Using NATD and IPFW to share a cable connectionw with 2 enet cards

whirk

Registered
Ok so I'm trying to setup natd and ipfw to share my cable modem connection which is a static ip.

A bit of background..i have a b&w g3 running osx with a built in ethernet and a pci ethernet card...the built in ethernet (en0) is connected to my cable modem. The pci card (en1) is connected to hub that the rest of the computers on my home network are connected to that I want to share my cable connection with.

I've read the posts on configuring natd and ipfw for a ppp connection and tried tweaking it to work with dual ethernet cards but haven't had luck.

I have my two ethernet cards configured correctly:
en0 is connected to my cable modem - static ip and netmask are set

en1 is my internal network connection and the gateway. Its ip is set to 192.168.0.1 and netmask is 255.255.255.0

IP Forwarding is enabled.

Heres the script I'm currently working with but is not working properly:

---

#!/bin/sh

natd -interface en0

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via en0
/sbin/ipfw add pass all from any to any

---

I can't figure out what else I need to add...I've read the man pages for ipfw and natd in depth and am somewhat lost.

I think I just need to add something that will enable my en1 port to pass traffic through to the en1 port...? Do I need to add a route for traffic on en1? I'm clueless as to what to do next but feel i'm really close to getting this working...
 

ChrisL

Registered
I used the exact script you posted above (with a DSL connection), and it worked immediately...

I'd make sure your interfaces are all up by pinging them from both machines (in both directions).
 

Lord Xoi

Registered
Originally posted by whirk
Ok so I'm trying to setup natd and ipfw to share my cable modem connection which is a static ip.

A bit of background..i have a b&w g3 running osx with a built in ethernet and a pci ethernet card...the built in ethernet (en0) is connected to my cable modem. The pci card (en1) is connected to hub that the rest of the computers on my home network are connected to that I want to share my cable connection with.

I've read the posts on configuring natd and ipfw for a ppp connection and tried tweaking it to work with dual ethernet cards but haven't had luck.

I have my two ethernet cards configured correctly:
en0 is connected to my cable modem - static ip and netmask are set

en1 is my internal network connection and the gateway. Its ip is set to 192.168.0.1 and netmask is 255.255.255.0

IP Forwarding is enabled.

Heres the script I'm currently working with but is not working properly:

---

#!/bin/sh

natd -interface en0

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via en0
/sbin/ipfw add pass all from any to any

---

I can't figure out what else I need to add...I've read the man pages for ipfw and natd in depth and am somewhat lost.

I think I just need to add something that will enable my en1 port to pass traffic through to the en1 port...? Do I need to add a route for traffic on en1? I'm clueless as to what to do next but feel i'm really close to getting this working...
It works perfectly for me, I have two network cards and a cable modem. You are my hero!
 

Lord Xoi

Registered


>It works perfectly for me, I have two network cards and >a cable modem. You are my hero!

Well it was working yesterday, and now I couldn't get it to work again today. Strange.
 

Tim Kelly

Registered
Originally posted by judge
i just discovered that is classic is running NAT will not work... curious eh?
I can confirm this - I had the setup working fine with the cable modem going to en1 and the hub going to en0, and the I launched Classic and it stopped working.

I haven't figured out how to get the shell script to execute as a root if I log on as an administrator that is not root. Any suggestions?

thanks in advance,
tim
 

judge

Registered
Here, try this link:

<a href="http://wopr.norad.org/articles/firewall/booting.html">Firewall Setup</a>
 

Tim Kelly

Registered
Originally posted by judge
Here, try this link:

<a href="http://wopr.norad.org/articles/firewall/booting.html">Firewall Setup</a>
I'm going to look into an easier way to creating a startup item. While by Unix standards the described procedure may be a small thing, the Mac way has to have a simpler way to do these things or OS X will not sell a half million copies in its lifetime, much less in a year.

While continuing to try to find an easy way, I realized that an earlier attempt had a syntax error. To have the natd script setup at boot:

1) login as root
2) create the previously described script (See whirk's and others post) and save it somewhere (this can be done with BBEdit or TextEdit) such as /System/Library/StartupItems/Network/rc.natd
3) go to the Terminal and navigate to file and type "chmod ugo+rx rc.natd" (I'm looking into seeing if this can be done through the Sharing panel in Inspector, I sure hope this can be done in the UI all the way)
4) in the UI (or Terminal) edit the file /System/Library/StartupItems/Network/Network (TextEdit will handle it)
5) before the last "fi" add the line "/System/Library/StartupItems/Network/rc.natd" (assuming that's where you've put the file and how you named it).

