Article:   Squeezing NAT Out of Panther Server
Subject:   NAT on Panther Server with PPPoE
Date:   2003-12-02 16:30:35
From:   anonymous2

Hi,


Thanks for the article.


I have also been struggling with NAT and Firewall on Panther Server because my server uses PPPoE to connect to the Internet, and I want to set up an Airport network using the Airport card in the server.


What makes it more frustrating (as you point out) is that all of this (even the Airport network) can be done so simply in Panther Client (i.e. NAT with a PPPoE connection and also automatically setting up an Airport network on boot).


The problem I have found is that when setting up NAT with a PPPoE connection to the Internet, the NAT interface must be the ppp* interface, not the en* interface. Unfortunately, NAT on Panther Server doesn't give this option (or deduce this requirement).


It can be done, since BrickHouse did all of this (and more) simply in Jaguar Server. Unfortunately, it hasn't been updated for Panther. Even on Panther Client, I can use the command line (ps aux, and ipfw list) to get the config, but haven't been able to make that work on Panther Server.


Also, Panther Client when doing InternetSharing seems to put Airport into a different mode than Panther Server when doing a Computer-To-Computer Network. Panther Client puts an up-arrow in the Airport status and shows signal strength on the clients (as opposed to just the little computer).


If anyone has successfully got NAT working on Panther Server with a PPPoE connection to the Internet I would be very keen to hear from them, how they did it etc.


Many thanks in advance,
Ashley Aitken
aitkena@cbs.curtin.edu.au



  • NAT on Panther Server with PPPoE
    2003-12-14 06:50:10  anonymous2

    Apple has detailed instructions in Appendix B of the "Getting Started With Mac OS X Server 10.3" Guide to set up a small business Panther server on a DSL internet connection with NAT. It involves using the built-in ethernet and ethernet on a PCI card. (For detailed description on this configuration and step-by-step instructions see the Appendix).
    --Don't ask me for my config --it is exactly like the one described in Appendix B.

    Unfortunately, NAT doesn't work with Panther Server when you are connected to the internet via PPPoE.

    So, in my case where I have a DSL connection with a fixed address but picked up via PPPoE (I input the user id and password and my fixed address gets dynamically assigned to my computer) it was impossible to use NAT.
    i.e. any computers on the local 192.168 addresses cannot access the internet.

    After about 25 hours of trial and tribulation --and getting steered in the right direction by Dr. Ashley Aitken-- I have finally found the solution. It involves two small changes to Apple's instructions.

    As Ashley intuited, the divert command that the GUI creates diverts traffic to what Apple calls the External interface ("en0" if you are using the built-in Ethernet). The problem is that when PPPoE is active the External interface is really "ppp0".

    It is necessary to change this by editing the "natd.plist" file. And one must take care to NOT use the Server Admin to select an interface for NAT since this can change the setting back to "en0".

    Here is what to do:

    1) After installing the software and configuring the ports but before firing up the Server Admin (GUI) you need to edit the "natd.plist". You can use Terminal and Vi or Pico to do this but since I am mostly allergic to the Command Line interface I used BBEdit. You will need BBEdit 6.5 or higher to edit a hidden/invisible file.

    2) Using BBEdit, use Open Hidden from the File Menu and navigate to "Macintosh HD/etc/nat/natd.plist". Look for the text:
    "<key>interface</key>
    <string>en0</string>"

    Change "en0" to "ppp0" and save the file.

    3) If there is already a file in the "nat" folder called "natd.plist.default" you should open it too and make the same change.

    4) Now fire up Server Admin and make the step by step config changes to start FireWall, DNS, DHCP and NAT.

    NB. When you start NAT you will probably notice that the interface that it is sharing is the "en1" PCI Ethernet card which you are using for internal network 192.168.*.*
    This is counter intuitive to say the least because you really want to share the external interface.

    **Nevertheless, resist the urge to change this back. DON'T click that NAT interface pop-up!**

    Just turn on NAT and it should be working even though it says it is sharing the wrong interface and it will survive a restart as long as you don't play with the NAT interface Pop-up menu in the Server Admin.

    To check that the settings are correct you can go into the FireWall -> Overview and in Active Rules the first line should have:
    "divert 8668 ip from any to any via ppp0"

    ---
    What is going on?

    Here is what I think happens. When you fire up NAT for the first time the interface pop-up defaults to the last item on the list "en1".
    If you change this it will cause the file "natd.plist.apple" to set the interface to "en0" and your NAT will stop working.

    When NAT starts up I think it is reading the natd.plist.default (which you have modified to have "ppp0") then, if you have touched the GUI at all it will read a file called "natd.plist.apple" (which the GUI creates and modifies whenever you make changes in Server Admin) to create the file "natd.plist" which NAT uses when starting up.

    ---
    Troubleshooting

    If you do mess with the NAT interface in Server Admin and NAT stops working, you can probably get NAT to work again by making sure the files "natd.plist" and "natd.plist.default" use "ppp0" as per above. Then make a small change to FireWall general rules and save it --such as enabling or disabling the Finger Port 79.
    Saving can take a long time so wait for the gear to stop spinning and then Stop the FireWall and Restart it. NAT should be working again. (You may need to restart the computer).

    The exact sequence of events here is something I don't exactly understand so just don't ever touch that NAT interface pop-up menu.

    Good luck.

    Sincerely,

    Alex Narvey
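
The check described in the post above (the "interface" key in natd.plist and the "divert 8668" rule should both name ppp0), scripted as an added example that is not part of the original thread. The function names and the sample files are constructed for illustration, and the parser assumes the plist is stored as plain XML text.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Print the <string> value that follows <key>interface</key> in a natd plist.
plist_interface() {
    awk '
        /<key>interface<\/key>/ { found = 1; sub(/.*<key>interface<\/key>/, "") }
        found && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }' "$1"
}

# Print the interface named after "via" in the "divert 8668" rule of saved
# `ipfw list` output (with or without a leading rule number).
divert_interface() {
    awk '{
        is_divert = 0
        for (i = 1; i < NF; i++) {
            if ($i == "divert" && $(i + 1) == "8668") is_divert = 1
            if (is_divert && $i == "via") { print $(i + 1); exit }
        }
    }' "$1"
}

# check_nat EXPECTED_IF PLIST RULES: report each mismatch, return 1 on drift.
check_nat() {
    rc=0
    cfg=$(plist_interface "$2")
    rule=$(divert_interface "$3")
    [ "$cfg" = "$1" ] || { echo "plist interface is '$cfg', expected '$1'"; rc=1; }
    [ "$rule" = "$1" ] || { echo "divert rule is via '$rule', expected '$1'"; rc=1; }
    return $rc
}

# Constructed samples: a correct plist, a reverted one, and a rule listing.
demo=$(mktemp -d)
printf '<dict>\n\t<key>interface</key>\n\t<string>ppp0</string>\n</dict>\n' > "$demo/good.plist"
printf '<dict>\n\t<key>interface</key>\n\t<string>en0</string>\n</dict>\n' > "$demo/reverted.plist"
printf '00010 divert 8668 ip from any to any via ppp0\n65535 allow ip from any to any\n' > "$demo/rules.txt"

check_nat ppp0 "$demo/good.plist" "$demo/rules.txt" && echo "NAT bound to ppp0"
check_nat ppp0 "$demo/reverted.plist" "$demo/rules.txt" || echo "drift detected"
```

On a real server the second and third arguments would be /etc/nat/natd.plist and a file holding the output of `ipfw list`.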

    • NAT on Panther Server with PPPoE
      2005-10-12 03:39:18  MikeHKG

      hours of trial and tribulation: you're speaking from my heart!

      Thanks to you, dear Alex, I only "wasted" about 10 hours on this one until I found your solution. Thank you so much!

      Unbelievable that even the 10.4.2 server version still does not fix this PPPoE issue. Therefore, one sour apple goes to .... Apple for their ignorance to implement the most popular way to connect to the internet.

      By the way, after completing your instructions I still had to enable "TCP outgoing" port for "any", even though that port was already open for the local LAN users, to make it work.

      Thanks again & Best Wishes
      Mike Koessler, Hong Kong

    • NAT on Panther Server with PPPoE
      2004-01-14 09:32:39  anonymous2

      It is necessary to change this by editing the "natd.plist" file. Look into some ebooks And one must take care to NOT use the Server Admin to select an interface for NAT since this can change the setting back to "en0".

      • NAT on Panther Server with PPPoE
        2005-04-29 23:12:07  brandonarbini

        Fantastic! Thanks for your many hours of hard work and for posting it so I don't have to go through the same torture. I also wanted to add that this is the same/similar situation under Tiger server and this fix works there too!
        • NAT on Panther Server with PPPoE
          2007-03-10 18:13:19  kornnutt73

          This was a huge help for me and anyone needing to do something on osx server that Apple leaves out. Thanks for the help.

          FYI. There is a way to keep Server Admin from overwriting changes made to any config file via the CLI.

          After editing and saving the file run this command on the file.

          chflags uchg "filename"
          This locks the file from being edited by even the root user.

          To unlock the file run this
          chflags nouchg "filename"