I would like to port forward from my macOS Sierra computer with IP address of 152.1.2.3 to my NAS which is 192.168.2.3. Specifically I would like to access the HTTP web server on my NAS at 192.168.2.3/Photos. The NAS has all traffic that comes in over HTTP directed to the correct folder (Photos).
I have Internet Sharing turned on and share the Ethernet connection of my macOS computer (152.1.2.3 on Ethernet 2) to my NAS (192.168.2.3 on Ethernet 1).
My NAS can see the internet and get updates.
I can access the webserver locally from my computer by entering 192.168.2.3 and it directs me to the webserver page at 192.168.2.3/Photos.
I just cannot access it from outside the local network.
The easy solution is to connect the NAS directly to the network but I cannot because of local policies.
In summary:
I would like to type in the following and be redirected to the web server on the NAS –> 152.1.2.3:9999
Would the terminal command be:
rdr pass on en2 inet proto tcp from any to any port 9999 -> 192.168.2.3 port 80
Best Answer
Internet Sharing in macOS is (internally) done by creating a bridge device containing two or more interfaces, activating a DHCP server, setting up various pf rules and enabling pf.
To print all rules the following shell script has to be executed:
pfdump.sh:
By default pf is disabled with the following pf dump:
After activating Internet Sharing pf is enabled and a dump looks like this:
Here en1 is the external interface (the one sharing to your internal network) and 192.168.2.0/24 the internal network provided by the DHCP server. Both could differ in your environment.
To expose an internal server to the public with Internet Sharing enabled, you have to forward a port of the external interface to the IP and the service port of the server:
Create rdr rule on the router (your Mac Pro) by entering in Terminal.app:
and the content:
assuming en1 is the external interface, 152.1.2.3:9999 its IP:port and 192.168.2.3:80 the IP:port of the internal server. To get the device identifier (and IP) of your external interface enter
ifconfig
on your Mac Pro. Then create a launch daemon:
with the content:
Launch the daemon with:
This will add a second rdr rule in the com.apple anchor to pf and forward the external port to the internal host.
Since DHCP assigns IP addresses dynamically it's also useful to define a fixed IP for the internal server:
Create a file bootptab on the router (your Mac Pro):
with the content:
Replace the MAC addresses (hwaddr) and the hardware types (hwtype) by the proper ones found in your environment here. You can get the MAC addresses by entering
ifconfig
on the respective host. Reboot your router (Mac Pro) afterwards.
Security implications:
By using your Mac Pro as a router it is exposed to the Internet and vulnerable as such. pf, as it runs after enabling Internet Sharing, has absolutely no blocking rule. You have to add a whole bunch of additional rules to make it more secure (and working).
The IP you have published belongs to 152.1.0.0/16 - an IP block assigned to the North Carolina State University (NCSU). Your university may have applied security measures in this network which will prevent access from other networks (or the "whole" Internet).
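To make the rdr rule and the missing filter rules concrete, here is an added example (not part of the answer above and not Apple's own files) that generates the forward rule together with a minimal default-deny filter set for the external interface, loads it into an anchor and lists what pf accepted. The anchor name com.apple/nasfwd, the file /etc/pf.anchors/nasfwd, the function names and the --apply flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build and load a pf anchor that forwards EXT_IF:EXT_PORT to
# INT_IP:INT_PORT and blocks everything else arriving on EXT_IF.
set -eu

# gen_rules EXT_IF EXT_PORT INT_IP INT_PORT  -> prints the pf rules on stdout
gen_rules() {
    ext_if=$1; ext_port=$2; int_ip=$3; int_port=$4
    # Reject a non-private target or a non-numeric port before anything is
    # loaded, so a typo such as 198.168.x.x does not forward to a stranger.
    case $int_ip in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) echo "gen_rules: $int_ip is not an RFC 1918 address" >&2; return 1 ;;
    esac
    case "$ext_port$int_port" in
        ''|*[!0-9]*) echo "gen_rules: ports must be numeric" >&2; return 1 ;;
    esac
    cat <<EOF
# Translation: external $ext_if:$ext_port -> internal $int_ip:$int_port
rdr pass on $ext_if inet proto tcp from any to any port $ext_port -> $int_ip port $int_port
# Filtering: default deny inbound on the external interface, allow our own
# outbound traffic and its replies, and allow only the forwarded service
# (the destination is already rewritten by rdr when the filter sees it).
# Remote management of the router itself (e.g. SSH) needs its own pass rule.
block in on $ext_if
pass out on $ext_if inet keep state
pass in on $ext_if inet proto tcp from any to $int_ip port $int_port flags S/SA keep state
EOF
}

# load_rules EXT_IF EXT_PORT INT_IP INT_PORT  -> writes, loads and lists the anchor
load_rules() {
    anchor=com.apple/nasfwd        # assumed: a sub-anchor of Apple's "com.apple/*" anchors
    file=/etc/pf.anchors/nasfwd    # assumed path for the rule file
    gen_rules "$@" > "$file"
    pfctl -a "$anchor" -f "$file"  # load rdr + filter rules into the anchor
    pfctl -e 2>/dev/null || true   # enable pf if Internet Sharing has not already
    pfctl -a "$anchor" -s nat      # verify: the rdr rule should be listed
    pfctl -a "$anchor" -s rules    # verify: the three filter rules should be listed
}

# Touch the live firewall only when explicitly asked, as root, on a host with pfctl.
if [ "${1:-}" = "--apply" ] && command -v pfctl >/dev/null 2>&1; then
    load_rules en1 9999 192.168.2.3 80
fi
```

Run it as `sudo sh nasfwd.sh --apply` on the router; without `--apply` it only defines the functions, so you can inspect the generated rules first with `gen_rules en1 9999 192.168.2.3 80`.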