User profile for user: Erik H.
Erik H. Author
User level: Level 1
0 points

Server can access Internet, CLIENTS CANNOT, but can connect on intranet?

Hi,

I have a similar problem to the one that Philip Rice had, which I will proceed to quote as background.

"Okay, I'm stumped. I've got local DNS up and running (forward and reverse lookups work). My server is on a static IP through en0 (internet connection) and I am serving up clients on a private network through en1.

The problem is the server can connect to the internet but none of the clients can. I've looked through other people's posts on DNS problems but can seem to find a fix.

Anyone have an suggestions?

Cheers,

Phil"

Phil's answer, given by Camelot, follows:

"Are you saying this is a DNS issue, or a networking issue?

It isn't clear from your description where your internal clients sit. Are they connected to en1 and you're using the server as the gateway to the outside world?

Or are the internal systems connected to a router of some description and are just using the server for name resolution?

To answer the question you really need to test some sites from the internal network without using DNS. There are two tests you need to perform from an internal host

1) Can the internal hosts get to http://17.254.0.91/
2) Can the internal host run nslookup www.apple.com in a terminal window.

The 17.254.0.91 is www.apple.com without DNS. If they can get there then it's a DNS problem, indeed. If they can't get there then it's a network/routing issue.
If they can run the nslookup command and get a result then your DNS is working and it's a networking/routing issue.

You have enabled connection sharing on the server, right?"


I have about the exact same issue: I can perform the nslookup command with success, and the server gets on the Internet via en1, but all of my clients on en0 cannot connect to the Internet. Nor can they access http://17.254.0.91. The intranet works, with my local webserver serving a calendar program to all of the client computers, as well as being able to share volumes and printers. The only thing that is failing is for clients to be able to get through the server to the Internet.

I ran the Gateway Assistant. After it finished, I had kill the Firewall temporarily to configure my en1 to get on the Internet via DHCP from the DSL modem. I will restart the Firewall and set up rules after I can get my clients to connect.

My setup is: DSL modem to Server on en1 via PCI ethernet card. My LAN connects to the built-in ethernet port, en0, via a LinkSys 24-port 10/100 Ethernet switch (the server is in port 1, and my 3 clients are in ports 2-4. The reason I have a PCI ethernet card is because this G5 came with 1 gigabit ethernet port and one modem port. I have no router anywhere on the network, because I didn't think it was needed any longer. I was hoping the G5 server could handle my DHCP needs, so that I can have more control over the services that each client can access or be denied in the future (we are a school, so we don't want full Internet access for the students, but just the staff and teachers).

You mentioned enabling sharing for the internet connection. Where would I specifically do this? Am I correct in stating that this is not a DNS issue, but rather a networking issue? I have IP Forwarding and NAT running on my en1 (external network interface) port. Is this what is meant by enabling internet sharing? It seems like the server is not passing any Internet requests through from en0 to en1. Have I stated the problem correctly?

I tried the solution that worked for Philip, namely removing all static maps under DHCP, but this had no effect.

I'm out of ideas and I feel like a networking failure. Can anyone help?

Thanks in advance,

-Erik

PowerMac G5, Mac OS X (10.4.4), Server

Posted on Jan 24, 2006 3:19 PM

Reply
15 replies
User profile for user: Community User
Community User

Jan 25, 2006 4:17 PM in response to Erik H.

You're correct that the machine isn't passing packets from en0 to en1. Internet sharing, which is on the network panel of system prefs, quite possibly would fix things. TBH, I know how to make it work, but I don't know the GUI way to do it.

I usually edit /etc/hostconfig and set IPFORWARDING=-YES-
add net.inet.ip.forwarding=1 to /etc/sysctl.conf and do
sudo sysctl -w net.inet.ip.forwarding=1
and I've got routing.

Roger
Reply
User profile for user: Erik H.
Erik H. Author
User level: Level 1
0 points

Jan 25, 2006 5:12 PM in response to Community User

Hi Roger,

Thanks for replying, but "Internet Sharing" under the Sharing tab of System Preferences does not exist under Mac OS X Server. The only thing that shows up is "Services", whereby you can choose Remote Login, Apple Remote Desktop, or Remote Apple Events. This must be a Tiger client only feature.

My /etc/hostconfig file already contains IPFORWARDING=-YES- in it.

As you suggested, I did create a sysctl.conf file and put
"net.inet.ip.forwarding=1" in it (without the quotes, of course). I then ran the command, "sudo sysctl -w net.inet.ip.forwarding=1", which gave me the result:
net.inet.ip.forwarding: 1 -> 1

All to no avail, unfortunately. Still stuck with the same problem.

