Hi Leif,
Thanks for your reply, but I think your suggestions were a bit out of my league - I'm just a lowly designer who got sucked into Apple's marketing on their site, things like: "You don't need to be a UNIX guru to take advantage of Mac OS X Server and its full complement of services" and "Stable, compatible & easy to use". Believe it or not, I found Windows Small Business Server 2003 easier to set up.
Anyway, I think I understood some of your suggestions...
> First remove any ip number from router field for en0 - keep only ip number and netmask for LAN (no DNS and "stuff").
I wasn't sure if you meant the server or the client machine, so I did it on both - no change: the server could still connect to the internet and the client machine couldn't.
> Try in Terminal on LAN client: ipconfig getpacket en0 (reveals what you get from the DHCP server). Try pinging an ip number on Internet.
This is what I get - it looked good to me (I edited the sname)...
op = BOOTREPLY
htype = 1
dp_flags = 0
hlen = 6
hops = 0
xid = 1223146714
secs = 0
ciaddr = 192.168.1.2
yiaddr = 192.168.1.2
siaddr = 192.168.1.1
giaddr = 0.0.0.0
chaddr = 0:a:95:aa:e8:7c
sname = 000-00-00-000.dsl.clear.net.nz
file =
options:
Options count is 9
dhcp
messagetype (uint8): ACK 0x5
server_identifier (ip): 192.168.1.1
lease_time (uint32): 0xdec
subnet_mask (ip): 255.255.255.0
router (ip_mult): {192.168.1.1}
domain
nameserver (ip_mult): {192.168.1.1}
domain_name (string):
ldap_url (string):
end (none):
> Could you post your ipfw list ("disguise" any public IPs)?
Not sure if I did this right - I tried "ipfw list", "ipfw show" and "ipfw set show" in the terminal - this is what I got...
/Users/administrator root# ipfw list
00001 allow udp from any 626 to any dst-port 626
00010 divert 8668 ip from any to any via en0
01000 allow ip from any to any via lo0
01010 deny ip from any to 127.0.0.0/8
01020 deny ip from 224.0.0.0/4 to any in
01030 deny tcp from any to 224.0.0.0/4 in
12300 allow tcp from any to any established
12301 allow tcp from any to any out
12302 allow tcp from any to any dst-port 22
12302 allow udp from any to any dst-port 22
12303 allow udp from any to any out keep-state
12304 allow udp from any to any in frag
12305 allow tcp from any to any dst-port 311
12306 allow tcp from any to any dst-port 625
12307 allow udp from any to any dst-port 626
12308 allow icmp from any to any icmptypes 8
12309 allow icmp from any to any icmptypes 0
12310 allow igmp from any to any
12311 allow udp from any to any dst-port 500
12312 allow udp from any to any dst-port 1701
12313 allow esp from any to any
12314 allow tcp from any to any dst-port 687
12315 allow tcp from any to any dst-port 53 out keep-state
12315 allow udp from any to any dst-port 53 out keep-state
12316 allow udp from any to any dst-port 4500
12317 allow tcp from any to any dst-port 660
12318 allow ip from 192.168.1.0/24 to any via en0 keep-state
12319 allow udp from any 68 to any dst-port 67 via en0
65534 deny ip from any to any
65535 allow ip from any to any
/Users/administrator root# ipfw show
00001 2 158 allow udp from any 626 to any dst-port 626
00010 127 15336 divert 8668 ip from any to any via en0
01000 40242 7982054 allow ip from any to any via lo0
01010 0 0 deny ip from any to 127.0.0.0/8
01020 0 0 deny ip from 224.0.0.0/4 to any in
01030 0 0 deny tcp from any to 224.0.0.0/4 in
12300 2764 1298545 allow tcp from any to any established
12301 87 5028 allow tcp from any to any out
12302 0 0 allow tcp from any to any dst-port 22
12302 0 0 allow udp from any to any dst-port 22
12303 296 39513 allow udp from any to any out keep-state
12304 0 0 allow udp from any to any in frag
12305 56 3360 allow tcp from any to any dst-port 311
12306 0 0 allow tcp from any to any dst-port 625
12307 0 0 allow udp from any to any dst-port 626
12308 0 0 allow icmp from any to any icmptypes 8
12309 0 0 allow icmp from any to any icmptypes 0
12310 2 64 allow igmp from any to any
12311 0 0 allow udp from any to any dst-port 500
12312 0 0 allow udp from any to any dst-port 1701
12313 0 0 allow esp from any to any
12314 0 0 allow tcp from any to any dst-port 687
12315 0 0 allow tcp from any to any dst-port 53 out keep-state
12315 0 0 allow udp from any to any dst-port 53 out keep-state
12316 0 0 allow udp from any to any dst-port 4500
12317 0 0 allow tcp from any to any dst-port 660
12318 104 9174 allow ip from 192.168.1.0/24 to any via en0 keep-state
12319 0 0 allow udp from any 68 to any dst-port 67 via en0
65534 4 882 deny ip from any to any
65535 1576 150057 allow ip from any to any
> I would try setting up my own rule (if you want it working like a regular NAT router - nothing from LAN -> WAN is stopped):
> <free rule number> allow ip from 192.168.0.0/23 to any in via en0 keep-state
> This can be done in the advanced setup "with a bit of trying" - "in via en0 keep-state" filled in in the last field.
Couldn't work out how to do this - or didn't understand what I was doing! - could you step me through this?
Thanks a lot for your reply.
Cheers
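The `ipfw show` listing in the post is the most useful diagnostic in the thread: ipfw evaluates rules in number order, so the packet counter on the catch-all `65534 deny ip from any to any` tells you how much traffic no earlier `allow` matched, and duplicate rule numbers (12302 and 12315 both appear twice above) are worth knowing about before adding a new rule at a "free" number. The script below is an added example, not part of this thread and not an Apple or ipfw tool: it parses the `ipfw show` output exactly as pasted above (embedded as a constant, with the counters the post shows) and produces a small audit summary. It assumes Python 3 and the ipfw1-style output format seen on Mac OS X Server 10.3/10.4; nothing in it changes the firewall.

```python
"""Audit an `ipfw show` listing: duplicate rule numbers, catch-all deny hits,
divert (NAT) rules and which LAN rules are stateful.

Added example for the thread above; it is not Apple's or ipfw's own code.
The sample below is the `ipfw show` output pasted in the post.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Copied from the post (counters as shown there).
IPFW_SHOW = """\
00001 2 158 allow udp from any 626 to any dst-port 626
00010 127 15336 divert 8668 ip from any to any via en0
01000 40242 7982054 allow ip from any to any via lo0
01010 0 0 deny ip from any to 127.0.0.0/8
01020 0 0 deny ip from 224.0.0.0/4 to any in
01030 0 0 deny tcp from any to 224.0.0.0/4 in
12300 2764 1298545 allow tcp from any to any established
12301 87 5028 allow tcp from any to any out
12302 0 0 allow tcp from any to any dst-port 22
12302 0 0 allow udp from any to any dst-port 22
12303 296 39513 allow udp from any to any out keep-state
12304 0 0 allow udp from any to any in frag
12305 56 3360 allow tcp from any to any dst-port 311
12306 0 0 allow tcp from any to any dst-port 625
12307 0 0 allow udp from any to any dst-port 626
12308 0 0 allow icmp from any to any icmptypes 8
12309 0 0 allow icmp from any to any icmptypes 0
12310 2 64 allow igmp from any to any
12311 0 0 allow udp from any to any dst-port 500
12312 0 0 allow udp from any to any dst-port 1701
12313 0 0 allow esp from any to any
12314 0 0 allow tcp from any to any dst-port 687
12315 0 0 allow tcp from any to any dst-port 53 out keep-state
12315 0 0 allow udp from any to any dst-port 53 out keep-state
12316 0 0 allow udp from any to any dst-port 4500
12317 0 0 allow tcp from any to any dst-port 660
12318 104 9174 allow ip from 192.168.1.0/24 to any via en0 keep-state
12319 0 0 allow udp from any 68 to any dst-port 67 via en0
65534 4 882 deny ip from any to any
65535 1576 150057 allow ip from any to any
"""

# `ipfw show` prints: <rule number> <packets> <bytes> <action> <rest of rule>
RULE_RE = re.compile(r"^(\d{5})\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


@dataclass
class Rule:
    number: int
    packets: int
    nbytes: int
    action: str   # allow / deny / divert / ...
    body: str     # everything after the action keyword


def parse_ipfw_show(text: str) -> list[Rule]:
    """Parse `ipfw show` output; lines that are not rules (prompts etc.) are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4], m[5]))
    return rules


def duplicate_numbers(rules: list[Rule]) -> list[int]:
    """Rule numbers used more than once; `ipfw delete <n>` would remove all of them at once."""
    counts = Counter(r.number for r in rules)
    return sorted(n for n, c in counts.items() if c > 1)


def final_deny_packets(rules: list[Rule]) -> int:
    """Packets that fell through to the catch-all deny, i.e. matched no earlier allow."""
    return sum(r.packets for r in rules if r.number == 65534 and r.action == "deny")


def audit(text: str) -> dict:
    """Summary a reader can compare before and after a LAN-client connectivity test."""
    rules = parse_ipfw_show(text)
    return {
        "rule_count": len(rules),
        "duplicate_numbers": duplicate_numbers(rules),
        "final_deny_packets": final_deny_packets(rules),
        # divert rules hand packets to natd; the interface named here is where NAT happens
        "divert_rules": [r.number for r in rules if r.action == "divert"],
        # stateful allow rules for the LAN subnet seen in the post
        "lan_keep_state_rules": [r.number for r in rules
                                 if "192.168.1.0/24" in r.body and "keep-state" in r.body],
        "unused_rules": sorted({r.number for r in rules if r.packets == 0}),
    }


if __name__ == "__main__":
    for key, value in audit(IPFW_SHOW).items():
        print(f"{key}: {value}")
```

Running it on the pasted listing reports 30 rules, duplicate numbers 12302 and 12315, 4 packets on the final deny, the NAT divert at rule 10 and the stateful LAN allow at rule 12318. Re-running `ipfw show` while the LAN client tries to reach the internet, and feeding both captures through `audit`, shows whether the catch-all deny counter moves; if it does not, the firewall is not what is dropping the client's traffic and the NAT or DNS side deserves the next look.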