Using Server 5.0.15 to share internet WITHOUT internet sharing

dnsinternet-sharingNetworkosx-serverrouter

I am running a mid 2010 MacMini as a server. OS X 10.11.3 and Server 5.0.15. I am connecting to the internet on the built in Ethernet (Ethernet) and have a USB to GigaBit Ethernet adapter (Ethernet 2) going to a wireless AP (WAP).

I have DHCP and DNS services configured and enabled. If I turn ICS on in the sharing control panel it ignores the DHCP service from the server, yet allows me to connect to the internet from my clients. This also breaks the local DNS unless I start changing IPs and such. If I turn it off, I get control over the DHCP server, but nothing connects to the internet.

How can I use BOTH? Or at least configure the settings on the server correctly to "bridge" the Ethernet and Ethernet 2 adapters to allow internet access to my clients?

I am looking for a NAT function someplace that is NOT the Internet Connection Sharing on the Sharing Control Panel.

Built in Ethernet config:

IP: DHCP from Cable Modem
Subnet Mask: 255.255.255.0 – DHCP from Cable Modem
DNS: 127.0.0.1 to use the Servers own DNS Service
Search Domain: My FQDN of the server.
Router: DHCP from Cable Modem

USB to GigaBit Adapter Config:

IP: 192.168.3.1
Subnet Mask: 255.255.255.0
DNS: 127.0.0.1
Search Domain: My FQDN of the server.
Router: Address acquired from DHCP for the Built in Ethernet

DHCP:

Name: Home
IP Pool: 192.168.3.2 – 192.168.3.253
Lease: 1 Hour
Interface: USB to GigaBit Adapter
Router: 192.168.3.1 – Must be on the same network as the IP Pool and Interface.
Note: 16+ IP Reservations for devices in the house.

WAP:

IP: 192.168.3.254

DNS:

Permissions: All Networks
Client Lookup: All Clients
Forwarding Servers: 8.8.8.8, 8.8.4.4

Not sure what other information to put in here, it is late and I am tired…

Ask me some questions and let me know if you have any insight into the new 5.0.15 server.app

Best Answer

The newest OS X Server versions don't provide any tools to enable NAT/Routing in OS X.

To get NAT working without using Internet Sharing you have to use a pf rule and create a plist to enable forwarding and load the pf rule:

Below I assume en0: the interface connected to the cable modem and en1: the interface connected to the LAN. DHCP and DNS are set up properly in the internal LAN.

Create a pf NAT rule:

Create a file named nat-rules in /private/etc/ with the following content
```
nat on en0 from en1 to any -> (en0)
```

Create a shell script named nat-pf.sh enabling forwarding and loading the pf rule. I saved it in /usr/local/:

#!/bin/sh

sysctl -w net.inet.ip.forwarding=1
sysctl -w net.inet.ip.fw.enable=1

#disables pfctl
pfctl -d

sleep 1

#flushes all pfctl rules
pfctl -F all

sleep 1

#starts pfctl and loads the rules from the nat-rules file
pfctl -f /private/etc/nat-rules -e

Create a plist named org.user.natpf.plist with the following content and save it in /Library/LaunchDaemons/ to execute the above shell script at start-up:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>
    <false/>
    <key>KeepAlive</key>
    <dict>
        <key>SuccessfulExit</key>
        <false/>
    </dict>
    <key>Label</key>
    <string>org.user.natpf</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/nat-pf.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StandardErrorPath</key>
    <string>/tmp/org.user.natpf.stderr</string>
    <key>StandardOutPath</key>
    <string>/tmp/org.user.natpf.stdout</string>
</dict>
</plist>

All three files need a trailing empty line so don't simply copy the above code/lines.

Modify ownership and file modes:

sudo chown root:wheel /private/etc/nat-rules
sudo chown root:wheel /usr/local/nat-pf.sh
sudo chmod 755 /usr/local/nat-pf.sh
sudo chown root:wheel /Library/LaunchDaemons/org.user.natpf.plist

Load the launch daemon:

sudo launchctl load /Library/LaunchDaemons/org.user.natpf.plist

After testing everything you can delete the following part in the plist:

    <key>StandardErrorPath</key>
    <string>/tmp/org.user.natpf.stderr</string>
    <key>StandardOutPath</key>
    <string>/tmp/org.user.natpf.stdout</string>

org.user.natpf.stderr provides error messages to debug your plist.

On my local router I had to add a static route:

192.168.3.0/24 (the internal network) -> 192.168.0.2 (Mac mini IP-address of the external interface connected to the router)

This last step may not apply to your network environment!

Related Solutions

IPhone – Internet Sharing: Using the MacBook Pro as a Wifi Modem with its Ethernet Connection for the iPhone, connectivity issues

I use my MacBook Pro to share internet to my iPhone and my friends' iPod Touch.

Make sure that you're using WPA2 to secure your network, not WEP- I have had issues connecting my iPhone to WEP networks, and they're not only less secure but the password is more annoying to type anyway.

