Internet Sharing using Snow Leopard Server

Discussion in 'Mac OS X Server, Xserve, and Networking' started by jw2002, Mar 4, 2010.

  1. macrumors 6502

    Joined:
    Feb 23, 2008
    #1
    I cannot get the equivalent of "Internet Sharing" to work right using Snow Leopard server. What I would like to do is have the Snow Leopard Server share its en0 with the fw0 interface -- or more accurately bridge the two network interfaces such that traffic can pass both ways.

    The ethernet interface is the primary interface used in my Server setup, and is plugged into my Time Capsule, and serves out both DHCP and DNS for any clients connected wirelessly or through one of the Time Capsule's remaining ethernet ports (behind and not exposed to the WAN). The firewire interface is just connected to a mac mini in hopes of having a low latency network connection that I plan to use for some multiprocessing experiments. Things work almost correctly in that the fw0 client machine on subnet 192.168.2.* can talk to all the clients on the 192.168.1.* en0 subnet and vice versa. However, DNS is not successfully being served to the fw0 client. Furthermore, things like "ping" are not traversing the network en0/fw0 successfully, suggesting that the interfaces are not correctly bridged.

    I took a look at the Gateway Configuration Assistant, but that feature appears to make too many bad assumptions, does much in the way of user controls, and clobbers already established parameters that I had set up. I tried it once, and it made a royal mess of various settings. It just seems that if this is a 1-click step in OS X, it shouldn't be so hard to do in Snow Leopard Server. Even under linux it's just a matter of an ifconfig command with bridge related command line options to achieve this.

    Can anyone suggest what I might be missing or perhaps point me to the script that is behind the Gateway Configuration Assistant? Maybe I could parse that script to suss out the missing step that I need to take. Thanks.
     
  2. thread starter macrumors 6502

    Joined:
    Feb 23, 2008
    #2
    Okay, found one small improvement. The following extremely obscure and undocumented setting at least allows pings to traverse the network interfaces in both directions. This was issued on the Snow Leopard Server box:

    Code:
    sudo sysctl -w net.inet.ip.scopedroute=0
    Prior to the above command, I would get the following ping fails (from a host located at 192.168.2.47):

    Code:
    % ping 192.168.1.20
    PING 192.168.1.20 (192.168.1.20): 56 data bytes
    Request timeout for icmp_seq 0
    Request timeout for icmp_seq 1
    Request timeout for icmp_seq 2
    ^C
    
    And after issuing the above command, the pings work:

    Code:
    % ping 192.168.1.20
    PING 192.168.1.20 (192.168.1.20): 56 data bytes
    64 bytes from 192.168.1.20: icmp_seq=0 ttl=64 time=441.023 ms
    64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=302.703 ms
    64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=1.997 ms
    ^C
    And here is a successful traceroute command that will shed light on how the machines are arranged:

    Code:
    % traceroute 192.168.1.20
    traceroute to 192.168.1.20 (192.168.1.20), 64 hops max, 52 byte packets
     1  192.168.2.1 (192.168.2.1)  1.090 ms  0.180 ms  0.158 ms
     2  192.168.1.20 (192.168.1.20)  376.223 ms  1.020 ms  0.839 ms
    
    However, DNS queries still aren't working on the 192.168.2.* side. The Snow Leopard Server has its DNS server configured, and all clients on the 192.168.1.* side refer to it at 192.168.1.6 and have no problem resolving local or external hosts. However, on the 192.168.2.* side, it's not working. I have explicitly tried setting their DNS server values to 192.168.1.6 and to 192.168.2.1 (the IP address of the SL server's fw interface), but no dice.
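    The ping and traceroute transcripts above are the evidence the rest of the thread reasons from, so here is an added example (not code from the original post) that parses both formats and reports packet loss and the hop path. The sample strings are copied from the transcripts quoted in post #2 and embedded inline; the `path_type` classification is this example's own heuristic: a first hop at the server's fw0 address (192.168.2.1) means the server is routing between two subnets, which is what the traceroute shows, rather than bridging them at layer 2.

```python
import re

# Constructed samples, copied from the transcripts quoted in the post
# (host 192.168.2.47 reaching 192.168.1.20 through the Snow Leopard Server).
PING_BEFORE = """PING 192.168.1.20 (192.168.1.20): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
"""
PING_AFTER = """PING 192.168.1.20 (192.168.1.20): 56 data bytes
64 bytes from 192.168.1.20: icmp_seq=0 ttl=64 time=441.023 ms
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=302.703 ms
64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=1.997 ms
"""
TRACEROUTE = """traceroute to 192.168.1.20 (192.168.1.20), 64 hops max, 52 byte packets
 1  192.168.2.1 (192.168.2.1)  1.090 ms  0.180 ms  0.158 ms
 2  192.168.1.20 (192.168.1.20)  376.223 ms  1.020 ms  0.839 ms
"""

REPLY_RE = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
TIMEOUT_RE = re.compile(r"Request timeout for icmp_seq (\d+)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+) \(([\d.]+)\)")


def parse_ping(text):
    """Count probes sent/answered in macOS ping output and compute loss."""
    sent = 0
    replies = []  # (icmp_seq, ttl, rtt_ms)
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            sent += 1
            replies.append((int(m.group(1)), int(m.group(2)), float(m.group(3))))
        elif TIMEOUT_RE.search(line):
            sent += 1
    received = len(replies)
    loss = 0.0 if sent == 0 else 100.0 * (sent - received) / sent
    return {"sent": sent, "received": received, "loss_pct": loss, "replies": replies}


def parse_traceroute(text):
    """Return [(hop_number, ip)] from macOS traceroute output, skipping the header."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(3)))
    return hops


def path_type(hops, gateway):
    """Heuristic: a gateway as hop 1 followed by the target means the traffic is
    routed (layer 3) through that gateway; a target at hop 1 means the two hosts
    share one segment, which is what a working bridge would look like."""
    if not hops:
        return "unknown"
    if hops[0][1] == gateway and len(hops) > 1:
        return "routed"
    return "direct"


if __name__ == "__main__":
    print("before sysctl change:", parse_ping(PING_BEFORE))
    print("after sysctl change: ", parse_ping(PING_AFTER))
    hops = parse_traceroute(TRACEROUTE)
    print("hops:", hops, "->", path_type(hops, "192.168.2.1"))
```

    Run against live output by piping `ping -c 3 HOST` or `traceroute HOST` into the parsers; the 100% loss before the sysctl change and the two-hop path afterwards reproduce what the post reports.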
     
  3. macrumors 65816

    Joined:
    Jan 1, 2008
    #3
    For what it's worth, the DNS service configuration in Snow Leopard Server does come with an access list of what networks to accept recursive queries from - might be worth a peek.

    A.
     
  4. thread starter macrumors 6502

    Joined:
    Feb 23, 2008
    #4
    Thanks, but I don't think that's it because "localnets" are already allowed by default when DNS is first configured. In addition, adding the 192.168.2.1/24 netblock there explicitly had no effect.

    I am starting to think that this might be a NAT/Firewall interaction issue. There is a cryptic message in the networking documentation stating that Snow Leopard NAT works only when the firewall is active. I don't have the firewall active because it is denying all traffic whenever active. I suspect that is due to the Gateway Configuration Manager hosing it up.
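    Posts #3 and #4 turn on whether the DNS service's recursion allow-list covers the fw0 clients. The following added example (not code from the original thread) models that check with the addresses quoted above: it expands a `localnets`-style entry from the server's interface addresses and normalizes explicit CIDR entries. The interface assignments (`en0` 192.168.1.6/24, `fw0` 192.168.2.1/24) are assumed from the thread; the entry `192.168.2.1/24` the poster added has host bits set, and the check shows it resolves to the same 192.168.2.0/24 that `localnets` already covers, which is consistent with adding it having no effect.

```python
import ipaddress

# Assumed server interface configuration, built from addresses quoted in the thread.
SERVER_INTERFACES = {
    "en0": "192.168.1.6/24",  # LAN side, where clients resolve fine
    "fw0": "192.168.2.1/24",  # FireWire side, where clients cannot resolve
}


def localnets(interfaces):
    """Networks directly attached to the server; a 'localnets' ACL entry expands to these."""
    return [ipaddress.ip_interface(a).network for a in interfaces.values()]


def normalize_acl_entry(entry):
    """Return (network, canonical) for a CIDR ACL entry.
    '192.168.2.1/24' has host bits set; strict=False maps it to 192.168.2.0/24
    and canonical=False tells the caller the entry was not written as a network."""
    net = ipaddress.ip_network(entry, strict=False)
    return net, str(net) == entry


def expand_acl(acl_entries, interfaces):
    """Expand an allow-list into concrete networks."""
    nets = []
    for entry in acl_entries:
        if entry == "localnets":
            nets.extend(localnets(interfaces))
        else:
            nets.append(normalize_acl_entry(entry)[0])
    return nets


def recursion_allowed(client_ip, acl_entries, interfaces):
    """True when the client address falls inside any network of the allow-list."""
    client = ipaddress.ip_address(client_ip)
    return any(client in net for net in expand_acl(acl_entries, interfaces))


def redundant_entries(acl_entries, interfaces):
    """Explicit entries already covered by 'localnets' (adding them changes nothing)."""
    local = localnets(interfaces)
    redundant = []
    for entry in acl_entries:
        if entry == "localnets":
            continue
        net, _ = normalize_acl_entry(entry)
        if any(net.subnet_of(l) for l in local):
            redundant.append(entry)
    return redundant


if __name__ == "__main__":
    acl = ["localnets", "192.168.2.1/24"]
    for client in ("192.168.1.20", "192.168.2.47", "10.0.0.9"):
        print(client, "recursion allowed:", recursion_allowed(client, acl, SERVER_INTERFACES))
    print("redundant:", redundant_entries(acl, SERVER_INTERFACES))
```

    If a client on the fw0 subnet is allowed here yet still gets no answers, the allow-list is not the failing control and the packet path (forwarding, NAT, firewall) is the next thing to verify, which is where post #4 ends up.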
     
  5. macrumors newbie

    Joined:
    Jan 24, 2008
    #5
    The firewall is definitely required to use the NAT service on Snow Leopard server. It is the divert rule in the firewall configuration that diverts any packet on the external interface to the natd port (8668) so the NAT engine can work.
     
  6. macrumors newbie

    Joined:
    Sep 7, 2010
    #6
    Yoicks. I found that over at discussions.apple.com as well, but it only works for about 15 minutes for me, and then the box stops routing. Have you found any more documentation about this?
     
  7. macrumors newbie

    Joined:
    Sep 7, 2010
    #7
    See that discussion: setting it in sysctl.conf and then running "applejack auto restart".
     
  8. blouis79, Dec 4, 2011
    Last edited: Dec 4, 2011

    macrumors member

    Joined:
    Jun 7, 2005
    #8
    Have got SLS running on laptop. (Learning purposes and home use.) Trying to share a hotel broadband connection over airport to iOS clients. After much hunting for a solution, it's finally working, though not as simple as setting up SL client.

    Basically:
    a. use airport to create a computer-to-computer network.
    b. set up SLS to be a gateway running DHCP, NAT, firewall.

    Mac_OSX_Server_v10.6_Getting_Started describes the process on page 37 without enough detail for a non-network expert to do the job.

    ServerAdmin>NAT>Overview>Gateway setup assistant doesn't quite set it all up correctly.

    Instructions on how to fix it are here http://support.apple.com/kb/TS3887 "Unable to connect to the Internet after running NAT Gateway Setup Assistant".

    Airport icon shows only a computer-to-computer network, but SLS is taking care of the internet gateway function.

    BTW, if sharing with non-Apple devices (e.g. PS3), one has to enter a WEP key as hexadecimal, because different people have different WEP key algorithms. I use WEPKeymaker to generate the hex version, and one has to enter the HEX key on all machines including the machine doing the internet sharing.
     
