How to set up the Mac (OS X Yosemite) as an internet gateway

Tags: firewall, Network, osx-server, server.app

It should be possible, but I searched for a day and cannot get a decent HowTo. There seemed to be a Gateway Setup Assistant, but the Wikipedia link only goes to the server app now. Maybe it is easier than I think, but I cannot get it to work.

The setup should be:

Router <– USB ethernet –> MAC_GW <– ethernet –> switch <-> internal network

The MAC_GW is a Mac Mini (OS X Yosemite) with a USB ethernet adapter. Internet access is possible from the Mac Mini over this adapter. WiFi is disabled for now.

I installed the server.app and got the DHCP service running, so machines in the internal network get IP addresses assigned. Unfortunately, the server app doesn't show any settings for gateway, NAT, bridging, firewall. The help function is just as helpful as the Apple features website. 🙁

Now for the question:
What do I have to configure, so machines from the internal network get internet access?

Additionally: How can I set up a firewall to control outside access?

UPDATE:
As @Froggard hinted, Internet Sharing worked in giving access to the internal network. However, I have no control over the DHCP addresses given by the server, firewall, user access, etc. The server.app DHCP is turned off now, because it cannot be assigned to the internal network adapter.

Maybe someone can still give details on how to enable firewall or control the components involved?

Best Answer

OS X Yosemite doesn’t have support for the natd binary or ipfw anymore. Instead, pfctl is used.

I assume the following IP addresses/netmasks:

Router: 192.168.0.1/24
Mac mini gateway: en0: 192.168.0.2/24 (gateway 192.168.0.1), en1: 192.168.1.2/24
Internal network: 192.168.1.0/24

  1. First you have to enable forwarding on your Mac computer with the following command:

    sudo sysctl -w net.inet.ip.forwarding=1
    
  2. In order to do NAT you have to create a pfctl rule. Create a file called "nat-rules" with the following content:

    # en1:network matches the whole internal subnet, not only the gateway's own en1 address
    nat on en0 from en1:network to any -> (en0)
    
  3. Save the file and now start pfctl using the rule from the file we have created earlier:

    sudo pfctl -d #disables pfctl
    sudo pfctl -F all #flushes all pfctl rules
    sudo pfctl -f /Path/to/file/nat-rules -e #starts pfctl and loads the rules from the nat-rules file
    
  4. Now configure a static route on your router:

    192.168.1.0/24 (the internal network) -> 192.168.0.2 (Mac mini IP-address of the external interface connected to the router)

  5. Enable the DHCP-service on your Mac mini gateway:

    • Name: choose a name
    • Network Interface: en1
    • Starting IP address: 192.168.1.10
    • Ending IP address: 192.168.1.100
    • Subnet Netmask: 255.255.255.0
    • Router: 192.168.1.2
    • DNS: some DNS-server (e.g. 8.8.8.8)
  6. Now use pfctl to add rules or get a pfctl-GUI like IceFloor or Murus to configure your firewall. Both apps should also allow you to enable NAT (step 2/3)
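
A starting point for the firewall rules mentioned in step 6, as an added example that is not part of the original answer. It assumes the answer's interfaces (en0 toward the router, en1 toward the internal network) and that "controlling outside access" means dropping connections initiated from the router side; the function names and the output file path are hypothetical.

```shell
#!/bin/sh
# Added example: builds a pf ruleset for the gateway described in the answer.
# en0/en1 follow the answer's assumptions; function names are hypothetical.

# Print a ruleset: NAT for the internal network, default-deny for
# connections arriving on the external interface.
build_gateway_rules() {
    ext_if=$1
    int_if=$2
    cat <<EOF
ext_if = "$ext_if"
int_if = "$int_if"

set skip on lo0

# Translation rules must come before filter rules in pf.
nat on \$ext_if from \$int_if:network to any -> (\$ext_if)

# Drop unsolicited inbound traffic from the router side.
block in log on \$ext_if all
# Let the gateway and NATed clients open connections; replies match state.
pass out on \$ext_if all keep state
EOF
}

# Syntax-check the file with "pfctl -n" before loading it, so a typo
# is caught while the currently loaded rules are still in place.
load_gateway_rules() {
    rules_file=$1
    sudo pfctl -nf "$rules_file" || return 1
    sudo pfctl -f "$rules_file" -e
}

# Run as: sh gateway-pf.sh load /Path/to/file/gateway-rules
if [ "${1:-}" = "load" ]; then
    build_gateway_rules en0 en1 > "$2" && load_gateway_rules "$2"
fi
```

Traffic on en1 is left unfiltered here, so DHCP and client connections reach the gateway; add `pass in` rules on the external interface only for services that must be reachable from outside.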