Yggdrasill

Q: Os X Lion Server, NAT and DHCP.

Hi *,

For months now, I've been using a Mac Pro with Mac OS X Server Snow Leopard as the default gateway for my "Apple" subnet.

With the Lion release, I upgraded my Mac.

First of all, I was really disappointed to see the migration totally screw up my configuration. During the install, the Installer told me the migration failed or was skipped.

Indeed, after the first boot, all my server settings were gone. Hum.

 

So I made a reinstall, and configured everything from scratch.

I followed the Apple documentation for Lion Server, but with this Mac OS release I'm unable to configure DHCP or NAT with my network settings.

Every time I start Internet Sharing, NAT or simply IP forwarding, the server changes its IP settings for the internal interface and uses a 192.168.2.x/24 address.

My whole subnet is 172.16.84.0/27. How can I fix it and force OS X Server to use _my_ IP settings and not the default ones?

Is there a way to get an "advanced" configuration instead of "3-click-and-make-it-run"?

I can see in the Preferences panel that all my IP settings are fine, but an ifconfig on the CLI only returns an IP in the wrong range, and there is no connectivity with my real network.

 

The problem is the same for DHCP.

If I configure the DHCP service with my subnets, I declare my ranges, ... exactly as I did in Snow Leopard (which was working perfectly).
But from time to time the configuration is erased (even if I don't use the Gateway Setup Assistant).
I often see a new range added in the 192.168.2.0/24 subnet, which keeps coming back even if I remove it.

Even with all references to this range removed and the service restarted, the server continues granting leases in 192.168.2.0/24, and nothing for the subnets I declared.

This server is also the DHCP server for the Time Capsule clients. Indeed, my TC is bridged on the network and there is no DHCP running except on the server.

I also tried to let the Gateway Setup Assistant do its work and then edit the settings by hand via Server Admin; same problem.

The server doesn't care about my settings, and NAT/DNS/DHCP don't work.

 

A quick drawing to make things more obvious:

--- Internet ---- Firewall ---- DMZ ---- Mac Pro ---- Apple_Lan --- TimeCapsule

Mac Pro en0 : 172.16.83.1/29

Mac Pro en1 : 172.16.84.30/27

 

 

Does anybody have anything in mind to help me? Any leads? Feedback?

Cheers,

Yggdrasill.

Mac Pro, Mac OS X (10.7), Mac Os X 10.7 Server

Posted on Jul 25, 2011 2:05 AM


Page 2 of 3
  • by J Cobb, Level 1 (5 points), Feb 1, 2012 10:58 PM, in response to Yggdrasill

    Does anyone know if this is fixed in 10.7.3?

  • by AnrDaemon, Level 1 (0 points), Feb 2, 2012 7:08 AM, in response to J Cobb

    Gonna check next week, but my bet is "no" with a good degree of certainty.

    "Seriously, if it works, who care?" (c) Apple

  • by Olivier Ducrot - ACTC, Level 1 (35 points), Feb 2, 2012 9:37 AM, in response to Yggdrasill

    I can confirm it's not!

    I wonder if they really take care of this.

  • by Olivier Ducrot - ACTC, Level 1 (35 points), Feb 8, 2012 2:13 PM, in response to Yggdrasill

    Hi Yggdrasill,

    Can you be more verbose about your solution?

    I tried to copy /usr/libexec/nat_start and nat_stop from a brand new 10.6.8 server to my Lion Server, but Internet Sharing still launches when I start NAT with Server Admin or the serveradmin CLI.

    Did you copy the InternetSharing binary too?

    I think that everybody following this thread would be glad of your shares.

    I personally spent a lot of time on this subject, since the first beta of Lion Server.

    Thx

    Olivier

  • by Martyin, Level 1 (15 points), Feb 27, 2012 4:14 AM, in response to Olivier Ducrot - ACTC

    What is the exact issue here?

    Do you just want to enable routing between the two networks?

    Or do you want to share internet etc...?

    If just routing, then you might want to "just enable" IP forwarding... correct?

    If you have set up both NICs correctly in the multihomed Mac, then you might try to issue: sysctl -w net.inet.ip.forwarding=1

    Test if that's what you want...

    If so, make it more permanent by adding net.inet.ip.forwarding=1 to /etc/sysctl.conf.

    Then it still works after a reboot.

    Martin

  • by Olivier Ducrot - ACTC, Level 1 (35 points), Feb 27, 2012 5:40 AM, in response to Martyin

    Thanks for your answer. I've already done this and it works, but it was not the purpose.

    The thread is about NAT, and my question was about Yggdrasill's post saying: "replace the binaries".

    I finally got it working with a little hack to prevent Server Admin from starting Internet Sharing.

    Olivier

  • by AnrDaemon, Level 1 (0 points), Feb 27, 2012 10:51 AM, in response to Martyin

    @Martyin, once you enable the NAT service, it automatically enables a DHCP server somewhere inside the OS that cannot be configured nor seen anywhere in the server tools.

    Any attempt to enable the separate DHCP service (bootpd) will result in abrupt dysfunction of Server Admin, until you take the DHCP service down and never start it again.

    I'm unsure about your suggestion to "just enable forwarding", as I need address translation as well.

  • by Olivier Ducrot - ACTC, Level 1 (35 points), Feb 27, 2012 12:23 PM, in response to AnrDaemon

    You can prevent Server Admin from launching Internet Sharing by changing the rights on the plist file:

    cd /Library/Preferences/SystemConfiguration/
    chmod 400 com.apple.nat.plist
    chflags uchg com.apple.nat.plist

    It's a hack, but ... it works.

    To launch natd, you can create a simple LaunchDaemon item:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
            <key>Label</key>
            <string>fr.easymac.natd</string>
            <key>RunAtLoad</key>
            <true/>
            <key>ProgramArguments</key>
            <array>
                    <string>/usr/sbin/natd</string>
                    <string>-f</string>
                    <string>/etc/nat/natd.conf.apple</string>
            </array>
    </dict>
    </plist>

    And, as said in a few posts before, /etc/nat/natd.conf.apple is the same file as in 10.6 server:

    cat /etc/nat/natd.conf.apple
    # This file is reserved for configuration automatically generated by the Server Admin app.
    # Generated: 2012-02-10 09:44:22 +0100.
    #
    interface en0
    natportmap_interface en0
    enable_natportmap yes
    dynamic yes
    log yes
    log_denied no
    deny_incoming no
    use_sockets yes
    same_ports yes
    unregistered_only yes
    reverse no
    proxy_only no
    clamp_mss yes
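A sanity check for a hand-written natd LaunchDaemon like the one above, added here as an example (it is not code from the thread, from Apple, or from any poster): it parses the plist with plistlib and the natd.conf key/value file, then verifies that natd starts at load with -f and translates on the WAN-facing interface from Yggdrasill's diagram (en0, not the LAN side en1), flagging deny_incoming no as the one setting worth revisiting. The embedded file contents are constructed, trimmed copies of the two files posted above; the function names and the wan_if argument are assumptions.

```python
import plistlib

# Constructed from the two files Olivier posted; only the keys the checks use are kept.
NATD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>fr.easymac.natd</string>
  <key>RunAtLoad</key><true/>
  <key>ProgramArguments</key>
  <array><string>/usr/sbin/natd</string><string>-f</string>
         <string>/etc/nat/natd.conf.apple</string></array>
</dict></plist>"""

NATD_CONF = """# Generated: 2012-02-10 09:44:22 +0100.
interface en0
natportmap_interface en0
dynamic yes
deny_incoming no
clamp_mss yes
"""

def parse_natd_conf(text):
    """natd.conf is one 'key value' per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf

def audit_natd_daemon(plist_bytes, conf_text, wan_if):
    """Cross-check the LaunchDaemon and the natd.conf it runs; [] means consistent."""
    findings = []
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments", [])
    if not plist.get("RunAtLoad"):
        findings.append("RunAtLoad missing: natd will not start at boot")
    if not args or not args[0].startswith("/"):
        findings.append("ProgramArguments[0] must be an absolute path to natd")
    if len(args) < 3 or args[1] != "-f":
        findings.append("natd is not started with -f <conf>: the posted config is ignored")
    conf = parse_natd_conf(conf_text)
    # NAT must translate on the WAN-facing interface (en0 in the diagram); on the
    # LAN side (en1) it would rewrite traffic in the wrong direction.
    for key in ("interface", "natportmap_interface"):
        if conf.get(key) != wan_if:
            findings.append(f"{key} is {conf.get(key)!r}, expected WAN interface {wan_if!r}")
    if conf.get("deny_incoming") != "yes":
        findings.append("deny_incoming is not 'yes': inbound packets with no translation "
                        "entry are passed through rather than dropped")
    return findings
```

Run audit_natd_daemon(NATD_PLIST, NATD_CONF, "en0") against the posted pair and the only finding is the deny_incoming one; passing "en1" as the WAN interface shows how a swapped interface is caught.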

  • by arcusak, Level 1 (5 points), Feb 29, 2012 8:10 PM, in response to Olivier Ducrot - ACTC

    hmm... were there additional steps needed?

    once done, the machine stopped booting entirely.

    so I booted off the 10.6.8 drive... and I noticed the settings on 'com.apple.nat.plist' didn't really stop anything, as the OS simply created (and presumably wanted to use) another file called 'com.apple.nat.plist-new' that was not locked.

  • by J Cobb, Level 1 (5 points), Feb 29, 2012 9:31 PM, in response to Yggdrasill

    I read somewhere else that in System Preferences->Network you should leave the Router field empty for the LAN ethernet port. I removed the entry I had there (192.168.2.1, the same as the IP address) and all seems to be working fine for me now. Unfortunately, I did this right after the 10.7.3 update, so I'm not sure which I can attribute it to.

    What do you have entered for the LAN router? Can someone else try making that empty and see if it fixes the situation?

  • by AnrDaemon, Level 1 (0 points), Feb 29, 2012 9:38 PM, in response to J Cobb

    You must have default route empty on LAN interface. Unless you want a ton of headache for yourself, and anyone who would need to work with your network after you, that is.

  • by arcusak, Level 1 (5 points), Feb 29, 2012 9:44 PM, in response to J Cobb

    I've always had that empty for the DHCP/NAT interface in System Preferences->Network... even in 10.6.8.

    just IP address and subnet mask. everything else blank.

    my main issue is that everything in 10.6 (and before) was made in 172.16.x.x, and that no longer works in 10.7. I'm trying to get out of having to scrap all the settings and redo all the DNS / DHCP assignments / etc etc from scratch to put it in the 192.168.2.x address space.

    sorta hoping that this is corrected before Mountain Lion Server, as I really need Lion Server in order to use Software Update for the 10.7 machines in the office.

    so right now it is: continue to run 10.6 but with no local Software Update server (a waste of bandwidth and time), or redo the DHCP/DNS/NAT entirely to run in 192.168.2.x ...

    a decision that really shouldn't have to exist, as I don't see any reason Lion had to be limited to the 192.168.2.x address space. removing the option of using the previously-available address spaces in 10.7 is a feature removal with no benefit I can see.

  • by studio212, Level 1 (0 points), Mar 1, 2012 7:31 AM, in response to Yggdrasill

    You can host Lion updates in your Snow Leopard server. You don't need Lion Server to do so. Instructions here: http://support.apple.com/kb/HT4771

  • by Olivier Ducrot - ACTC, Level 1 (35 points), Mar 1, 2012 10:27 AM, in response to arcusak

    @arcusak

    I looked at my server: I have the -new file too. The rights on both files changed to 644 too, but the uchg flag stayed on the original com.apple.nat.plist file.

    It's probably not necessary to do the chmod.

  • by arcusak, Level 1 (5 points), Mar 1, 2012 3:31 PM, in response to studio212

    ah good deal. I'll give that a shot later today.

    that'll let me hold off on Lion Server a little bit longer at least. would still like to move to it someday though, and without having to basically redo the entire internal network from scratch.
