
Help debugging standard Gateway configuration problem

I've got a Mac Pro running Lion Server.


It connects to a fixed IP / direct connection to the Internet on Ethernet 1.


The machine, and the services it supports all have good access to the Internet.


It is configured to support a LAN from Ethernet 2. Wifi connection is disabled.


I used the Gateway Assistant to set up, and:


  • Ethernet 2 is configured at 192.168.2.1, with DNS set manually to OpenDNS values. These are the same values as used on Ethernet 1's fixed IP connection (which works fine).
  • NAT is set to IP Forwarding and Network Address Translation, External Interface is Ethernet 1, and Port Mapping Protocol is enabled.
  • DHCP is set to distribute values to en1 (which is Ethernet 2) in range 192.168.2.2 to 192.168.2.127. DNS is set to 192.168.2.1.


The problem I have is that, although client connections to Ethernet 2 set up perfectly, the connected machines have no connection to the internet: unable to see fqdns or ping IPs directly.


I must be doing something wrong... but can't see it. Hopefully someone else can... 🙂


Thanks in advance for whatever help anyone can provide.

Mac Pro, Mac OS X (10.6.8), 9Gbytes - OS X Server

Posted on Mar 14, 2012 3:08 PM

11 replies

Mar 14, 2012 4:36 PM in response to Gavin Lawrie

Hi,


Is the address at en0 static? To check the settings provided by your DHCP server, open up a terminal on your client machine and type ifconfig. Maybe a simple typo at the gateway address is the answer. Try to (tmp) disable the firewall and check if your server resolves DNS lookups.


From time to time I have the same issue that no packets go through the connection sharing. -> Restart fixed that

Mar 14, 2012 6:37 PM in response to Brettermeier

Hi


Thanks for the suggestions.


en0 is manually set to a static address, and works fine.


I have been through the gateway assistant several times, and you don't actually type anything in (except the VPN secret if you want VPN). But I checked and everything appears to be working with regard to DHCP - the right gateway is being set (192.168.2.1) and a correct / legit IP assigned (192.168.2.2) and the gateway is being set as the DNS. Manually setting the DNS to OpenDNS at various points (e.g. At en1, at DHCP, on laptop) doesn't help. IPs can't be tracerouted from laptop - the first step is shown (going to 192.168.2.1) but thereafter nothing.


I'm at a loss to know what to do... This is basic stuff (it even appears in a diagram in the SLS getting started guide). So it is odd that it simply doesn't work.

Mar 15, 2012 5:07 AM in response to Brettermeier

Hard to say (given my level of ability) but I think the answer is "No".


LAN connected machine can see and can connect to the server by its local network name (in this case "Server"), but cannot resolve any fqdn via traceroute or ping. I don't know whether the machine is getting the local server name via DNS or Bonjour - suspect the latter. Just to be clear, the server itself has DNS working for its onward connection to internet (so you can ping, traceroute fqdns no problem - and open safari etc.). It is just the connected machine that cannot do this.

Mar 15, 2012 10:12 AM in response to Brettermeier

Here are the outputs: hope they are informative 🙂


Server - ifconfig

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
    ether 00:17:f2:00:8e:06
    inet6 fe80::217:f2ff:fe00:8e06%en0 prefixlen 64 scopeid 0x4
    inet 46.33.146.45 netmask 0xfffffff8 broadcast 46.33.146.47
    inet 46.33.146.46 netmask 0xfffffff8 broadcast 46.33.146.47
    media: autoselect (1000baseT <full-duplex,flow-control>)
    status: active
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
    ether 00:17:f2:00:8e:07
    inet6 fe80::217:f2ff:fe00:8e07%en1 prefixlen 64 scopeid 0x5
    inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
    media: autoselect (100baseTX <full-duplex,flow-control>)
    status: active
en2: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
    ether 00:19:e3:0a:41:ae
    media: autoselect (<unknown type>)
    status: inactive
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 2030
    lladdr 00:16:cb:ff:fe:6c:6f:f6
    media: autoselect <full-duplex>
    status: inactive
vnic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=3<RXCSUM,TXCSUM>
    ether 00:1c:42:00:00:08
    inet 10.211.55.2 netmask 0xffffff00 broadcast 10.211.55.255
    media: autoselect
    status: active
vnic1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=3<RXCSUM,TXCSUM>
    ether 00:1c:42:00:00:09
    inet 10.37.129.2 netmask 0xffffff00 broadcast 10.37.129.255
    media: autoselect
    status: active


Server - nslookup

Server: 208.67.220.220
Address: 208.67.220.220#53


Non-authoritative answer:

45.146.33.46.in-addr.arpa name = www.2gc.org.


Laptop / LAN - ifconfig

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fd77:51b9:835:a2f3:62c5:47ff:fe08:7d12 prefixlen 128
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
    ether 60:c5:47:08:7d:12
    media: autoselect (<unknown type>)
    status: inactive
p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
    ether 02:c5:47:08:7d:12
    media: autoselect
    status: inactive
en2: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=4<VLAN_MTU>
    ether 58:55:ca:22:9a:af
    inet6 fe80::5a55:caff:fe22:9aaf%en2 prefixlen 64 scopeid 0x7
    inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
    media: autoselect (100baseTX <full-duplex,flow-control>)
    status: active


Laptop - nslookup

Server: 192.168.2.1
Address: 192.168.2.1#53


45.146.33.46.in-addr.arpa name = www.2gc.org.
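
The check suggested in the first reply (compare what DHCP handed the client against the gateway's settings), as an added example that is not part of the original thread: it parses BSD-style ifconfig output, including the hex netmask, and tests the client's lease against the gateway's LAN interface and the DHCP range given in the first post. The function names are hypothetical, and the sample text is excerpted from the output posted above.

```python
import ipaddress
import re

# Excerpts of the ifconfig output posted in this thread (only the lines needed).
SERVER_IFCONFIG = """\
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    inet 46.33.146.45 netmask 0xfffffff8 broadcast 46.33.146.47
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
"""
CLIENT_IFCONFIG = """\
en2: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
# "inet " with a trailing space, so inet6 lines are skipped.
INET_RE = re.compile(r"^\s*inet (\S+) netmask 0x([0-9a-fA-F]{8})")

def parse_ifconfig(text):
    """Map interface name -> list of IPv4Interface from BSD-style ifconfig text."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = INET_RE.match(line)
        if m and current:
            # ifconfig on OS X prints the netmask as hex; convert to dotted quad.
            mask = ipaddress.IPv4Address(int(m.group(2), 16))
            result[current].append(ipaddress.IPv4Interface(f"{m.group(1)}/{mask}"))
    return result

def check_lease(server_text, client_text, lan_if, client_if, pool_lo, pool_hi):
    """Return a list of problems with the client's lease; empty means consistent."""
    gw = parse_ifconfig(server_text)[lan_if][0]
    cl = parse_ifconfig(client_text)[client_if][0]
    lo, hi = ipaddress.IPv4Address(pool_lo), ipaddress.IPv4Address(pool_hi)
    problems = []
    if cl.network != gw.network:
        problems.append(f"client {cl} is not in gateway subnet {gw.network}")
    if not lo <= cl.ip <= hi:
        problems.append(f"client {cl.ip} is outside DHCP pool {lo}-{hi}")
    if cl.ip == gw.ip:
        problems.append("client and gateway share an address")
    return problems
```

With the posted values, `check_lease(SERVER_IFCONFIG, CLIENT_IFCONFIG, "en1", "en2", "192.168.2.2", "192.168.2.127")` returns an empty list, so the addressing handed out by DHCP is consistent with the gateway's LAN interface.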

Mar 15, 2012 1:40 PM in response to Gavin Lawrie

Firebind has a test that can let you know whether the Bonjour TCP and UDP ports listed in the Apple Support FAQ are being blocked or not.

http://www.firebind.com/bonjour

It will test TCP 5297 and 5298 as well as UDP 5298 and 5353 to confirm there is no firewall blocking them.


If you have other ports you want to test besides the Bonjour ports then you can enter custom port ranges as well through their Applet client.

- ProtocolGeek

Mar 16, 2012 7:42 AM in response to Brettermeier

Hi - sorry, should have explained about the two IPs. The en0 has two IPs based on simply duplicating the connection in the "network" system preferences - the '45' IP is used for Lion Server itself, the 46 for a standalone mail server package running on same machine. The arrangement owes more to history than design - the mail server used to run on second stand-alone mac mini, and the IP was kept when merged onto single machine - has been working perfectly well for about four years now (previously on a Mac Mini). Do you think it has any relevance for this issue?


In my many attempts to fix this, I have tried disabling the second IP on en0 (by 'setting service to inactive' in the network bit of system preferences). Made no difference.


I'm sure the NAT is set to use en0 to connect to internet, and en1 for communicating with LAN.


Oh and yes - the en0 is the connection used to connect the server to the Internet.