Another interesting aside is that when I try to set up my server as a DNS server, it throws out my manually set LAN IP address (192.168.0.4) every time I restart the DNS service, and instead changes it to 127.0.0.1. I then tried deleting the named.conf file and reentering all of my DNS info, but it rejected the changes again when I started DNS service up.

Bizarre, and unfortunately for me, hard to figure out, since I am a novice to Server administration. I've used Mac for 18 yrs. and Unix for 9 yrs., but not on the admin side so much. I feel confident to set up user accounts and the physical network, it's just getting the software side and config files to work together and talk to each other that is stumping me.
Reply
User profile for user: Community User
Community User

Jan 26, 2006 4:14 PM in response to Erik H.

I just set one of my XServers up as a router, doing exactly what I told you. Except for a goof when I changed my machine to use it as a router, it went smoothly. Because of that, I would bet that the client machine doesn't have 192.168.0.4 as it's default router/gateway.

Roger
Reply
User profile for user: David_x
David_x
User level: Level 4
3,011 points

Jan 26, 2006 5:18 PM in response to Erik H.

Erik, I've found the NAT services very reliable in 10.4 so I also would not presume it is a problem there. A couple of things I would check...

Make sure that in Preference-> network-> Port Configurations, that the required WAN port is actually at the top of the list (this is the default sharing port).

If you have been having trouble with your GUI DNS, then the GUI may have hosed the /etc/named.conf file (I've experienced this myself). It particularly seems to delete the localhost references which I understand are necessary for some system funtions. A default /etc/named.conf file contains the following zone references...

zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

I don't think the GUI recreates this file if you delete it and I've ommitted other stuff from this file, so if you need a full listing, just ask.

-david





Reply
User profile for user: Erik H.
Erik H. Author
User level: Level 1
0 points

Jan 27, 2006 2:32 PM in response to David_x

Hi David,

Thanks a lot for responding to my query. I would be very grateful if you could include an entire named.conf file, since mine does seem to be incomplete. The DNS service that I am trying to set up is just for a private DNS server, to help with Open Directory Services, etc. If it is not too much of a burden, could you tell me where to put the following information into my new named.conf file? My site-specific settings are:

Server's LAN IP address/Router address/Nameserver address will be: 192.168.0.4

DNS zone will be: eca.private

I also want to have client's requests for external DNS services forwarded to my ISP's domain name servers, at IP #'s: 12.32.34.32 and 12.32.34.33

My server's localhost name is: server1

Is there anything I am forgetting? (I have tried to enter portions of this info into my named.conf file, like the forwarding clause, based on other postings on the Discussions forums, but I think my named.conf is too hacked up to work, plus having the GUI overwrite it and delete stuff doesn't help either. If this file is at the root of my problems, I just want to get the whole thing right, then back it up, and then try going live with the correct version/syntax.)

I also checked, and I did have my WAN ethernet port (en1) at the top of my Network Preferences/Port Configs list.

Will I have trouble with Gateway Services because this is a G5 PowerMac with 1 built-in ethernet port and 1 PCI ethernet card, rather than it being an Xserve with dual built-in ethernet ports? I saw that Roger has this working on an Xserve, but we are going with an existing G5 PowerMac instead. I doubt this is the problem, but you never know!

Thank you again for your kind assistance.

-Erik
Reply
User profile for user: David_x
David_x
User level: Level 4
3,011 points

Jan 27, 2006 3:15 PM in response to Erik H.

Below, default named.zone file with a forwarders statement ready to edit with your external DNS IPs.

Your best action, in my opinion, is to delete your own zone files in /var/named, leaving just the default...

named.ca
named.local
localhost.zone

...and try again using the GUI. The GUI does work if you stick to it alone - just don't be tempted to edit manually and then try something in the GUI when it doesn't load the edited files correctly. Take it slowly, add something to the GUI and then test that you get the expected results with the 'dig' command in Terminal or via lookup in Network Utility.

Re the 2 NICs, this is fine in a G5.

Good luck!

-david


//
// Include keys file
//
include "/etc/rndc.key";
// Declares control channels to be used by the rndc utility.
//
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host to manage
// your name server.
//
// Default controls
//
controls {
inet 127.0.0.1 port 54 allow {any;} keys {
"rndc-key";
};
};
options {
directory "/var/named";
allow-transfer {none;};
recursion true;
forwarders { dnsAddress1; dnsAddress2 };
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a caching only nameserver config
//
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
logging {
category default {
defaultlog;
};
channel defaultlog {
file "/Library/Logs/named.log";
severity info;
print-time yes;
};
};

Reply
User profile for user: Community User
Community User

Jan 27, 2006 4:33 PM in response to Erik H.

