HT200188: Lion Server: How to configure NAT and DHCP with a custom range of IP addresses

alexr

Q: Broke in 10.7.4?

This worked fine for me until I finally caved and let Software Update install 10.7.4.

The pf.anchors/com.apple file changed during the update, so I made the corresponding edits again. (There's a new scrub-anchor rule as well.)

However, NAT's not working.

pf logging looks like it might offer a clue, but I haven't wrapped my head around pf enough to get it enabled. Any recipe for getting that going?

Any other debug tips?

Mac OS X (10.7.4)

Posted on Jul 15, 2012 2:40 AM


  • by alexr, Solved answer

    alexr Jul 21, 2012 5:51 PM in response to alexr
    Level 1 (0 points)

    Turns out that loading seems broken. In the KB article, if you take the rules you're adding to exampleNATRules and place them up in /etc/pf.conf in the proper spot (after the nat-anchor and rdr-anchor rules), then it'll work again.

  • by J Cobb

    J Cobb Jul 22, 2012 1:48 PM in response to alexr
    Level 1 (5 points)

    I found that this was not necessary on my machine. In fact, putting

        nat on en3 from 192.168.2.1/24 to any -> (en3)
        pass from {lo0, 192.168.2.1/24} to any keep state

    at the end of /etc/pf.conf resulted in it not working and the following error showing up in Console.app:

        7/22/12 1:28:00.036 PM com.apple.pfctl: /etc/pf.conf:25: Rules must be in order: options, normalization, queueing, translation, filtering


  • by alexr

    alexr Jul 22, 2012 5:03 PM in response to J Cobb
    Level 1 (0 points)

    They have to be placed in the proper spot in pf.conf. Put them right after the existing rdr-anchor rule and before the anchor and load-anchor rules.

    You can use "sudo pfctl -v -n -f /etc/pf.conf" to verify the syntax.

  • by J Cobb

    J Cobb Jul 22, 2012 5:04 PM in response to alexr
    Level 1 (5 points)

    Ahhh. I put them at the end after the existing load anchor rule.

    Regardless, they seem to be loading just fine as per the original KB article for me.
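
The ordering error quoted in the thread, and the placement fix given in reply to it, can be reproduced with a small order check. This is an added example, not part of the original posts and not Apple's or pfctl's code; the keyword map is a simplified assumption and the pf.conf skeleton is constructed from the anchor rules the thread names.

```python
# pf's required section order, as listed in the pfctl error quoted in the thread.
ORDER = ["options", "normalization", "queueing", "translation", "filtering"]

# Simplified keyword-to-section map (assumption: common keywords only).
SECTION = {
    "set": "options",
    "scrub": "normalization", "scrub-anchor": "normalization",
    "altq": "queueing", "queue": "queueing",
    "nat": "translation", "rdr": "translation", "binat": "translation",
    "nat-anchor": "translation", "rdr-anchor": "translation",
    "pass": "filtering", "block": "filtering", "anchor": "filtering",
}

def check_order(text):
    """Return (line_no, section, section_already_reached) per misplaced rule."""
    problems, highest = [], -1
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        # Macros, tables and "load anchor" are treated as order-neutral here
        # (assumption of this sketch), so unknown keywords are skipped.
        section = SECTION.get(line.split()[0])
        if section is None:
            continue
        rank = ORDER.index(section)
        if rank < highest:
            problems.append((no, section, ORDER[highest]))
        else:
            highest = rank
    return problems

# Constructed sample skeleton, not a copy of the shipped /etc/pf.conf.
HEAD = ('scrub-anchor "com.apple/*"\n'
        'nat-anchor "com.apple/*"\n'
        'rdr-anchor "com.apple/*"\n')
TAIL = ('anchor "com.apple/*"\n'
        'load anchor "com.apple" from "/etc/pf.anchors/com.apple"\n')
# The two rules quoted in the thread.
NAT_RULES = ('nat on en3 from 192.168.2.1/24 to any -> (en3)\n'
             'pass from {lo0, 192.168.2.1/24} to any keep state\n')

if __name__ == "__main__":
    print("after rdr-anchor:", check_order(HEAD + NAT_RULES + TAIL))
    print("at end of file:  ", check_order(HEAD + TAIL + NAT_RULES))
```

The authoritative check on a real system remains the `pfctl -v -n -f /etc/pf.conf` dry run mentioned in the thread.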