Mac – Routing traffic back and forth through a Mac mini server with 2 network interfaces

Tags: internet, internet-sharing, mac-mini, network, router

My office network looks like this:

[image: networking scheme]

In words:

  • the office network (wifi and wired) is the subnetwork 192.168.88.0.
  • I have some server machines on the subnetwork 192.168.2.0 (NODE_1, …, NODE_10).
  • I have a machine (a Mac mini) with 2 network interfaces that:
    • acts as the gateway for all machines in subnetwork 192.168.2.0,
    • exposes a VPN service (the default one of the macOS Server app),
    • and provides extra services, such as DNS.

The Mac mini configuration is my big problem. This is how it looks:

Ethernet interface en0

  • address: 192.168.88.10
  • netmask: 255.255.255.0
  • gateway: 192.168.88.1

Ethernet interface en2

  • address: 192.168.2.1
  • netmask: 255.255.255.0
  • gateway: 192.168.88.10

I need routing from machines in 192.168.88.0 to those in 192.168.2.0.

To do so I have activated the "Internet Sharing" feature of macOS: I actually do not know what happens under the hood, but the machines NODE_1 … NODE_10 reach the internet.

Then, when I'm connected to the office network (so that I get an IP such as 192.168.88.33), I add a routing rule such as:

 sudo route -n add 192.168.2.0/24 -gateway 192.168.88.10

So far so good: everything works fine!!!!!

The big problem is when I connect through the VPN.

VPN Connection

I connect successfully to the VPN exposed at: 192.168.88.10, then I add the routing rule.

 sudo route -n add 192.168.2.0/24 -gateway 192.168.88.10

I'm not able to reach the machines in subnet 192.168.2.0.

Sniffing the packets, I see that they follow these hops:

  1. -> 192.168.88.10
  2. -> 192.168.2.1
  3. -> 192.168.2.110
  4. <- 192.168.2.1
  5. <- 192.168.88.1

The return packet goes to the gateway 192.168.88.1 instead of 192.168.88.10. Looking into the Mac mini routing table I see:

192.168.88.202     192.168.88.10      UH              2       93    ppp1
192.168.88.202     40:6c:8f:3:d5:e7   UHLS2           0        0     en0

40:6c:8f:3:d5:e7 is the MAC address of 192.168.88.1.

I would like to change the routing without using Internet Sharing, in order to allow internet access for 192.168.2.0 and to cover both the VPN and the local scenario, but I don't know the steps I need to take or how to hand-write the rules.

Thanks a lot.

Best Answer

It should be possible to create a bridge with en0 and en2 and enable net.inet.ip.forwarding to get rid of all routing problems. The bridge acts more or less as another switch between en0 and en2.


  • Disable Internet Sharing
  • remove the gateway in the en2 settings of the Mac mini and change the IP address to an available one in 192.168.88.0/24 (e.g. 192.168.88.11)
  • remove all additional static routes
  • Check for bridge interfaces with ifconfig
  • On the server, create the file /usr/local/bin/bridge:

    sudo mkdir -p /usr/local/bin/ #only if the folder is missing
    sudo nano /usr/local/bin/bridge
    

    with the content

    #!/bin/bash
    set -e

    # let the kernel forward IP packets between its interfaces
    sysctl -w net.inet.ip.forwarding=1

    # create a new bridge; ifconfig prints the name it allocated
    # (bridge0 may already exist, so do not assume that number)
    BR=$(ifconfig bridge create)

    # add both physical interfaces as members (use the proper device names) and bring the bridge up
    ifconfig "$BR" addm en0 addm en2 up
    
  • enter sudo chmod +x /usr/local/bin/bridge
  • Create a launch daemon usr.bridge.plist:

    sudo nano /Library/LaunchDaemons/usr.bridge.plist
    

    with the content

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>usr.bridge</string>
        <key>ProgramArguments</key>
        <array>
            <string>/bin/sh</string>
            <string>-c</string>
            <string>/usr/local/bin/bridge</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>StandardErrorPath</key>
        <string>/tmp/usr.bridge.err</string>
        <key>StandardOutPath</key>
        <string>/tmp/usr.bridge.out</string>
    </dict>
    </plist>
    
  • Load the plist

    sudo launchctl load /Library/LaunchDaemons/usr.bridge.plist
    
  • Change the IP addresses of node_1 … node_10 to available ones in 192.168.88.0/24 (e.g. 192.168.88.101 … 192.168.88.110). Change their default gateway to 192.168.88.1 and their DNS server to 192.168.88.10.
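A set of post-setup checks for the procedure above, added here as an example and not part of the original answer. The functions parse the text output of `ifconfig bridgeN`, `sysctl net.inet.ip.forwarding` and `netstat -rn`, so they can be exercised against the constructed samples embedded below (not captured from a real machine; the bridge name bridge1, MAC addresses and interface indexes are assumptions) and, on the Mac mini and the clients, against the real output of the same commands:

```shell
#!/bin/bash
# Added example, not from the original answer: post-setup checks for the bridge.
# Every check takes command output as text, so it runs here against constructed
# samples and on the Mac mini against the real `ifconfig`/`sysctl`/`netstat` output.

# Members of the bridge from `ifconfig bridgeN` output, printed as "en0 en2".
bridge_members() {
    printf '%s\n' "$1" |
        awk '$1 == "member:" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Succeeds when the flags on the first line of `ifconfig bridgeN` include UP and RUNNING.
bridge_is_up() {
    printf '%s\n' "$1" | head -n 1 | grep -q '<[^>]*UP[^>]*RUNNING[^>]*>'
}

# Succeeds when `sysctl net.inet.ip.forwarding` reports 1.
forwarding_enabled() {
    [ "$(printf '%s\n' "$1" | awk -F': ' '$1 == "net.inet.ip.forwarding" { print $2 }')" = "1" ]
}

# Destinations in `netstat -rn` output whose gateway is $2; used to confirm that the
# old `route add 192.168.2.0/24 -gateway 192.168.88.10` entries were really removed.
routes_via() {
    printf '%s\n' "$1" | awk -v gw="$2" '$2 == gw { print $1 }'
}

# Runs every check, prints one PASS/FAIL line per check, returns non-zero if any failed.
run_checks() {
    local ifconfig_out="$1" sysctl_out="$2" netstat_out="$3" status=0 stale
    if [ "$(bridge_members "$ifconfig_out")" = "en0 en2" ]; then
        echo "PASS bridge members are en0 en2"
    else
        echo "FAIL bridge members: $(bridge_members "$ifconfig_out")"; status=1
    fi
    if bridge_is_up "$ifconfig_out"; then
        echo "PASS bridge is UP,RUNNING"
    else
        echo "FAIL bridge is not up"; status=1
    fi
    if forwarding_enabled "$sysctl_out"; then
        echo "PASS net.inet.ip.forwarding=1"
    else
        echo "FAIL net.inet.ip.forwarding is not 1"; status=1
    fi
    stale=$(routes_via "$netstat_out" 192.168.88.10)
    if [ -z "$stale" ]; then
        echo "PASS no static routes via 192.168.88.10 remain"
    else
        echo "FAIL stale routes via 192.168.88.10: $stale"; status=1
    fi
    return "$status"
}

# ---- constructed samples (assumed output; not captured from a real machine) ----

# `ifconfig bridge1` on the Mac mini after the launch daemon ran (assumes bridge0
# already existed, so the script was allocated bridge1).
SAMPLE_IFCONFIG='bridge1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 02:00:00:00:00:01
        Configuration:
                id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
                maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
                root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
                ipfilter disabled flags 0x2
        member: en0 flags=3<LEARNING,DISCOVER>
                ifmaxaddr 0 port 4 priority 0 path cost 0
        member: en2 flags=3<LEARNING,DISCOVER>
                ifmaxaddr 0 port 5 priority 0 path cost 0'

SAMPLE_SYSCTL='net.inet.ip.forwarding: 1'

# `netstat -rn` on a client that still carries the old static route ...
SAMPLE_NETSTAT_STALE='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.88.1       UGSc           en0
127.0.0.1          127.0.0.1          UH             lo0
192.168.2          192.168.88.10      UGSc           en0
192.168.88         link#4             UCS            en0      !'

# ... and on the same client after `route -n delete 192.168.2.0/24`.
SAMPLE_NETSTAT_CLEAN='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.88.1       UGSc           en0
127.0.0.1          127.0.0.1          UH             lo0
192.168.88         link#4             UCS            en0      !'

run_checks "$SAMPLE_IFCONFIG" "$SAMPLE_SYSCTL" "$SAMPLE_NETSTAT_CLEAN"
```

On the real machines, feed the functions live output, e.g. `run_checks "$(ifconfig bridge1)" "$(sysctl net.inet.ip.forwarding)" "$(netstat -rn)"` on the Mac mini, and `routes_via "$(netstat -rn)" 192.168.88.10` on every client where the `route -n add` line from the question was typed; a non-empty result means a stale route is still steering 192.168.2.0/24 at the old gateway address.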