11 Replies Latest reply: Mar 16, 2012 8:05 AM by Brettermeier
Gavin Lawrie Level 2 Level 2 (395 points)

I've got a Mac Pro running Lion Server.

It connects to a fixed IP / direct connection to the Internet on Ethernet 1.

The machine, and the services it supports, all have good access to the Internet.

It is configured to support a LAN from Ethernet 2. Wifi connection is disabled.

I used the Gateway Assistant to set up, and:

  • Ethernet 2 is configured at 192.168.2.1, with DNS set manually to OpenDNS values. These are the same values as used on Ethernet 1's fixed IP connection (which works fine).
  • NAT is set to IP Forwarding and Network Address Translation, External Interface is Ethernet 1, and Port Mapping Protocol is enabled.
  • DHCP is set to distribute values to en1 (which is Ethernet 2) in range 192.168.2.2 to 192.168.2.127. DNS is set to 192.168.2.1.

The problem I have is that although client connections to Ethernet 2 set up perfectly, the connected machines have no connection to the internet: unable to see FQDNs or ping IPs directly.

I must be doing something wrong... but can't see it. Hopefully someone else can...

Thanks in advance for whatever help anyone can provide.


Mac Pro, Mac OS X (10.6.8), 9Gbytes - OS X Server
  • Brettermeier Level 1 Level 1 (25 points)

    Hi,

    Is the address at en0 static? To check the settings provided by your DHCP server, open up a terminal on your client machine and type ifconfig. Maybe a simple typo at the gateway address is the answer. Try to (temporarily) disable the firewall and check if your server resolves DNS lookups.

    From time to time I have the same issue that no packets go through the connection sharing. -> Restart fixed that

  • Gavin Lawrie Level 2 Level 2 (395 points)

    Hi

    Thanks for the suggestions.

    en0 is manually set to a static address, and works fine.

    I have been through the gateway assistant several times, and you don't actually type anything in (except the VPN secret if you want VPN). But I checked and everything appears to be working with regard to DHCP - the right gateway is being set (192.168.2.1) and a correct / legit IP assigned (192.168.2.2) and the gateway is being set as the DNS. Manually setting the DNS to OpenDNS at various points (e.g. at en1, at DHCP, on laptop) doesn't help. IPs can't be tracerouted from laptop - the first step is shown (going to 192.168.2.1) but thereafter nothing.

    I'm at a loss to know what to do... This is basic stuff (it even appears in a diagram in the SLS getting started guide). So it is odd that it simply doesn't work.

  • Brettermeier Level 1 Level 1 (25 points)

    Does your server answer DNS queries from the clients?

  • Gavin Lawrie Level 2 Level 2 (395 points)

    Hard to say (given my level of ability) but I think the answer is "No".

    LAN connected machine can see and can connect to the server by its local network name (in this case "Server"), but cannot resolve any FQDN via traceroute or ping. I don't know whether the machine is getting the local server name via DNS or Bonjour - suspect the latter. Just to be clear, the server itself has DNS working for its onward connection to the internet (so you can ping, traceroute FQDNs no problem - and open Safari etc.). It is just the connected machine that cannot do this.

  • Brettermeier Level 1 Level 1 (25 points)

    Could you please paste the output from a serverside "ifconfig" and a "nslookup yourserverip" from your server and client.

  • Gavin Lawrie Level 2 Level 2 (395 points)

    Here are the outputs: hope they are informative.

    Server - ifconfig

    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
              options=3<RXCSUM,TXCSUM>
              inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
              inet 127.0.0.1 netmask 0xff000000
              inet6 ::1 prefixlen 128
    gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
    stf0: flags=0<> mtu 1280
    en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
              options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
              ether 00:17:f2:00:8e:06
              inet6 fe80::217:f2ff:fe00:8e06%en0 prefixlen 64 scopeid 0x4
              inet 46.33.146.45 netmask 0xfffffff8 broadcast 46.33.146.47
              inet 46.33.146.46 netmask 0xfffffff8 broadcast 46.33.146.47
              media: autoselect (1000baseT <full-duplex,flow-control>)
              status: active
    en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
              ether 00:17:f2:00:8e:07
              inet6 fe80::217:f2ff:fe00:8e07%en1 prefixlen 64 scopeid 0x5
              inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
              media: autoselect (100baseTX <full-duplex,flow-control>)
              status: active
    en2: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
              ether 00:19:e3:0a:41:ae
              media: autoselect (<unknown type>)
              status: inactive
    fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 2030
              lladdr 00:16:cb:ff:fe:6c:6f:f6
              media: autoselect <full-duplex>
              status: inactive
    vnic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              options=3<RXCSUM,TXCSUM>
              ether 00:1c:42:00:00:08
              inet 10.211.55.2 netmask 0xffffff00 broadcast 10.211.55.255
              media: autoselect
              status: active
    vnic1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              options=3<RXCSUM,TXCSUM>
              ether 00:1c:42:00:00:09
              inet 10.37.129.2 netmask 0xffffff00 broadcast 10.37.129.255
              media: autoselect
              status: active

    Server - nslookup

    Server:     208.67.220.220
    Address:    208.67.220.220#53

    Non-authoritative answer:
    45.146.33.46.in-addr.arpa    name = www.2gc.org.

    Laptop / LAN - ifconfig

    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
              options=3<RXCSUM,TXCSUM>
              inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
              inet 127.0.0.1 netmask 0xff000000
              inet6 ::1 prefixlen 128
              inet6 fd77:51b9:835:a2f3:62c5:47ff:fe08:7d12 prefixlen 128
    gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
    stf0: flags=0<> mtu 1280
    en0: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
              ether 60:c5:47:08:7d:12
              media: autoselect (<unknown type>)
              status: inactive
    p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
              ether 02:c5:47:08:7d:12
              media: autoselect
              status: inactive
    en2: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              options=4<VLAN_MTU>
              ether 58:55:ca:22:9a:af
              inet6 fe80::5a55:caff:fe22:9aaf%en2 prefixlen 64 scopeid 0x7
              inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
              media: autoselect (100baseTX <full-duplex,flow-control>)
              status: active

    Laptop - nslookup

    Server:     192.168.2.1
    Address:    192.168.2.1#53

    45.146.33.46.in-addr.arpa    name = www.2gc.org.

  • ProtocolGeek Level 1 Level 1 (0 points)

    Firebind has a test that can let you know whether the Bonjour TCP and UDP ports listed in the Apple Support FAQ are being blocked or not.

    http://www.firebind.com/bonjour

    It will test TCP 5297 and 5298 as well as UDP 5298 and 5353 to confirm there is no firewall blocking them.

    If you have other ports you want to test besides the Bonjour ports then you can enter custom port ranges as well through their Applet client.

    - ProtocolGeek

  • Gavin Lawrie Level 2 Level 2 (395 points)

    Thanks - looks like a useful tool / site. The server in question passes the test no problem. The problem persists even if you turn off the firewall completely.

  • Brettermeier Level 1 Level 1 (25 points)

    I'm a little bit confused about your serverside en0. En0 has 2 IP addresses, 46.33.146.45 and 46.33.146.46. Is that a dual port NIC with load balancing activated or a VLAN? If it's no problem, try to disable the second NIC port (or VLAN) so that en0 uses only 1 IP. Make sure that NAT uses the right external NIC (en0).

  • Gavin Lawrie Level 2 Level 2 (395 points)

    Hi - sorry, should have explained about the two IPs. The en0 has two IPs based on simply duplicating the connection in the "Network" System Preferences - the '45' IP is used for Lion Server itself, the '46' for a standalone mail server package running on the same machine. The arrangement owes more to history than design - the mail server used to run on a second stand-alone Mac mini, and the IP was kept when merged onto a single machine - has been working perfectly well for about four years now (previously on a Mac mini). Do you think it has any relevance for this issue?

    In my many attempts to fix this, I have tried disabling the second IP on en0 (by 'setting service to inactive' in the Network bit of System Preferences). Made no difference.

    I'm sure the NAT is set to use en0 to connect to the internet, and en1 for communicating with the LAN.

    Oh and yes - the en0 is the connection used to connect the server to the Internet.

  • Brettermeier Level 1 Level 1 (25 points)

    One machine with 2 IP addresses in the same subnet could end up in a routing problem. I'm not sure if NAT can handle that. Try to temporarily disable the mail service, delete VLAN2 on en0 (.46), restart the server and use the gateway assistant again with en0 (.45) as your external device.
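As an added example (not code from the thread or from Apple), a small Python script that parses BSD-style ifconfig output such as the dumps posted above and mechanically flags the two things the replies ask about: an interface carrying more than one address inside one subnet (the en0 case raised in the last reply) and which server interface's subnet a given DHCP client address belongs to. The sample text is constructed from the server dump in the thread; the function names are mine.

```python
import ipaddress
import re

# Constructed sample, abridged from the server-side ifconfig output posted above.
SERVER_IFCONFIG = """\
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
          inet 46.33.146.45 netmask 0xfffffff8 broadcast 46.33.146.47
          inet 46.33.146.46 netmask 0xfffffff8 broadcast 46.33.146.47
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
vnic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet 10.211.55.2 netmask 0xffffff00 broadcast 10.211.55.255
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-f]+)")  # IPv4 lines only


def parse_ifconfig(text):
    """Return {iface: [IPv4Interface, ...]} from BSD/macOS-style ifconfig output."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
        elif current and (m := INET_RE.match(line)):
            prefix = bin(int(m.group(2), 16)).count("1")  # hex netmask -> prefix length
            result[current].append(ipaddress.ip_interface(f"{m.group(1)}/{prefix}"))
    return result


def same_subnet_duplicates(ifaces):
    """Interfaces with more than one address in a single subnet: {iface: (network, [ips])}."""
    dups = {}
    for name, addrs in ifaces.items():
        by_net = {}
        for a in addrs:
            by_net.setdefault(a.network, []).append(str(a.ip))
        for net, ips in by_net.items():
            if len(ips) > 1:
                dups[name] = (str(net), ips)
    return dups


def lan_interface_for(ifaces, client_ip):
    """Name of the interface whose subnet contains a DHCP client's address, or None."""
    ip = ipaddress.ip_address(client_ip)
    for name, addrs in ifaces.items():
        if any(ip in a.network for a in addrs):
            return name
    return None
```

Running it over the thread's server dump reports en0 as carrying two addresses in 46.33.146.40/29 and places the laptop's 192.168.2.2 on en1, so the DHCP side is consistent and the duplicated external address is the remaining oddity.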