NAT / DHCP / Firewall - Port Forwarding for LAN/WAN requests


I have searched the web high and low for answers to my problem, but thus far only partial success. Perhaps someone here can shed some light on this for me.

My OS X 10.3.9 Server is directly connected to my Cox Highspeed Cable modem via the en0 Ethernet Interface (WAN)

My OS X 10.3.9 Server has a second Ethernet Interface, en1, that handles all the LAN stuff for my local network.

All that seems to be working and every machine can access the internet, some have static local IP numbers, and some have dynamically assigned local IP numbers. All is well.

BUT .. Yes.. here comes the but.

I have two computers on the local network, one is running an Apache Web Server on, and one is running Windows ASP.NET, ColdFusion, and Flash Communication Server on port Just for clarification, the OS X Server is running its Apache Webserver on Port 10082.

Since cable modem users only get one dynamically assigned WAN IP number from Cox Highspeed, I am trying to use port numbers to redirect outside and inside traffic on those specific ports on my WAN IP to the LAN Network computers.

When it comes to accessing those computers/services on those ports from the outside (not from a computer on the local network), I got that covered. So http://lan.ip.number.178:10080 is forwarded to the computer on the LAN that handles those requests. I am using a special IP alias directive in the /etc/nat/nat.plist file:

... and the same for the other ports/IP sets for TCP and UDP separate <dict> containers.

However, when I try accessing http://wan.ip.number.178:10080 from a computer on my LAN, I get a connection refused. Sure is strange that it would do what it's supposed to do from any computer outside my LAN, but when it comes to computers on the inside of my LAN I get a connection refused.

Sure, works from any of the LAN computers, but that doesn't really do me any good. Why? Because let's say I assign a domain name to wan.ip.number.178, like and then want to use to access services on the computer on my LAN inside and outside of my network, it will only work from the outside, not from the inside.

Does anyone of you know of a way around that? I used to have a Linksys Router that did port forwarding like a charm, but I got rid of it when I got the OS X Server, only to find out that it's not all that easy on OS X Server with NAT/DHCP/Firewall.

I looked into the Firewall log and I can see that the traffic is accepted, but that's where it ends.

Can anyone give me any pointers here?

Thank you.

I'm sorry not to be of any help, but I was curious how you got routing working between the LAN and the internet with the XServe in-between. We've got our XServe between our LAN and another network with a BSD box running firewall services...we can't get the machines on our LAN to see the internet, although the XServe itself does. DHCP and DNS SEEM to be working properly. Any help? Thanks.

I just read your "reply" to my post. It seems to me that you are missing just one, maybe two things.

- OS X Server won't let you do DHCP and let the clients connected to the OS X Server get out to the internet if the OS X Server Firewall Service is not enabled. You need to have DHCP, NAT and Firewall services enabled in order for your clients to get out. But please refer to the OS X Server PDF manual regarding Networking. You will find a step-by-step setup there.
- If you want to provide access from outside your network to any computers behind your firewall you need to add the stuff as described in my original post to the config file. Otherwise it won't work. Of course that's only the case if your OS X Server is doing NAT.

I am sorry that I can't be of more help, but this topic is clearly explained in the OS X Server Networking Manual and there are 10 + threads on this topic in the Discussion Forums.

Please try to keep this post clean for the actual question at hand. Thank you very much in advance.

Bye for now.

I know a lot of time has passed since your post, so maybe you found a way to do it, but you might be able to have a workaround if you use two different DNS servers.

I use for the "public" requests, and my OS X server for my lan requests. This way, I can point the requests coming from my LAN to the private address, and the requests coming from the internet to the public IP address.

Of course, this would only work if your OS X server is not the DNS server for your domain out in the internet, but it's one way to make things work.
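The split-horizon workaround described in the post above, written out as an added example that is not from the thread or from OS X Server: LAN clients are answered with the private address of the host behind en1, everyone else with the public WAN address, so an inside client never has to connect to the WAN address that the NAT does not loop back. The LAN range, host names and addresses are constructed (RFC 1918 and RFC 5737 documentation ranges); nothing on the page shows the poster's real zone data. The consistency check is the one thing a practitioner would want on top: a name present in the public view but missing from the internal view sends LAN clients to the WAN address and reproduces exactly the "connection refused" from the original question.

```python
import ipaddress

# Constructed example data (not from the thread): the LAN behind en1,
# the view handed to the internet, and the view handed to LAN clients.
LAN = ipaddress.ip_network("192.168.1.0/24")

# What the "public" DNS server answers: the single WAN address on en0.
PUBLIC_VIEW = {
    "www.example.com": "203.0.113.178",
    "mail.example.com": "203.0.113.178",
}

# What the OS X Server's own DNS answers to LAN clients: the private
# address of the box that actually receives each forwarded port.
INTERNAL_VIEW = {
    "www.example.com": "192.168.1.20",
    "mail.example.com": "192.168.1.21",
}


def _canon(name):
    # DNS names are case-insensitive; strip a trailing dot from FQDNs.
    return name.lower().rstrip(".")


def resolve(name, client_ip, internal=INTERNAL_VIEW, public=PUBLIC_VIEW, lan=LAN):
    """Return the A record a split-horizon resolver would hand back.

    A client inside `lan` gets the private address and connects straight to
    the host on en1 instead of bouncing off the WAN address. Any other
    client gets the public address. Returns None for an unknown name.
    """
    name = _canon(name)
    client = ipaddress.ip_address(client_ip)
    if client in lan and name in internal:
        return internal[name]
    return public.get(name)


def check_views(internal=INTERNAL_VIEW, public=PUBLIC_VIEW, lan=LAN):
    """List problems that would send LAN clients to the wrong place.

    - a public name with no internal record: LAN clients fall through to
      the WAN address, which this NAT does not hairpin
    - an internal record outside the LAN: a typo that points inside
      clients at some unrelated network
    """
    problems = []
    for name in sorted(set(public) - set(internal)):
        problems.append(f"{name}: missing from internal view")
    for name, addr in sorted(internal.items()):
        if ipaddress.ip_address(addr) not in lan:
            problems.append(f"{name}: internal record {addr} is not inside {lan}")
    return problems


if __name__ == "__main__":
    print(resolve("www.example.com", "192.168.1.50"))   # LAN client -> private
    print(resolve("www.example.com", "198.51.100.7"))   # outside -> public
    print(check_views() or "views are consistent")
```

Whether the two views live on two servers, as the poster does it, or as two views in one resolver, the check is the same: every name the public view answers must also be answered by the internal view, or inside clients are back to hitting the WAN address.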

Ok, I'm having a problem making my server work with the forwarding itself... But, since in your case it's working, I would try to add a section for another port redirection, this new one would redirect from IP (that being the INTERNAL nic of your server) to the IP I'm pretty sure this would do it... And if it does, maybe you can help me get my server to do the redirection... :D

Marcelo Myara
Rio de Janeiro/Brazil