Erik,

Routing and DNS are separate issues. Did you try setting the default router/gateway on a client to 192.168.0.4 ? If that didn't work, could you post the results of these commands, please?

On the server:

netstat -r -n
sudo sysctl -a | egrep forward
ifconfig -a

And on your test client box:

ifconfig -a
netstat -r -n

Roger
Reply
User profile for user: Erik H.
Erik H. Author
User level: Level 1
0 points

Jan 29, 2006 9:55 PM in response to Community User

Hi Roger (and David),

Still struggling here. Router on all clients is coming up correctly/is set to 192.168.0.4. Here are the results of the commands you asked me to run:

Server: netstat -r -n

Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.1.1 UGSc 207 147 en1
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 19 1359284 lo0
169.254 link#5 UCS 0 0 en1
192.168.0 link#4 UCS 3 0 en0
192.168.0.4 127.0.0.1 UHS 1 1506 lo0
192.168.0.6 0:d:93:3c:13:28 UHLW 0 3980 en0 1082
192.168.0.7 0:14:51:8:2f:7a UHLW 3 5844627 en0 533
192.168.0.8 0:14:51:13:3f:7c UHLW 1 627 en0 533
192.168.1 link#5 UCS 1 0 en1
192.168.1.1 0:a0:c5:47:5b:c6 UHLW 68 0 en1 1036
192.168.1.101 127.0.0.1 UHS 0 1413 lo0

Internet6:
Destination Gateway Flags Netif Expire
::1 link#1 UHL lo0
fe80::%lo0/64 fe80::1%lo0 Uc lo0
fe80::1%lo0 link#1 UHL lo0
fe80::%en0/64 link#4 UC en0
fe80::20a:95ff:fe96:cd6%en0 0:a:95:96:c:d6 UHL lo0
fe80::214:51ff:fe08:2f7a%en0 0:14:51:8:2f:7a UHLW en0
fe80::%en1/64 link#5 UC en1
fe80::208:54ff:fe40:6dde%en1 0:8:54:40:6d:de UHL lo0
ff01::/32 ::1 U lo0
ff02::/32 ::1 UC lo0
ff02::/32 link#4 UC en0
ff02::/32 link#5 UC en1

Server : sysctl -a | egrep forward
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0

Server: ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0 mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::20a:95ff:fe96:cd6%en0 prefixlen 64 scopeid 0x4
inet 192.168.0.4 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:0a:95:96:0c:d6
media: autoselect (100baseTX <full-duplex>) status: active
supported media: none autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> 1000baseT <full-duplex,flow-control,hw-loopback>
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::208:54ff:fe40:6dde%en1 prefixlen 64 scopeid 0x5
inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:08:54:40:6d:de
media: autoselect (100baseTX <full-duplex>) status: active
supported media: 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 100baseTX <half-duplex> 100baseTX <full-duplex> 1000baseT <full-duplex> autoselect
fw0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 4078
lladdr 00:0a:95:ff:fe:96:0c:d6
media: autoselect <full-duplex> status: inactive
supported media: autoselect <full-duplex>

Client: ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0 mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::214:51ff:fe08:2f7a%en0 prefixlen 64 scopeid 0x4
inet 192.168.0.7 netmask 0xffffff00 broadcast 192.168.0.255
ether 00:14:51:08:2f:7a
media: autoselect (100baseTX <full-duplex>) status: active
supported media: none autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback>
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 2030
lladdr 00:14:51:ff:fe:08:2f:7a
media: autoselect <full-duplex> status: inactive
supported media: autoselect <full-duplex>


Client: netstat -r -n
Routing tables

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.4 UGSc 7 10 en0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 10 97546 lo0
169.254 link#4 UCS 0 0 en0
192.168.0 link#4 UCS 4 0 en0
192.168.0.4 0:a:95:96:c:d6 UHLW 9 19223155 en0 43
192.168.0.6 0:d:93:3c:13:28 UHLW 0 1284 en0 593
192.168.0.7 127.0.0.1 UHS 0 164 lo0
192.168.0.8 0:14:51:13:3f:7c UHLW 0 139 en0 43
192.168.0.255 link#4 UHLWb 1 1148 en0

Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UH lo0
fe80::%en0/64 link#4 UC en0
fe80::20a:95ff:fe96:cd6%en0 0:a:95:96:c:d6 UHLW en0
fe80::214:51ff:fe08:2f7a%en0 0:14:51:8:2f:7a UHL lo0
ff01::/32 ::1 U lo0
ff02::/32 ::1 UC lo0
ff02::/32 link#4 UC en0

I hope these make some sense to you! I can see where the contents of this could have an effect, but I don't know where to make settings to change the output of these commands to the correct data, nor what exactly needs to be changed.

