
Internet Sharing using Snow Leopard Server




jw2002
Mar 5, 2010, 01:47 AM
I cannot get the equivalent of "Internet Sharing" to work right using Snow Leopard server. What I would like to do is have the Snow Leopard Server share its en0 with the fw0 interface -- or more accurately bridge the two network interfaces such that traffic can pass both ways.

The ethernet interface is the primary interface used in my Server setup, and is plugged into my Time Capsule, and serves out both DHCP and DNS for any clients connected wirelessly or through one of the Time Capsule's remaining ethernet ports (behind and not exposed to the WAN). The firewire interface is just connected to a Mac mini in hopes of having a low latency network connection that I plan to use for some multiprocessing experiments. Things work almost correctly in that the fw0 client machine on subnet 192.168.2.* can talk to all the clients on the 192.168.1.* en0 subnet and vice versa. However, DNS is not successfully being served to the fw0 client. Furthermore, things like "ping" are not traversing the network en0/fw0 successfully, suggesting that the interfaces are not correctly bridged.

I took a look at the Gateway Configuration Assistant, but that feature appears to make too many bad assumptions, does much in the way of user controls, and clobbers already established parameters that I had set up. I tried it once, and it made a royal mess of various settings. It just seems that if this is a 1-click step in OS X, it shouldn't be so hard to do in Snow Leopard Server. Even under Linux it's just a matter of an ifconfig command with bridge-related command line options to achieve this.

Can anyone suggest what I might be missing or perhaps point me to the script that is behind the Gateway Configuration Assistant? Maybe I could parse that script to suss out the missing step that I need to take. Thanks.



jw2002
Mar 5, 2010, 11:41 AM
Okay, found one small improvement. The following extremely obscure and undocumented setting at least allows pings to traverse the network interfaces in both directions. This was issued on the Snow Leopard Server box:

sudo sysctl -w net.inet.ip.scopedroute=0

Prior to the above command, I would get the following ping fails (from a host located at 192.168.2.47):

% ping 192.168.1.20
PING 192.168.1.20 (192.168.1.20): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C


And after issuing the above command, the pings work:

% ping 192.168.1.20
PING 192.168.1.20 (192.168.1.20): 56 data bytes
64 bytes from 192.168.1.20: icmp_seq=0 ttl=64 time=441.023 ms
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=302.703 ms
64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=1.997 ms
^C

And here is a successful traceroute command that will shed light on how the machines are arranged:

% traceroute 192.168.1.20
traceroute to 192.168.1.20 (192.168.1.20), 64 hops max, 52 byte packets
1 192.168.2.1 (192.168.2.1) 1.090 ms 0.180 ms 0.158 ms
2 192.168.1.20 (192.168.1.20) 376.223 ms 1.020 ms 0.839 ms


However, DNS queries still aren't working on the 192.168.2.* side. The Snow Leopard Server has its DNS server configured and all clients on the 192.168.1.* side refer to it at 192.168.1.6 and have no problem resolving local or external hosts. However, on the 192.168.2 side, it's not working. I have explicitly tried setting their DNS server values to 192.168.1.6 and to 192.168.2.1 (the IP address of the SL server's fw interface), but no dice.

Alrescha
Mar 5, 2010, 01:06 PM
DNS queries still aren't working on the 192.168.2.* side.

For what it's worth, the DNS service configuration in Snow Leopard Server does come with an access list of what networks to accept recursive queries from - might be worth a peek.

A.

jw2002
Mar 6, 2010, 12:45 AM
For what it's worth, the DNS service configuration in Snow Leopard Server does come with an access list of what networks to accept recursive queries from - might be worth a peek.


Thanks, but I don't think that's it because "localnets" are already allowed by default when DNS is first configured. In addition, adding the 192.168.2.1/24 netblock there explicitly had no effect.

I am starting to think that this might be a NAT/Firewall interaction issue. There is a cryptic message in the networking documentation stating that Snow Leopard NAT works only when the firewall is active. I don't have the firewall active because it is denying all traffic whenever active. I suspect that is due to the Gateway Configuration Manager hosing it up.

landrew4
Mar 11, 2010, 05:44 PM
The firewall is definitely required to use the NAT service on Snow Leopard server. It is the divert rule in the firewall configuration that diverts any packet on the external interface to the natd port (8668) so the NAT engine can work.

TheBee
Sep 7, 2010, 02:35 PM
Okay, found one small improvement. The following extremely obscure and undocumented setting at least allows pings to traverse the network interfaces in both directions. This was issued on the Snow Leopard Server box:

sudo sysctl -w net.inet.ip.scopedroute=0


Yoicks. I found that over at discussions.apple.com as well, but it only works for about 15 minutes for me, and then the box stops routing. Have you found any more documentation about this?

TheBee
Sep 9, 2010, 12:10 PM
Yoicks. I found that over at discussions.apple.com as well, but it only works for about 15 minutes for me, and then the box stops routing. Have you found any more documentation about this?

See that discussion: setting it in sysctl.conf and then running "applejack auto restart".
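An added example (not from anyone in this thread) that audits the three gateway settings the posts above identify: the net.inet.ip.forwarding and net.inet.ip.scopedroute sysctls, and landrew4's point that the firewall must carry a divert rule to the natd port 8668 on the external interface. The function names, the external interface name en0 and the sample ipfw listing are assumptions constructed for the example; values are passed in as text so the checks run anywhere, and on the server itself you would feed them from `sysctl -n` and `ipfw list`.

```shell
#!/bin/sh
# Audit a Snow Leopard Server NAT gateway for the settings discussed in the
# thread. Example code, not Apple's; assumes en0 is the external interface.

# check_sysctl NAME VALUE WANT -> prints one line, returns 0 if VALUE == WANT
check_sysctl() {
    if [ "$2" = "$3" ]; then
        echo "ok   $1=$2"; return 0
    else
        echo "FAIL $1=$2 (want $3)"; return 1
    fi
}

# has_divert_rule IFACE RULES -> 0 if RULES (the text `ipfw list` prints)
# contains a "divert 8668" rule scoped to IFACE with "via IFACE"
has_divert_rule() {
    printf '%s\n' "$2" | grep -Eq "^[0-9]+ divert 8668 .* via $1( |$)"
}

# check_gateway FWD SCOPED IFACE RULES -> 0 only if every check passes
#   FWD    value of net.inet.ip.forwarding (want 1: kernel routes en0<->fw0)
#   SCOPED value of net.inet.ip.scopedroute (want 0: the sysctl jw2002 found)
#   IFACE  external interface the divert rule must be bound to
#   RULES  ipfw listing to search for the natd divert rule
check_gateway() {
    rc=0
    check_sysctl net.inet.ip.forwarding "$1" 1 || rc=1
    check_sysctl net.inet.ip.scopedroute "$2" 0 || rc=1
    if has_divert_rule "$3" "$4"; then
        echo "ok   divert 8668 rule on $3"
    else
        echo "FAIL no 'divert 8668 ... via $3' rule; natd never sees packets"
        rc=1
    fi
    return $rc
}

# Constructed sample ipfw listing in the shape `ipfw list` prints (not captured
# from a real server); the first line is the rule the NAT service needs.
SAMPLE_RULES='00010 divert 8668 ip from any to any via en0
00020 allow ip from any to any via lo0
65535 allow ip from any to any'

check_gateway 1 0 en0 "$SAMPLE_RULES"
```

Persisting net.inet.ip.scopedroute=0 in /etc/sysctl.conf, as TheBee describes, is what keeps the second check passing across reboots.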

blouis79
Dec 4, 2011, 02:34 PM
Have got SLS running on laptop. (Learning purposes and home use.) Trying to share a hotel broadband connection over AirPort to iOS clients. After much hunting for a solution, it's finally working, though not as simple as setting up SL client.

Basically:
a. use AirPort to create a computer-to-computer network.
b. set up SLS to be a gateway running DHCP, NAT, firewall.

Mac_OSX_Server_v10.6_Getting_Started describes the process on page 37 without enough detail for a non-network expert to do the job.

ServerAdmin>NAT>Overview>Gateway setup assistant doesn't quite set it all up correctly.

Instructions on how to fix it are here http://support.apple.com/kb/TS3887 "Unable to connect to the Internet after running NAT Gateway Setup Assistant".

AirPort icon shows only a computer-to-computer network, but SLS is taking care of the internet gateway function.

BTW, if sharing with non-Apple devices (e.g. PS3), one has to enter a WEP key as hexadecimal, because different people have different WEP key algorithms. I use WEPKeymaker to generate the hex version, and one has to enter the hex key on all machines including the machine doing the internet sharing.