Restart the system. If the script worked before it should still work and now be automatically executed when the system boots.

And yes, I'm looking into some automatic execution simply by having the file in the StartupItems folder without going through the plist method.
 

Tim Kelly

Registered
OK, after some careful examination it appears the problem lies in Classic's Open Transport.

I used tcpdump to listen to the two ethernet cards and watched traffic before and after launching Classic. Before launching Classic everything works fine and I won't bore you with the details (as expected, NAT is using a simple port mapping to track the network requests).

It gets interesting after launching Classic:
On the network side:
12:16:56.503696 arp who-has 192.168.0.1 (Broadcast) tell 192.168.0.10
12:16:56.503766 arp reply 192.168.0.1 is-at 0:30:65:9b:12:c2
12:16:56.504910 192.168.0.10.49152 > px1cl.gv.wave.shaw.ca.53: 72+ (36) (DF)

On the cable modem side:
12:16:56.505216 xx.xx.xx.xx.bc.wave.home.com.49152 > px1cl.gv.wave.shaw.ca.53: 72+ (36) (DF)
12:16:56.549866 px1cl.gv.wave.shaw.ca.53 > xx.xx.xx.xx.bc.wave.home.com.49152: 72 2/2/2 (165)
12:16:56.550691 xx.xx.xx.xx.bc.wave.home.com > px1cl.gv.wave.shaw.ca: icmp: xx.xx.xx.xx.bc.wave.home.com udp port 49152 unreachable (DF)
12:16:56.832859 xx.xx.xx.xx.bc.wave.home.com.1035 > px1cl.gv.wave.shaw.ca.53: 25488+ (42)
12:16:56.861608 px1cl.gv.wave.shaw.ca.53 > xx.xx.xx.xx.bc.wave.home.com.1035: 25488 NXDomain 0/1/0 (124)

(Please excuse me if I don't post me ip address, it is a Unix box after all.)

Something on the OS X box decides that the port just used is unreachable. I'm not sure what the 1035 port interaction is, but I know that it resides on the OS X side, not Classic (it appears even when Classic is off).

My theory is that since Classic didn't open the port, it says it isn't available. Why it has priority over OS X I don't know.

To push my suspicions farther, I quit Classic and tried using NAT again - worked perfectly fine, without restarting anything (I didn't even need to rerun the rc.natd script). Since nothing gets torn down, so I believe that the requests get intercepted by Classic. I bet this could be patched pretty quickly. It does lead me to wonder if Apple is running both the Streams network interface and the Sockets network interface, instead of emulating Streams over Sockets (which I understand is quite difficult, as opposed to the ease of emulating Sockets over Streams).

tim
 

Orion98

Registered
Hi,

I have a setup similar to whirk's. I'm trying to share my DSL connection with a second Mac. My DSL modem is connected to my G4 running OS X via the built-in ethernet port, and a second pci ethernet card which connects to the second Mac via a crossover cable.

I have the script from above, but I don't know how to configure my ethernet connections ( I'm a newbie to unix :D ). Any help you could offer would be greatly appreciated.


~Orion98
 

Tim Kelly

Registered
I'm finding more and more evidence that Classic and OS X are running two completely seperate network stacks. I added the following rule to ipfw:

ipfw add 6000 deny all from any to any

That completely shuts down the OS X access to the network, but Classic apps work perfectly fine. tcpdump shows activity on the Ethernet card for Classic, but not OS X.

tim
 

Tim Kelly

Registered
Originally posted by whirk


Heres the script I'm currently working with but is not working properly:

---

#!/bin/sh

natd -interface en0

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via en0
/sbin/ipfw add pass all from any to any

---

I can't figure out what else I need to add...I've read the man pages for ipfw and natd in depth and am somewhat lost.

I think I just need to add something that will enable my en1 port to pass traffic through to the en1 port...? Do I need to add a route for traffic on en1? I'm clueless as to what to do next but feel i'm really close to getting this working...
Unfortunately in my attempt to get natd and Classic working together I'm getting more familiar with ipfw than I cared to. The problem is in your divert statement. You should use interface en1, which you indicated is the interface to the cable modem. Don't divert en0 traffic.

tim
 

whirk

Registered
Originally posted by Orion98
Hi,

I have a setup similar to whirk's. I'm trying to share my DSL connection with a second Mac. My DSL modem is connected to my G4 running OS X via the built-in ethernet port, and a second pci ethernet card which connects to the second Mac via a crossover cable.

I have the script from above, but I don't know how to configure my ethernet connections ( I'm a newbie to unix :D ). Any help you could offer would be greatly appreciated.


