Internet Sharing using Snow Leopard Server

Discussion in 'Mac OS X Server, Xserve, and Networking' started by jw2002, Mar 4, 2010.

  1. jw2002 macrumors 6502

    Feb 23, 2008
    I cannot get the equivalent of "Internet Sharing" to work right using Snow Leopard server. What I would like to do is have the Snow Leopard Server share its en0 with the fw0 interface -- or more accurately bridge the two network interfaces such that traffic can pass both ways.

    The ethernet interface is the primary interface used in my Server set up, and is plugged into my Time Capsule, and serves out both DHCP and DNS for any clients connected wirelessly or through one of the time capsule's remaining ethernet ports (behind and not exposed to the WAN). The firewire interface is just connected to a mac mini in hopes of having a low latency network connection that I plan to use for some multiprocessing experiments. Things work almost correctly in that the fw0 client machine on subnet 192.168.2.* can talk to all the clients on the 192.168.1.* en0 subnet and vice versa. However, DNS is not successfully being served to the fw0 client. Furthermore, things like "ping" are not traversing the network en0/fw0 successfully, suggesting that the interfaces are not correctly bridged.

    I took a look at the Gateway Configuration Assistant, but that feature appears to make too many bad assumptions, does much in the way of user controls, and clobbers already established parameters that I had set up. I tried it once, and it made a royal mess of various settings. It just seems that if this is a 1-click step in OS X, it shouldn't be so hard to do in Snow Leopard Server. Even under Linux it's just a matter of an ifconfig command with bridge related command line options to achieve this.

    Can anyone suggest what I might be missing or perhaps point me to the script that is behind the Gateway Configuration Assistant? Maybe I could parse that script to suss out the missing step that I need to take. Thanks.
  2. jw2002 thread starter macrumors 6502

    Feb 23, 2008
    Okay, found one small improvement. The following extremely obscure and undocumented setting at least allows pings to traverse the network interfaces in both directions. This was issued on the Snow Leopard Server box:

    sudo sysctl -w net.inet.ip.scopedroute=0
    Prior to the above command, I would get the following ping fails (from a host located at

    % ping
    PING ( 56 data bytes
    Request timeout for icmp_seq 0
    Request timeout for icmp_seq 1
    Request timeout for icmp_seq 2
    And after issuing the above command, the pings work:

    % ping
    PING ( 56 data bytes
    64 bytes from icmp_seq=0 ttl=64 time=441.023 ms
    64 bytes from icmp_seq=1 ttl=64 time=302.703 ms
    64 bytes from icmp_seq=2 ttl=64 time=1.997 ms
    And here is a successful traceroute command that will shed light on how the machines are arranged:

    % traceroute
    traceroute to (, 64 hops max, 52 byte packets
     1 (  1.090 ms  0.180 ms  0.158 ms
     2 (  376.223 ms  1.020 ms  0.839 ms
    However, DNS queries still aren't working on the 192.168.2.* side. The Snow Leopard Server has its DNS server configured and all clients on the 192.168.1.* side refer to it at and have no problem resolving local or external hosts. However, on the 192.168.2 side, it's not working. I have explicitly tried setting their DNS server values to and to (the IP address of the SL server's fw interface), but no dice.
  3. Alrescha macrumors 68020

    Jan 1, 2008
    For what it's worth, the DNS service configuration in Snow Leopard Server does come with an access list of what networks to accept recursive queries from - might be worth a peek.

  4. jw2002 thread starter macrumors 6502

    Feb 23, 2008
    Thanks, but I don't think that's it because "localnets" are already allowed by default when DNS is first configured. In addition, adding the netblock there explicitly had no effect.

    I am starting to think that this might be a NAT/Firewall interaction issue. There is a cryptic message in the networking documentation stating that Snow Leopard NAT works only when the firewall is active. I don't have the firewall active because it is denying all traffic whenever active. I suspect that is due to the Gateway Configuration Manager hosing it up.
  5. landrew4 macrumors newbie

    Jan 24, 2008
    The firewall is definitely required to use the NAT service on Snow Leopard server. It is the divert rule in the firewall configuration that diverts any packet on the external interface to the natd port (8668) so the NAT engine can work.
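    A small diagnostic script, added here as an example and not taken from this thread or from Apple: it checks the two prerequisites that emerge in posts 2 and 5, net.inet.ip.scopedroute set to 0 and an ipfw divert rule that sends the external interface's traffic to natd on port 8668. It parses sample output from sysctl and "ipfw list" that is constructed below; the exact wording of the ipfw rule and the interface name en0 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Apple). Given the text of
# `sysctl net.inet.ip.scopedroute` and `sudo ipfw list`, report whether the
# two gateway prerequisites discussed above are in place.

# Return 0 if scoped routing is off, i.e. the line reads
# "net.inet.ip.scopedroute: 0" (the setting jw2002 found), else 1.
scopedroute_disabled() {
    printf '%s\n' "$1" | grep -Eq '^net\.inet\.ip\.scopedroute: *0$'
}

# Return 0 if the ipfw listing ($1) has a divert rule handing traffic on
# interface $2 to natd's port 8668 (rule wording is an assumption).
has_natd_divert() {
    printf '%s\n' "$1" | grep -Eq "^[0-9]+ +divert 8668 ip from any to any via $2\$"
}

# Constructed sample output from a box where both prerequisites are met.
SAMPLE_SYSCTL='net.inet.ip.scopedroute: 0'
SAMPLE_IPFW='00010 divert 8668 ip from any to any via en0
00020 allow ip from any to any via lo0
65535 deny ip from any to any'

# Constructed sample from a box where only the default deny rule is left.
BROKEN_IPFW='65535 deny ip from any to any'

# Print one line per check; return non-zero if anything is missing.
check_gateway() {
    sysctl_out=$1; ipfw_out=$2; ext_if=$3
    status=0
    if scopedroute_disabled "$sysctl_out"; then
        echo "ok: net.inet.ip.scopedroute=0"
    else
        echo "missing: run 'sudo sysctl -w net.inet.ip.scopedroute=0'"; status=1
    fi
    if has_natd_divert "$ipfw_out" "$ext_if"; then
        echo "ok: divert rule to natd (port 8668) on $ext_if"
    else
        echo "missing: no 'divert 8668 ... via $ext_if' rule; NAT needs the firewall"; status=1
    fi
    return $status
}

# Run against the constructed samples; on a real server use
# check_gateway "$(sysctl net.inet.ip.scopedroute)" "$(sudo ipfw list)" en0
check_gateway "$SAMPLE_SYSCTL" "$SAMPLE_IPFW" en0
```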
  6. TheBee macrumors newbie

    Sep 7, 2010
    Yoicks. I found that over at as well, but it only works for about 15 minutes for me, and then the box stops routing. Have you found any more documentation about this?
  7. TheBee macrumors newbie

    Sep 7, 2010
    See that discussion: setting it in sysctl.conf and then running "applejack auto restart".
  8. blouis79 macrumors member

    Jun 7, 2005
    Posted Dec 4, 2011 (last edited Dec 4, 2011)
    Have got SLS running on laptop. (Learning purposes and home use.) Trying to share a hotel broadband connection over AirPort to iOS clients. After much hunting for a solution, it's finally working, though not as simple as setting up SL client.

    a. use airport to create a computer-to-computer network.
    b. set up SLS to be a gateway running DHCP, NAT, firewall.

    Mac_OSX_Server_v10.6_Getting_Started describes the process on page 37 without enough detail for a non-network expert to do the job.

    ServerAdmin>NAT>Overview>Gateway setup assistant doesn't quite set it all up correctly.

    Instructions on how to fix it are here "Unable to connect to the Internet after running NAT Gateway Setup Assistant".

    Airport icon shows only a computer-to-computer network, but SLS is taking care of the internet gateway function.

    BTW, if sharing with non-Apple devices (e.g. PS3), one has to enter a WEP key as hexadecimal, because different people have different WEP key algorithms. I use WEPKeymaker to generate the hex version, and one has to enter the HEX key on all machines including the machine doing the internet sharing.