Other than that, your IP schemes are also not compatible. You need to set the devices to have the same IP scheme; if your WiFi is set to a 192.168.1.1 address, your iPhone needs to be 192.168.1.2-255. Setting both to DHCP would help a lot here.

For my setup, I just left everything as DHCP and don't have any issues.

MacOS – Internet Sharing handing out wrong DNS server address

The article you reference was indeed correct for when it was published and that's how it works prior to Mavericks. Under Mountain Lion 'named' get's launched when Internet Sharing is active with /etc/com.apple.named.proxy.conf as the config file. This is all observable under Mountain Lion - I verified it.

However, domain name resolution isn't just based on DNS under OS X like it is in other OSen, but instead it's based on Directory Services -- which permits DNS lookups from flat-files, NIS, NetInfo, LDAP, ZeroConfig/Bonjour ... and DNS -- and it's mDNSResponder that's used for resolution of these name turns. (As per its man page mDNSResponder is also the system-wide Unicast DNS Resolver. It's what is (or should) doing the DNS resolution for your Internet Shared clients under Mavericks. (It was odd that they fired up named under Mt Lion rather than using mDNSResponder back then.)

When Internet Sharing is activated either named (pre-Mavericks) or mDNSResponder (Mavericks) is the "DNS server" that should perform name resolution for Internet Sharing, and that correctly makes 192.168.2.1 the DNS server for the NAPT'ed clients of Internet Sharing. So the straight and simple answer to your questions is that it's not handing out the "wrong DNS server address".

This demonstrable worked for me setting up Internet Sharing to share out my WiFi connection via Ethernet. Clients served by Internet Sharing sent DNS requests to 192.168.2.1 were observed to receive there queries correctly from a browser and when issuing dig @192.168.2.1 apple.com; I observed this in action with tcpdump to verify. Everything "just works" as you'd expect.

I note that in this configuration from the hosting Mac I'm also able to telnet 192.168.2.1 53 and connect to mDNSResponder. I also note that I have the Service Order for the configured networks set with WiFi having precedence over the Ethernet.

However when running this in reverse, sharing the Ethernet connection via WiFi I initially experienced the same issue you were seeing. Namely I saw the UDP DNS request sent over but no response back, just like you observed. Ping passed through to 8.8.8.8 and resolving against 8.8.8.8 using dig worked fine too. I was all prepared to write this up as a bug but I later had the opportunity to restart my MacBook Pro and tried this again, also assuring this time I had Ethernet having precedence over WiFi in the Network preference pane Service Order. This time it "just worked" and I wasn't able to recreate the issue. Problem solved by reboot and checking service order.

Additionally I verified that I could:

Issue a dig @192.168.2.1 apple.com from a client (assigned 192.168.2.3) of Internet Sharing and receive a successful response. I also observed the UDP query and response using tcpdump:

01:01:05.620240 IP 192.168.2.3.58817 > 192.168.2.1.domain: 34923+ A? apple.com. (27) 01:01:06.051566 IP 192.168.2.1.domain > 192.168.2.3.58817: 34923 3/0/0 A 17.149.160.49, A 17.172.224.47, A 17.178.96.59 (75)

From the hosting Mac was able to telnet 192.168.2.1 53 and receive a connection.

Internet Sharing has always been a bit fragile. I've often seen weird behavior and have found it's best to restart before attempting to run Internet Sharing or at least to "Make [the] Service Inactive" in Network Preferences for the interfaces in question and then set them active again. (Be sure also to "Apply" when making such changes".) Additionally the Service Order (which controls the default gateways) can also have an impact (as would be expected.) You may also wish to make sure you're using the Apple supplied Location "Automatic" (or a reasonable facsimile). Remember when debuging also that each network interface can have it's own gateway and prefered DNS server to use since after around Leopard or so.

So I'd suggest three things: (1) a reboot and confirm your network service order precedence and/or (2) a clean install of Mavericks to see if this resolves your issues, as well as (3) verify you can get Internet Sharing working where Ethernet is shared out over WiFi and vise versa. If you can't make (3) work then you need to look at something specifically configured wrong on your Mac and again that suggests a clean install.

If you can get it working for Ethernet -> WiFi and WiFi -> Ethernet, this suggests something with the USB Dongle -- and perhaps adjusting the Service Order so it's a higher precedence may be required.

Make sure also you don't have any Firewall rules or are running Little Snitch or anything that may interfere.

Internet Sharing appears also to have some debugging options if you issue

$ /usr/libexec/InternetSharing --help

These, and it's log file, along with the log file for mDNSResponder, might also be useful if you're still having issues.

But as the answer to the question: It's not handing out the wrong DNS server address in DHCP as 192.168.2.1 is the "right" DNS server for Internet Sharing to be handing out based on how it's designed to operate. And mDNSResponder is what should be handling DNS on the host running Internet Sharing under Mavericks. No `named is needed.

Best Answer

Related Solutions

IPhone – Internet Sharing: Using the MacBook Pro as a Wifi Modem with its Ethernet Connection for the iPhone, connectivity issues

MacOS – Internet Sharing handing out wrong DNS server address

Related Question