Previous 1 2 Next 16 Replies Latest reply: Nov 16, 2014 3:32 PM by Franco Borgo
OZone. Level 1 (0 points)

I have a home wired Ethernet network ( One of the macs in this network is a mac mini Server ( Another device ( provides some valuable service which I want to use outside over the internet. My ISP gives me internet access through bridge connection at some routing device connected to the same Ethernet network (bridge, no IP). mac mini Server dials PPPoE to ISP and gets its static public 91.122.XXX.XXX IP. mac mini Server uses InternetConectionSharing (switched to start from to give internet to the rest of Ethernet network. With InternetConnection switched on, mac mini Server gets another one local IP.

At mac mini Server I have set up VPN to start from Then I dial VPN to my 91.122.XXX.XXX server from my cellular network (90.30.XXX.XXX) having no access to my home network.

I can use services from that iPhone. But I can not connect to any other device on home network except mac mini Server

When I look at tcpdump it shows:

  • PPPoE 90.30.XXX.XXX > 91.122.XXX.XXX packet
  • TCP > SYN packet
  • TCP > SYN ACK packet
  • So, TCP SYN ACK does not get transmitted back from server over VPN.

How to deal with it? Please help me. Any clue? How to troubleshoot why response does not get back for all devices except server?

91.122.XXX.XXX:~ me$ sudo netstat -r -n -f inet

Routing tables


Destination        Gateway            Flags        Refs      Use   Netif Expire

default           UGSc           79    21465    ppp0

default            link#11            UCSI            0        0 bridge1

default            UGScI           0        0    ppp1

1.1.1/24           link#11            UC              8        0 bridge1            UHS             2      756     lo0          link#11            UHLWI           0        5 bridge1          91.122.XXX.XXX     UHr             4      263    ppp1          bridge100:cb.2b.64 UHLS2           0        0 bridge1         91.122.XXX.XXX     UHr            79        0    ppp0

127                UCS             0        0     lo0          UH             18    30108     lo0

91.122.XXX.XXX:~ me$ ifconfig

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384


          inet6 ::1 prefixlen 128

          inet netmask 0xff000000

          inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1

          nd6 options=1<PERFORMNUD>

gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

stf0: flags=0<> mtu 1280



          ether 10:dd:b1:bc:dd:f6

          nd6 options=1<PERFORMNUD>

          media: autoselect (1000baseT <full-duplex,flow-control,energy-efficient-ethernet>)

          status: active


          ether 28:cf:e9:02:36:15

          nd6 options=1<PERFORMNUD>

          media: autoselect (<unknown type>)

          status: inactive



          ether 32:00:11:e8:d5:a0

          media: autoselect <full-duplex>

          status: inactive


          lladdr 44:fb:42:ff:fe:1e:8d:5a

          media: autoselect <full-duplex>

          status: inactive

bridge0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500


          ether 12:dd:b1:cb:2b:00


                    id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0

                    maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200

                    root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0

                    ipfilter disabled flags 0x2

          member: en2 flags=3<LEARNING,DISCOVER>

                  ifmaxaddr 0 port 6 priority 0 path cost 0

          media: <unknown type>

          status: inactive

p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304

          ether 0a:cf:e9:02:36:15

          media: autoselect

          status: inactive

ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492

          inet 91.122.XXX.XXX --> netmask 0xff000000

utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380

          inet6 fe80::a9b3:1267:b54b:3c55%utun0 prefixlen 64 scopeid 0xe

          inet6 fd18:123a:86a6:4f5f:a9b3:1267:b54b:3c55 prefixlen 64

          nd6 options=1<PERFORMNUD>



          ether 12:dd:b1:cb:2b:64

          inet netmask 0xffffff00 broadcast


                    id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0

                    maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200

                    root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0

                    ipfilter disabled flags 0x2

          member: en0 flags=3<LEARNING,DISCOVER>

                  ifmaxaddr 0 port 4 priority 0 path cost 0

          media: autoselect

          status: active

ppp1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1272

          inet 91.122.XXX.XXX --> netmask 0xff000000

OS X Mavericks (10.9.2), Xcode 5
  • piperspace Level 2 (305 points)

    I use OpenVPN in my routers. With that package you use a directive called "push route" on the VPN server to open a path between VPN client and other devices on your internal LAN.


    I don't know if Apple VPN has this directive or not.

  • piperspace Level 2 (305 points)

    Looks like the equivalent directive in Apple VPN is "offeredroutes".


    See the man page for vpnd and this discussion:


  • OZone. Level 1 (0 points)

    In there is a list of routes that will be provided to VPN clients. But I think that the problem is not on the client side, because client succeedes passing the packet through VPN to server. I think it has something to do with server routing.

    I have added Private route and it changed nothing. Still VPN client's packets gets to server PPPoE 90.33.XXX.XXX > 91.121.XXX.XXX, then it is unpacked and transmitted over the local network >, then, server responds to > over that local network and still they doesn't pack to PPPoE for transmission over the VPN back.

    What could be wrong? What additional steps should be performed besides default for server routing to behave well in described environment?

  • MrHoffman Level 6 (14,000 points)

    For a NAT'd network, please utilize one of the designated private IP address blocks (a subnet within, or, and out of real and routable public IP address space; if your routes should leak out — hopefully your ISP is configured to prevent that from happening — then your network activity could get very much more interesting.  Your remote access via VPN may well be running into a routing issue, if there's a better IP route to available elsewhere, too.  There won't be a public route to one of the private blocks.