I agree that routing and DNS are separate issues. I also don't see why I would necessarily even need DNS running to enable client connectivity through the server to the Internet.

In case David is still reading this discussion, I turned off DNS in the Server Admin. Then I made my named.conf file read just as he posted, changing only the DNS forwarders to their correct IP's. I backed this file up for safekeeping. I then started DNS, which would only flash green for a second and turn itself back off. I checked and my named.conf file was obliterated, with no contents whatsoever. I then entered my zone name in DNS GUI "eca.private", my Server name "server1", and my server IP "192.168.0.4". I checked Zone Transfers and Recursion, and started DNS service. This time, it started up, but it removed my server name "server1" and replaced it with nothing, it left my zone name alone "eca.private", and changed my server IP address from 192.168.0.4 to "127.0.0.1".

I feel like taking a very long nap...

-Erik
Reply
User profile for user: Erik H.
Erik H. Author
User level: Level 1
0 points

Jan 29, 2006 10:26 PM in response to Erik H.

Hi Roger and David,

SUCCESS!

I tried to simplify my setup and try a few last-ditch efforts before a reinstall of Tiger and Server. Although Firewall service has been off this whole time, I began to wonder if maybe the server was blocking NAT services due to not having the Firewall at least turned on. So I went in and allowed all denied services under the "Advanced" tab on Firewall, and selectively enabled certain services that seemed related to my problem under the "Services" tab. I then started up Firewall service (which had previously stopped my WAN port from connecting to my DSL modem), and Whango!, the Internet began to work on all of my clients.

Why this happened, I am not sure. I hope it is a permanent change. I will now begin to read up on Firewall service and set appropriate rules.

Any other thoughts you may have, related to either my initial problem, or anything critical that I should set under Firewall services, I would be very grateful to receive.

Thanks very much for all of your posts and responsiveness to this hugely frustrating problem. My co-workers are happy now too!

-Erik
Reply
User profile for user: Alex Hargreaves
Alex Hargreaves
User level: Level 1
30 points

Jan 29, 2006 11:00 PM in response to Erik H.

Hi there,

Just on looking for answers to my problem when I found your thread. I seem to be having the exact same issue you as you were, so if you've found a solution or if anyone knows how to fix this, please let me know.

I have our DSL hooked into my server (Mac OS X 10.4) through the built-in ethernet (en0), and our home's switch hooked in through the PCI ethernet card (en1). En0 is at the top of the network list in System Prefs/Network, sees the internet, connects fine, etc. The client machines connected through en1 can all see the server and communicate with one-another. Under DHCP in ServerAdmin all the machines have been provided an IP address. I also have the firewall enabled with allow any to any (basically on but not doing anything, the way I want it) and NAT enabled, which I modified the conf file so that the external interface is ppp0 instead of en1 (which is the only thing it would allow via the GUI). My friend, who's a networking major and more knowledgeable than I, says it's a "natd/ipfw" issue, as the client machines are also seeing the DNS servers provided by our ISP through the server.

If you can think of anything I might have missed, or what might be causing this problem, please let me know!

Thanks in advance,

Alex H
Reply
User profile for user: Erik H.
Erik H. Author
User level: Level 1
0 points

Jan 30, 2006 12:01 AM in response to Alex Hargreaves

Hi Alex,

A few things come to mind. First off, the External Interface under NAT should be (en0), not en1 or ppp0, since your DSL is hooked into en0. (Why the GUI won't let you choose this, I don't know, but check all of the settings and suggestions below and then look at this issue again. Others told me that this is a pivotal point of service denial to clients.) You should have an entry under System Prefs/Network/Network Port Configurations for your PCI Ethernet card. If not, go under the New button and pick it from the list.

Configure your en0 via DHCP, or whatever your DSL requires so that you get a WAN IP address from them and can access the Internet (sounds like this one is already taken care of).

Configure your en1 "Manually", assigning your server an IP address in your subnet, Subnet Mask, and enter your ISP's DNS addresses in the proper field. Leave the "Router" field blank, since your server is the router. (By "in your subnet" I mean that if you are assigning LAN addresses through DHCP that begin with "192.168.1", then your server should be "192.168.1.1" and your available addresses to give to clients should start with 192.168.1.2 and end with 192.168.1.127, leaving open the range from 192.168.1.128-254 for VPN connections. Reply if this is unclear, I don't mean to over-complicate it.)