~Orion98
Goto the System Preferences and under network it should list your two ethernet cards (assuming your pci ethernet card is detected)

Note: I had a dual ethernet card setup working for awhile..but it would sporadically stop working. After trying all sorts of things to get it working again and then having it fail again I determined that is was related to my second ethernet card..sometimes it worked fine and other times it just ceased to work.

So currently I'm just using my built in ethernet port, which is connected to my switch, and having the cable modem connected to the switch as well.

Here's what my single ethernet interface script looks like now (and has been working great for the past month - uptimes of 12 days straight with natd working fine the whole time (too bad I had to restart to install other software)). Anyways, here it is:

UW PICO(tm) 2.3 File: rc.natd

#!/bin/sh

ifconfig en0 alias 192.168.0.1 netmask 255.255.255.0

natd -interface en0

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via en0
/sbin/ipfw add allow ip from any to any

----------
NOTE: en0 is configured as it would normally in the network control panel with my real IP and netmask supplied by my cable provider. The Alias address in the script is the internal ip that clients on my network put in as the router address.

[Edited by whirk on 12-08-2000 at 05:01 PM]
 

whirk

Registered
Originally posted by Tim Kelly
Originally posted by whirk


Heres the script I'm currently working with but is not working properly:

---

#!/bin/sh

natd -interface en0

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via en0
/sbin/ipfw add pass all from any to any

---

I can't figure out what else I need to add...I've read the man pages for ipfw and natd in depth and am somewhat lost.

I think I just need to add something that will enable my en1 port to pass traffic through to the en1 port...? Do I need to add a route for traffic on en1? I'm clueless as to what to do next but feel i'm really close to getting this working...
Unfortunately in my attempt to get natd and Classic working together I'm getting more familiar with ipfw than I cared to. The problem is in your divert statement. You should use interface en1, which you indicated is the interface to the cable modem. Don't divert en0 traffic.

tim
ummm no.

What that divert statement says essentially is this:
"Divert *to* NATD all traffic going through en0."

This is what you want because you want NATD to proccess the traffic coming from the internal network, which in turn translates it and sends it on to the internet using whatever means to access the internet that your computer is already configured for. You want to divert the traffic on whatever ethernet port is connected to the clients that need to access the internet via your gateway - otherwise their network traffic wouldn't get translated and tunneled out to the internet.

I hope this makes *some* sense...
 

mutha

Registered
i been folowing your posts and tried this on my G4. My problem is that I have to use PPPoe so I get a dynamic address from my provider. Hence, I cannot get it working the way you are doing it here. Do I need to use ppp0 instead of en0 for the script ?

Cheers
 

Tim Kelly

Registered
Originally posted by whirk

ummm no.

What that divert statement says essentially is this:
"Divert *to* NATD all traffic going through en0."

This is what you want because you want NATD to proccess the traffic coming from the internal network, which in turn translates it and sends it on to the internet using whatever means to access the internet that your computer is already configured for. You want to divert the traffic on whatever ethernet port is connected to the clients that need to access the internet via your gateway - otherwise their network traffic wouldn't get translated and tunneled out to the internet.

I hope this makes *some* sense... [/B]
You are correct. After rereading your post I see that in fact you have the opposite arrangement than I do. I do not know why I misread your configuration.

My apologies for the confusion.

tim
 

monty

Registered
mutha,

sort of. Yes you have to change en0 to ppp0 but the problem is natd is expecting a static IP address so you have to add the -dynamic flag as well. The other way will work but if the connection drops out and you reconnect and get assigned a new IP address then natd will get lost. So here's the script you need:

#!/bin/sh

natd -dynamic -interface ppp0

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ppp0
/sbin/ipfw add pass all from any to any

Also as an optional extra i suggest geting the two files from <a href="http://wopr.norad.org/articles/firewall/booting.html">Firewall Setup</a>. Follow the directions and change their script so that it macthes the above but leave the ConsoleMessage part in. That way it loads when the macosx startup progress bar goes by and the ConsoleMessage appears. Seems more professional and mac-like that way. Note: you can change ConsoleMessage to anything you want, like Starting NAT.

peter
 

monty

Registered
Oops. looks like you have to change the message "Starting firewall" in the plist and not in the shell script to get a custom startup message otherwise what i said works. Sorry I wrote my last post before I tried changing the message myself. the shell script works though.

peter
 

monty

Registered
tim,

Ok now i'm really confused. Your theory was that OT in the classic environment is intercepting the packets before they can be fowarded right? Problem: I turned of OT in classic but problem remains. Quit classic and all works fine again. What the hell is happening?!?

peter
 
Top