Article:   Squeezing NAT Out of Panther Server
Subject:   NAT on Panther Server with PPPoE
Date:   2003-12-14 06:50:10
From:   anonymous2
Response to: NAT on Panther Server with PPPoE

Apple has detailed instructions in Appendix B of the "Getting Started With Mac OS X Server 10.3" Guide to set up a small business Panther server on a DSL internet connection with NAT. It involves using the built-in Ethernet and Ethernet on a PCI card. (For a detailed description of this configuration and step-by-step instructions, see the Appendix.)
--Don't ask me for my config --it is exactly like the one described in Appendix B.


Unfortunately, NAT doesn't work with Panther Server when you are connected to the internet via PPPoE.


So, in my case, where I have a DSL connection with a fixed address but picked up via PPPoE (I input the user id and password and my fixed address gets dynamically assigned to my computer), it was impossible to use NAT.
i.e. any computers on the local 192.168 addresses cannot access the internet.


After about 25 hours of trial and tribulation --and getting steered in the right direction by Dr. Ashley Aitken-- I have finally found the solution. It involves two small changes to Apple's instructions.


As Ashley intuited, the divert command that the GUI creates diverts traffic to what Apple calls the External interface ("en0" if you are using the built-in Ethernet). The problem is that when PPPoE is active the External interface is really "ppp0".


It is necessary to change this by editing the "natd.plist" file. And one must take care to NOT use the Server Admin to select an interface for NAT since this can change the setting back to "en0".


Here is what to do:


1) After installing the software and configuring the ports but before firing up the Server Admin (GUI) you need to edit the "natd.plist". You can use Terminal and Vi or Pico to do this but since I am mostly allergic to the Command Line interface I used BBEdit. You will need BBEdit 6.5 or higher to edit a hidden/invisible file.


2) Using BBEdit, use Open Hidden from the File Menu and navigate to "Macintosh HD/etc/nat/natd.plist". Look for the text:
"<key>interface</key>
<string>en0</string>"


Change "en0" to "ppp0" and save the file.


3) If there is already a file in the "nat" folder called "natd.plist.default" you should open it too and make the same change.


4) Now fire up Server Admin and make the step by step config changes to start FireWall, DNS, DHCP and NAT.


NB. When you start NAT you will probably notice that the interface that it is sharing is the "en1" PCI Ethernet card, which you are using for the internal network 192.168.*.*
This is counterintuitive to say the least, because you really want to share the external interface.


**Nevertheless, resist the urge to change this back. DON'T click that NAT interface pop-up!**


Just turn on NAT and it should be working even though it says it is sharing the wrong interface and it will survive a restart as long as you don't play with the NAT interface Pop-up menu in the Server Admin.


To check that the settings are correct you can go into the FireWall -> Overview and in Active Rules the first line should have:
"divert 8668 ip from any to any via ppp0"


---
What is going on?


Here is what I think happens. When you fire up NAT for the first time the interface pop-up defaults to the last item on the list "en1".
If you change this it will cause the file "natd.plist.apple" to set the interface to "en0" and your NAT will stop working.


When NAT starts up I think it is reading the natd.plist.default (which you have modified to have "ppp0") then, if you have touched the GUI at all it will read a file called "natd.plist.apple" (which the GUI creates and modifies whenever you make changes in Server Admin) to create the file "natd.plist" which NAT uses when starting up.


---
Troubleshooting


If you do mess with the NAT interface in Server Admin and NAT stops working, you can probably get NAT to work again by making sure the files "natd.plist" and "natd.plist.default" use "ppp0" as per above. Then make a small change to FireWall general rules and save it --such as enabling or disabling the Finger Port 79.
Saving can take a long time so wait for the gear to stop spinning and then Stop the FireWall and Restart it. NAT should be working again. (You may need to restart the computer).

The exact sequence of events here is something I don't exactly understand so just don't ever touch that NAT interface pop-up menu.


Good luck.


Sincerely,


Alex Narvey
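
The check described in the post (the edited plist files plus the "divert 8668 ... via ppp0" firewall rule) can be scripted. This is an added example, not part of the original post or Apple's tooling; the function names and the sample files are constructed, and the rule listing is assumed to be saved from the firewall's active rules (for example, the output of `ipfw list`).

```shell
#!/bin/sh
# Added example (not from the post). Sample files below are constructed.

# Print the <string> value that follows <key>interface</key> in a natd plist.
natd_interface() {
    awk '/<key>interface<\/key>/ { want = 1 }
         want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
                              print; exit }' "$1"
}

# Succeed if the rule listing on stdin has the natd divert rule bound to $1.
divert_via() {
    grep -Eq "divert 8668 ip from any to any via $1\$"
}

# audit_nat IFACE RULES_FILE PLIST...: report every place that disagrees.
audit_nat() {
    expected=$1 rules=$2 status=0
    shift 2
    for plist in "$@"; do
        [ -f "$plist" ] || continue      # natd.plist.default may be absent
        found=$(natd_interface "$plist")
        if [ "$found" != "$expected" ]; then
            echo "MISMATCH $plist: interface=$found, want $expected"
            status=1
        fi
    done
    if ! divert_via "$expected" < "$rules"; then
        echo "MISMATCH $rules: no divert 8668 rule via $expected"
        status=1
    fi
    return "$status"
}

# Constructed sample: make_sample DIR PLIST_IF DEFAULT_IF RULE_IF
make_sample() {
    printf '<dict>\n<key>interface</key>\n<string>%s</string>\n</dict>\n' \
        "$2" > "$1/natd.plist"
    printf '<dict>\n<key>interface</key>\n<string>%s</string>\n</dict>\n' \
        "$3" > "$1/natd.plist.default"
    printf '00010 divert 8668 ip from any to any via %s\n' "$4" > "$1/rules.txt"
}

# Demo: natd.plist was edited (step 2) but natd.plist.default was not (step 3).
demo=$(mktemp -d)
make_sample "$demo" ppp0 en0 ppp0
audit_nat ppp0 "$demo/rules.txt" "$demo/natd.plist" "$demo/natd.plist.default" || true
```

On the server itself the call would be `audit_nat ppp0 rules.txt /etc/nat/natd.plist /etc/nat/natd.plist.default`, run after any change made in Server Admin.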



  • NAT on Panther Server with PPPoE
    2005-10-12 03:39:18  MikeHKG

    Hours of trial and tribulation: you're speaking from my heart!

    Thanks to you, dear Alex, I only "wasted" about 10 hours on this one until I found your solution. Thank you so much!

    Unbelievable that even the 10.4.2 server version
    still does not fix this PPPoE issue. Therefore, one sour apple goes to .... Apple for their ignorance to implement the most popular way to connect to the internet.

    By the way, after completing your instructions I still had to enable "TCP outgoing" port for "any", even though that port was already open for the local LAN users, to make it work.

    Thanks again & Best Wishes
    Mike Koessler, Hong Kong

  • NAT on Panther Server with PPPoE
    2004-01-14 09:32:39  anonymous2

    It is necessary to change this by editing the "natd.plist" file. Look into some ebooks. And one must take care to NOT use the Server Admin to select an interface for NAT since this can change the setting back to "en0".

    • NAT on Panther Server with PPPoE
      2005-04-29 23:12:07  brandonarbini

      Fantastic! Thanks for your many hours of hard work and for posting it so I don't have to go through the same torture. I also wanted to add that this is the same/similar situation under Tiger server and this fix works there too!
      • NAT on Panther Server with PPPoE
        2007-03-10 18:13:19  kornnutt73

        This was a huge help for me and anyone needing to do something on OS X Server that Apple leaves out. Thanks for the help.

        FYI. There is a way to keep Server Admin from overwriting changes made to any config file via the CLI.

        After editing and saving the file, run this command on the file.

        chflags uchg "filename"
        This locks the file from being edited by even the root user.

        To unlock the file, run this
        chflags nouchg "filename"