Article: Squeezing NAT Out of Panther Server
Subject: DHCP/NAT/Firewall seem to be working, but ...
Date: 2005-05-31 07:42:40
From: mlerch
Hello,


I read your article and all posts by other users like me. I have also searched the web high and low for answers to my problem, but thus far only partial success. Perhaps someone here can shed some light on this for me.


My OS X 10.3.9 Server is directly connected to my Cox Highspeed Cable modem via the en0 Ethernet Interface (WAN)


My OS X 10.3.9 Server has a second Ethernet Interface, en1, that handles all the LAN stuff for my local network.


All that seems to be working and every machine can access the internet, some have static local IP numbers, and some have dynamically assigned local IP numbers. All is well.


BUT .. Yes.. here comes the but.


I have two computers on the local network, one is running an Apache Web Server on 192.168.0.15:10080, and one is running Windows ASP.NET, ColdFusion, and Flash Communication Server on 192.168.0.19:10081. Just for clarification, the OS X Server is running its Apache Webserver on Port 10082.


Since cable modem users only get one dynamically assigned WAN IP number from Cox Highspeed, I am trying to use port numbers to redirect outside and inside traffic on those specific ports on my WAN IP to the LAN Network computers.


When it comes to accessing those computers/services on those ports from the outside (not from a computer on the local network), I got that covered. So http://lan.ip.number.178:10080 is forwarded to the computer on the LAN that handles those requests. I am using a special IP alias directive in the /etc/nat/nat.plist file:


<key>redirect_port</key>
<array>
    <dict>
        <key>proto</key>
        <string>tcp</string>
        <key>targetIP</key>
        <string>192.168.0.15</string>
        <key>targetPortRange</key>
        <string>10080</string>
        <key>aliasIP</key>
        <string>wan.ip.number.178</string>
        <key>aliasPortRange</key>
        <string>10080</string>
    </dict>
... and the same for the other ports/IP sets in separate <dict> containers for TCP and UDP.


However, when I try accessing http://wan.ip.number.178:10080 from a computer on my LAN, I get a connection refused. Sure is strange that it would do what it's supposed to do from any computer outside my LAN, but when it comes to computers on the inside of my LAN I get a connection refused.


Sure, http://192.168.0.15:10080 works from any of the LAN computers, but that doesn't really do me any good. Why? Because let's say I assign a domain name to wan.ip.number.178, like office.domainname.com and then want to use office.domainname.com:10080 to access services on the computer on my LAN inside and outside of my network, it will only work from the outside, not from the inside.


Does any of you know of a way around that? I used to have a Linksys Router that did port forwarding like a charm, but I got rid of it when I got the OS X Server, only to find out that it's not all that easy on OS X Server with NAT/DHCP/Firewall.


I looked into the Firewall log and I can see that the traffic is accepted, but that's where it ends.


Can anyone give me any pointers here?


Thank you.
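As an added illustration (not part of the post above, and not Apple's or natd's own code), the script below parses the redirect_port array from a nat.plist fragment and classifies where a given connection would land. It assumes the usual OS X Server setup in which natd is bound to the WAN interface (en0 in the post), so only packets crossing that interface are rewritten: a LAN host connecting to the WAN alias address never gets translated and ends up at the server's own stack, which is the "hairpin" case that produces the connection refused described above. The WAN address 203.0.113.178, the client addresses and the LAN range 192.168.0.0/24 are constructed placeholders; probe_tcp is a plain connect check you can point at the real alias from a LAN host.

```python
"""Parse natd redirect_port rules and classify where a connection ends up.
Added example; assumes natd is bound to the WAN interface (see lead-in)."""
import plistlib
import socket
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of /etc/nat/nat.plist's redirect_port array.
# 203.0.113.178 is a documentation (TEST-NET-3) placeholder for the WAN IP.
SAMPLE_NAT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>redirect_port</key>
  <array>
    <dict>
      <key>proto</key><string>tcp</string>
      <key>targetIP</key><string>192.168.0.15</string>
      <key>targetPortRange</key><string>10080</string>
      <key>aliasIP</key><string>203.0.113.178</string>
      <key>aliasPortRange</key><string>10080</string>
    </dict>
    <dict>
      <key>proto</key><string>tcp</string>
      <key>targetIP</key><string>192.168.0.19</string>
      <key>targetPortRange</key><string>10081</string>
      <key>aliasIP</key><string>203.0.113.178</string>
      <key>aliasPortRange</key><string>10081</string>
    </dict>
  </array>
</dict>
</plist>
"""

LAN_CIDR = "192.168.0.0/24"  # constructed: the post's LAN range


def parse_port_range(text):
    """'10080' -> (10080, 10080); '10080-10085' -> (10080, 10085)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def load_redirects(plist_bytes):
    """Return the redirect_port entries as normalised dicts."""
    data = plistlib.loads(plist_bytes)
    rules = []
    for entry in data.get("redirect_port", []):
        rules.append({
            "proto": entry["proto"].lower(),
            "alias_ip": ip_address(entry["aliasIP"]),
            "alias_ports": parse_port_range(entry["aliasPortRange"]),
            "target_ip": ip_address(entry["targetIP"]),
            "target_ports": parse_port_range(entry["targetPortRange"]),
        })
    return rules


def match_rule(rules, proto, dst_ip, dst_port):
    """Find the rule whose alias IP/port range covers dst_ip:dst_port."""
    for rule in rules:
        lo, hi = rule["alias_ports"]
        if rule["proto"] == proto and rule["alias_ip"] == dst_ip and lo <= dst_port <= hi:
            # Port ranges map position-for-position onto the target range.
            return rule, rule["target_ports"][0] + (dst_port - lo)
    return None, None


def classify(rules, lan_cidr, src_ip, dst_ip, dst_port, proto="tcp"):
    """Describe the outcome of src_ip connecting to dst_ip:dst_port.
    Assumption: natd rewrites only traffic crossing the WAN interface, so a
    LAN source aiming at the WAN alias is never translated (hairpin case)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    rule, target_port = match_rule(rules, proto, dst, dst_port)
    if rule is None:
        return "no-redirect"
    if src in ip_network(lan_cidr):
        return "hairpin-untranslated"
    return f"forwarded-to-{rule['target_ip']}:{target_port}"


def probe_tcp(host, port, timeout=3.0):
    """Live check: 'open', 'refused' (RST, as in the post) or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    rules = load_redirects(SAMPLE_NAT_PLIST)
    for src in ("198.51.100.7", "192.168.0.22"):  # constructed outside/inside clients
        print(src, "->", classify(rules, LAN_CIDR, src, "203.0.113.178", 10080))
```

Run it from a LAN host with probe_tcp("<your WAN IP>", 10080) to confirm the refused result, then compare with probe_tcp("192.168.0.15", 10080), which the post already reports as working; the two results together pin the problem on translation at the NAT box rather than on the web server or the firewall rules.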