See my note in my previous post (to Roger & David) regarding how I set the Firewall. There are settings in 2 tabs that need to be changed or enabled/disabled to make sure it is not getting in the way. (This was my problem—NAT seems to want it on for safety? [I guess], but until I know how to configure it, I just disabled the "denied" services so that all info could pass through—immediately thereafter, my clients could finally connect, causing me to believe that the Gateway function wants to see the Firewall "running".)

I don't know if my private DNS configuration is correct, but at least it is not interfering with my client connectivity.

As for DHCP, make sure that once you change and configure this service on the server, restart the service, and then "renew DHCP lease" on each client in their Network/Ethernet panes. Ensure that the server's LAN IP address shows up as the client's Router, and then manually enter your ISP's primary and secondary DNS IP addresses in the client's DNS server field, along with the server's IP address (if you are running DNS services). You can get your ISP's DNS IP addresses from the server's en0 setup pane, since they are acquired dynamically from your ISP.

Let me know if this works for you.

-Erik
Reply
User profile for user: Alex Hargreaves
Alex Hargreaves
User level: Level 1
30 points

Jan 30, 2006 12:38 AM in response to Erik H.

Hello again.

Thanks for the advice. Turns out I tried running sysctl -w net.inet.ip.forwarding=1 one more time, despite the fact I had ran it before and it came back 1->1, but this time it said 0->1, so it must have got switched off somehow. I then dumped the command into a new file @ /etc/sysctl.conf so it won't shut off again (on restart), and the problem was solved!!

I should have mentioned it in my last post, but I had configured my System Prefs/Network exactly the way you had described before the problem occured.

However, thank you very much for the insight and help, especially so late on a Sunday night.

Alex

PS: For some reason ppp0 is the required setting for my situation, not en0 (this is how it is currently operating as well). I cannot explain this, my friend (who was working on getting this set up for me before he went offline (thus my need to seek other means of help)) told me this is how it had to be set up, but he's taking networking and unfortunately I'm not saavy enough to explain why myself, but it does work now (with that setting). I'll try and remember to ask him then post back here what the precise difference is.
Reply
User profile for user: David_x
David_x
User level: Level 4
3,011 points

Jan 30, 2006 1:26 AM in response to Erik H.

Hi Erik,

Although Firewall service has been off this whole time, I began to wonder if maybe the server was blocking NAT services due to not having the Firewall at least turned on.

Firewall services must be on for NAT services to work. Indeed, Apple state this (twice, once in a big box prefixed "Warning:") on the first page of the NAT section of their Network Services Administration document...
http://www.apple.com/support/macosxserver/networkservices/

You have probably (hopefully) read the documentation before, and it is pretty overwhelming the first time, but it does get clearer after you have worked with the services for the first time. The new documentation is a lot better and clearer than previous ones and well worth re-reading regularly.

To be honest, the Apple server is quite capable of working correctly 'straight out of the box' without any manual tweaking - if I was in your position, I would be reinstalling from scratch, but I appreciate that you are now in a working environment and so this could be problematic. Maybe there is a spare machine you can test things on, meantime?

Regarding the comment re DNS, again the DNS is quite capable of working with just being switched on - but as you have found, if the basic info is not correct from startup and then a bit of manual tweaking takes place, it can quickly denigrate.

I cannot comment too much on the output from your Netstat command, since I am no expert in this (but hopefuly Roger is still around to make comment), but it looks to me like the modem you are connecting to is itself running NAT (the 192.168.1.1 IP), so the NAT/Gateway services in your server is a bit redundant. So maybe the modem/router should just be left to do the NAT (and maybe DHCP) for your LAN - I much prefer this myself but I do not know what your modem is so maybe I'm missing something else.

Anyway, hope you get it all sorted out. Honestly, it does get clearer and easier after you have struggled through things (and reinstalled a few times) - but well worth re-reading the manuals!

-david

Reply
User profile for user: Community User
Community User

Jan 31, 2006 4:10 PM in response to Erik H.

Sorry, I had a Dentist's appointment last night. The settings that you posted from your server and your client are all correct. In this type of setup, you don't need NAT running on the server.

That said, and with your settings being correct, my hunch is that the 192.168.1.1 router doesn't know about your 192.168.0.0/24 network and doesn't know to send packets destined for there to the server. When you switched on the firewall/NAT, the server started rewriting the packet headers so that they look like they originiated from the server's 192.168.1.101 interface which the 192.168.1.1 router can deal with.

Before, the packets were going to the Internet correctly, but the response packets were (probably) being sent back out to the Internet instead of going from 192.168.1.1 to 192.168.1.101 and onto 192.168.0.0/24.

Roger
Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Server can access Internet, CLIENTS CANNOT, but can connect on intranet?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up