  • piperspace Level 2 (305 points)

    I agree - it does sound like the server is failing to recognize LAN packets directed to your VPN client and route them.


    My only other suggestion is to consider using one of the usual private IP ranges on your LAN.


    10.x.x.x or 192.168.x.x instead of 1.1.x.x.


    The range you are using could be confusing to the server's routing logic. It may be sending them to the internet instead of your VPN client.


    Just a suggestion

  • OZone. Level 1 (0 points)

    Replaced to Everything is the same both without and with additional VPN client route.

    Why UNIX stuff is so broken?! Things can't negotiate with each other. Why every step to UNIX from Windows is so painfull and slow? One problem gets behind the other. I can't see them ended. And I'm seriously considering switching back to Windows Server. It is a no way to go. Please, help me, any clue? How UNIX makes its descisions what to do with a network packet? Why does it silently discards it and not transmit via exiting VPN tunnel?

  • piperspace Level 2 (305 points)

    Computers of all kinds are often frustrating. If you like windows by all means use it.


    Others are able to use the service you are having problems with. Something specific about your set up is defeating VPN.


    Like a firewall issue or conflict on a port needed by VPN.


    This might be a clue:


    "OS X Server VPN service, Back to My Mac. Note: Configuring Back to My Mac on an AirPort Base Station or Time Capsule in NAT mode will impede connectivity to an OS X Server VPN service behind that NAT."


    See this link:



    Good luck.

  • MrHoffman Level 6 (14,000 points)

    If Microsoft Windows better meets your needs, then by all means use it.   Windows Server is a very capable server operating system environment, and very widely deployed.


    I see you're using Internet connection sharing.  I prefer to avoid that — trying to get OS X to act as a NAT router has been a longstanding issue, and having it exposed in this fashion tends to allow remote folks to poke directly at it. Short of fairly involved ccommand line configuration sequences, here are very few controls over that capability, as well.  Given you're entirely public addresses and with no NAT, I'd tend to expect routing problems with trying to reach that NAT'd network.


    In general, I'd have a firewall-gateway-router-NAT box connected to your ISP bridge, and having that handling NAT and either with an embedded VPN server, or with VPN pass-through.


    if you don't want to configure that, then you'll probably want to get a second public static (routable) IP address from your ISP, and assign that to your target box.  You can then connect directly, without NAT, using that IP address.  No passthrough, no NAT.


    At least so far, nothing discussed here is specific to Windows or to OS X, either.  All of what's being discussed are IP and DNS networking configuration details, and the usual hassles that are VPNs.  (I also generally don't prefer to use VPN passthrough, as I've found it to be fussy around NAT.)


    VPNs generally do not require specification of routes, though I've had a few cases where I've had to specify one due to the local network and target configuration:  Here's an example of adding a route, but this applies to reaching the target network via a working NAT box:

    sudo route add -interface ppp0
  • OZone. Level 1 (0 points)

    There is no firewalls or NATs between OS X Server and  internet. Direct connection through bridge. I can see all the packets going into server. They does not go to VPN back.

  • MrHoffman Level 6 (14,000 points)

    OZone. wrote:


    There is no firewalls or NATs between OS X Server and  internet. Direct connection through bridge. I can see all the packets going into server. They does not go to VPN back.


    I'd either use NAT (and preferably a valid private block), or get a few more public addresses from the ISP network provider.   I'd not use the block, as that block is a real and routable IPv6 block, and was assigned to APNIC in 2010.


    I'd get a firewall in general, as I don't trust OS X Server to keep all of its ports secure against remote probes. 


    With a firewall (preferably with an embedded VPN server) there's little reason not to use NAT.  Well, not unless additional public static IP addresses are available, and available sufficiently cheaply. 


    NAT also usually expects use of one of the three private address blocks (,, or, and properly-functioning routers will generally prevent those blocks from being presented as routable.

  • piperspace Level 2 (305 points)

    In effect you are using a Mac mini as a router. More often folks use an airport or similar device with NAT as their primary connection. Your problem seems to arise from a conflict between internet connection sharing and vpn on the Mac.


    I can't find much documentation on how internet connection sharing works under the covers.


    I think you have two choices:


    1) acquire a router and put it in front of you Mac. Turn off internet connection sharing.


    2) figure out how to override this not well documented feature of osx.


    Here are some links that may help




    Good luck

  • Franco Borgo Level 1 (50 points)

    not sure why you activated  internet sharing on the mac mini ? From what to what. I did tried it a couple of time but now I have a wireless router and no need for it. 


    Have you solve your problem ?

  • OZone. Level 1 (0 points)

    Nope. I need my mac to be a router, so it is exposed directly to external network. Otherwise it won't have the public IP.

  • Franco Borgo Level 1 (50 points)

    I use to have a Mac pro with two ethernet port configure to be expose to public network


    Now, I much prefer to have a router between my Mac and the external network. Mac Server use to a have much more fine control over the firewall. Now I use the router for it. The server does not need to have a public IP,  only the router, and forward the service you want to the machine you want.


    The Mac Mini only has one ethernet port.

    Internet sharing only work from one network interface to another, what do you use,  as a second port for internet sharing ?

Previous 1 2 Next