway Setup Assistant).
I often see a new range added in the 192.168.2.0/24 subnet, which keep coming even if I remove it.

Even with all references removed to this range, service restarted, the server continues granting leases in the 192.168.2.0/24. And nothing for the subnets I declared.

This server is also the DHCP server for Time Capsule client. Indeed, my TC is bridged on the network and there is no DHCP running except on the Server.


I also tried to let the Gateway Setup Assistant do his work and after, edit settings by hands via Server Admin, same problem.

The Server doesn't care about my settings and NAT/DNS/DHCP doesn't work.


A little quick draw to make things more obvious :



--- Internet ---- Firewall ---- DMZ ---- Mac Pro ---- Apple_Lan --- TimeCapsule


Mac Pro en0 : 172.16.83.1/29

Mac Pro en1 : 172.16.84.30/27



Does anybody has anything in mind to help me ? any tracks ? feedback ?


Cheers,



Yggdrasill.

Mac Pro, Mac OS X (10.7), Mac Os X 10.7 Server

Posted on Jul 25, 2011 2:05 AM

Reply
33 replies
User profile for user: jmelaragni
jmelaragni
User level: Level 1
5 points

Jul 25, 2011 2:22 PM in response to Yggdrasill

I have/had the same problem. Comparible setup running Lion Server GM. The natd service fires off the InternetSharing service from the prefspane instead of the regular natd service. This is verifiable by entries in the system log as well as the lack of the natd process running. Below are my findings from research/experimentation; please understand that this is what I have done to get it working, it is DEFINITELY not best practices and I'm sure not supported by Apple. I'm just conveying what I think is happening and how I dealt with it.


Natd - Executing the binary referenced in the launchctl job directly launches the InternetSharing service on Lion server. This does NOT act this way in SL server, where it works as expected. Replacing the Lion binaries with The SL ones results in natd working as expected: nat_start and nat_stop in /usr/libexec. In short, if you replace the Lion binaries with the ones from SL, it-s a drop-in fix. Natd isn't your only problem though...


Dns/named - It appears that Apple has limited named to binding on the loopback adapter only by default on Lion. Adding a listen-on clause to named.conf with the appropriate bindings will fix this. I'm assuming you're running natd, named and dhcpd on the same box...


Dhcpd - Works fine. It appears broken only because the InternetSharing service is replacing natd (why?!?) and it has a built-in dhcpd server (dumbed down 192.168.2.0 subnet). Once you fix natd, this runs as expected.


Firewall/ipfw - Gotta have this running so that natd will do translation. Remember to open the dhcp ports to allow the clients to get leases...


I hope this helps, I'm sticking with SL until these issues are worked out...

Reply
User profile for user: jmelaragni
jmelaragni
User level: Level 1
5 points

Jul 25, 2011 2:41 PM in response to Yggdrasill

Also, you can get around replacing the binaries by launching natd directly from the console and adding the divert rule into ipfw. The problem is it's not perm and if you access the firewall service in SA you'll overwrite your divert rule...


You'll want the natd.conf.apple file from /etc/nat on your SL box. Then do the following as root:


ipfw add 00010 divert natd ip from any to any via (ext int name here)

/usr/sbin/natd -config /path/to/SL/natd.conf.apple


The rule number MUST be 00010. Ext int name can be found using ifconfig...

Reply
User profile for user: ronbeltek
ronbeltek
User level: Level 1
0 points

Oct 30, 2011 7:28 PM in response to ivanberton

I have been struggling with getting port forwarding to work under Lion (not server) for my media mac to an AVR connected by wire.

Getting the AVR to see the internet was no problem, just configuring the net interfaces (internal must be 192.168.2.0 until apple fixes that bug) and turning on InternetSharing.

But port forwarding for the AVR's control port was not working after trying all sorts of things.

I realized that InternetSharing sets rules to PF once it starts, under the anchors that are predefined in /etc/pf.anchors/com.apple. (BTW, InternetSharing also enables pf )


If you probe with pfctl after starting InternetSharing, you can see the rules and new anchors that it created.

One of the anchors was 'natpmp'.

I used this command to set my rules and it worked!

pfctl -a com.apple/100.InternetSharing/natpmp -f 910.onkyo

(obviously rules are in 910.onkyo. man pf.conf for rule syntax)


So, I did not set my own anchor (which didn't work). It only worked when I associated my rules with that anchor.

This has to be done after InternetSharing is started, of course.


HTH!

Ron

Reply
User profile for user: arcusak
arcusak
User level: Level 1
9 points

Dec 14, 2011 9:31 PM in response to Yggdrasill

same issue.


i was using a 172.16.x.x network in 10.6 ... once transferred and upgraded to 10.7... NAT will not start.


does anyone have a working suggestion that doesn't involve using 10.6 binaries or completely redoing everything from scratch to work in stupid 192.168.x.x address space? i'd rather continue using 10.6 than do that.


it is just getting a bit annoying not being able to run 10.7 Server as 10.6 Software Update Server won't host 10.7 updates and i am getting more and more 10.7 machines...


thanks.

Reply

Os X Lion Server, NAT and DHCP.

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up