Mac OS X TCP/IP Routing
September 16, 2004 12:44 PM
Mac OS X TCP/IP routing filter! I have two network interfaces on my Mac. I want most of my Internet traffic to go through my NAT router, but still allow the machine to be accessible from the Internet at its own address. More inside...
I have two Ethernet interfaces in my Mac because this lets me connect to my second computer, a Windows box, behind my hardware firewall/NAT router while at the same time giving it a real TCP/IP address (my DSL package gives me two). However, recently I switched to Vonage for my phone line. Now I want to run most of my Mac net use through the firewall/router so that it goes from there through the Vonage adapter so the adapter can do its voodoo to prevent dropouts on the voice line. Switching the Mac over to go through the router was easy, but now, although the other interface with the "real" TCP/IP address is up and accessible on the LAN, it can't be connected to from the Internet. My guess is that the packets get from the Internet to my Mac okay, but when reply packets go back out, the Mac is sending them out through the NAT router instead of from the interface they came in on, which makes them appear to come from the wrong IP address, so they are discarded.
Now I could set up the firewall/router to open a few ports (SSH, etc.) to my Mac instead of my PC, which is what I'll do if I can't figure this out. But since I have two IP addresses, I'd really like to give the Mac its own. Is there any way to get this to work?
This is kind of a complex situation so if I need to clarify anything, just ask.
I don't understand exactly what you're trying to do (on preview: I guess I'm not the only one ;), but you'll probably need to configure static routes using ipfw. Try using Brickhouse if you'd rather not monkey around at the command line.
posted by maniactown at 1:29 PM on September 16, 2004
Does your router have the ability to set up a DMZ? Most routers seem to have that, and if I understand what you're trying to do, that's what you want.
posted by willnot at 1:40 PM on September 16, 2004
can you draw a picture?
posted by andrew cooke at 1:47 PM on September 16, 2004
Response by poster: Chris has it right. Here's how the network is set up:
1) The DSL comes into a Zyxel DSL router, which is a DSL modem and a router in one box. It's set to bridging mode, so it doesn't do NAT, it just bridges the two IPs I have from Speakeasy onto my local network.
2) Into the Zyxel router is plugged a) the Motorola ATA from Vonage and b) the built-in Ethernet of my Mac. The ATA is set to use one of my static IPs from Speakeasy, as is my Mac.
3) Into the Motorola ATA is plugged my Netgear FR314 firewall, which is configured to get an IP address from the Motorola ATA.
4) Into the Netgear is plugged the PC and the Mac's second Ethernet port. The firewall blocks most services (e.g. file sharing) from access over the Internet, so I stuck a cheap Ethernet card into the Mac so I could get full access to the PC without going through the firewall. I did this before I moved and got Vonage service, actually.
Now the way I used to have the Mac set up is that it uses the built-in Ethernet port for its Internet access. (You can choose which interface is used for Internet access in the Mac's Network preference panel.) This way it has its own real IP address. However, I now want to switch it over to use the add-on Ethernet card for Internet access, which will go through the firewall and thus the Vonage ATA. This way the ATA can shape the traffic so if I'm downloading something, it doesn't affect my ability to talk on the phone. However, when I do this, machines outside my network can't connect to the Mac on its public IP address. As I said, I assume the reply packets to incoming connections are going out on the other interface and are thus not being recognized by their targets. I'm not sure if this is something I can solve with the router and/or firewall settings, but I don't know enough about TCP/IP to be sure.
I suppose the easiest thing to do would be to not use the second TCP/IP address, and configure the Netgear router to forward the SSH port and a few others to my Mac. But there are some apps that don't work fully behind NAT and I'm paying for the second IP address anyway, so I'd like the flexibility. I realize that anything I do on that address could interfere with my voice service, since it won't go through the ATA, but the idea is to keep most things from interfering with it, while still being flexible.
posted by kindall at 3:42 PM on September 16, 2004
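The diagnosis in the post above (replies leave through whichever interface holds the default route, not the interface the request arrived on) is exactly how a plain destination-based routing table behaves. The following is an added illustration, not code from the thread or from Mac OS X: it models a routing table in the shape `netstat -rn` prints on Mac OS X, looks up where a reply would leave, and then applies a source-based override of the kind `ipfw`'s `fwd` action provides. The 216.231.50.x and 192.168.1.x subnets come from the thread; the host address 216.231.50.10, the gateway addresses 216.231.50.1 and 192.168.1.1, the interface names en0/en1 and the Internet host 198.51.100.7 are constructed for the example.

```python
"""Model of the two-interface reply-routing problem described in the thread.

Added example, not code from the thread. The subnets are the poster's; the
gateways, interface names and host addresses are assumptions made up for
the illustration.
"""
import ipaddress

# Constructed routing table in the shape `netstat -rn` shows on Mac OS X:
# (destination, gateway, interface). Only the destination is consulted.
ROUTES = [
    ("default",          "192.168.1.1", "en1"),   # NAT router side (assumed gateway)
    ("192.168.1.0/24",   "link",        "en1"),   # inside subnet, directly attached
    ("216.231.50.0/24",  "link",        "en0"),   # public subnet, directly attached
]

# A source-based override modeled on what an ipfw rule such as
#   ipfw add fwd 216.231.50.1 ip from 216.231.50.0/24 to not 192.168.1.0/24 out
# does: traffic *from* the public address goes to the public gateway, except
# traffic for the inside LAN, which stays directly attached. Gateway assumed.
POLICY = [
    # (source network, destination network to exclude, gateway, interface)
    ("216.231.50.0/24", "192.168.1.0/24", "216.231.50.1", "en0"),
]


def _net(dest):
    return ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)


def destination_lookup(dst):
    """Plain destination-based lookup: longest matching prefix wins."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for dest, gw, iface in ROUTES:
        net = _net(dest)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best[1], best[2]


def policy_lookup(src, dst, policy=POLICY):
    """Source-aware lookup: a matching policy rule overrides the table."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for src_net, excl_net, gw, iface in policy:
        if src_ip in ipaddress.ip_network(src_net) and dst_ip not in ipaddress.ip_network(excl_net):
            return gw, iface
    return destination_lookup(dst)


def owning_interface(addr):
    """Interface whose directly attached subnet contains `addr`."""
    ip = ipaddress.ip_address(addr)
    for dest, _gw, iface in ROUTES:
        if dest != "default" and ip in _net(dest):
            return iface
    return None


def reply_consistent(src, dst, use_policy):
    """True when a reply sent from `src` to `dst` leaves via the interface
    that owns `src`, i.e. the path the request came in on."""
    gw, iface = policy_lookup(src, dst) if use_policy else destination_lookup(dst)
    return iface == owning_interface(src)


if __name__ == "__main__":
    # Constructed scenario: a host on the Internet connected to the Mac's public address.
    public, internet_host = "216.231.50.10", "198.51.100.7"
    print("reply without policy leaves via", destination_lookup(internet_host))
    print("reply with policy leaves via   ", policy_lookup(public, internet_host))
```

Without the policy the reply to the Internet host is handed to the NAT router on en1 with a 216.231.50.x source address, which is the mismatch the poster suspects; with the source-based rule it leaves on en0, the interface the request arrived on. Traffic from the public address to the inside LAN is deliberately left on the destination table so the PC on 192.168.1.x remains reachable.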
sounds like the mac's config is too restrictive. can you not associate different programs with different addresses? for example, if you're running a web server then it should be configured to listen on the external address. from what you say it sounds as though everything is configured via a single switch, which isn't what you want.
basically, this should work, but you have to keep any particular protocol on just one route.
posted by andrew cooke at 3:59 PM on September 16, 2004
Response by poster: Hmmm. That's tantalizing... although the Mac does seem to be listening on both interfaces. From the PC, for example, I can access the Mac's Web server at both the internal 192.168.x.y address, which should only need to go as far as the firewall, and the external address, which should go through the firewall to the DSL router and back to the Mac on the other interface.
posted by kindall at 4:13 PM on September 16, 2004
so you can access the second address (the one just for the mac) from your pc but not from the outside world? that sounds like a problem with the zyxel router.
posted by andrew cooke at 4:28 PM on September 16, 2004
There's really no reason why a service running on the Mac should receive a connection on one network interface and then start sending replies on the other interface, as long as it's all part of one 'conversation'... unless there's some pretty weird config going on.
For instance, I often have my Mac connected to our network via its wireless Airport interface and its wired Ethernet interface, on two separate IP addresses, and everything works as you'd expect it. So I know that this should work.
You say that you can access the Mac's web server on both addresses from your PC, so that's clearly working. Can you ssh to your Mac from your PC? Or ftp to it?
And what about accessing your Mac from completely outside your network? Which services (if any) work?
posted by chrismear at 4:42 PM on September 16, 2004
Response by poster: Sure, I can do pretty much anything from my PC to my Mac -- browse the Web, VNC, whatever. They're on the same network segment with no filtering between them whatsoever.
At the moment I have the Mac set up to use the external address as its Internet connection, so I can connect to it just fine. If I tell it to use the internal address (that goes through the NAT router) for Internet, then I can't connect to it at all, even though both interfaces are still "up."
I actually put a trouble ticket in on this with Speakeasy last night, because I thought it was a problem in their router, but after I figured out it was an oddity in the Mac's Internet configuration, I closed the ticket.
posted by kindall at 5:42 PM on September 16, 2004
it's not just about the interfaces. the software has to listen to the right interface. when you change the mac config you're changing what the software does.
when you have the mac configured for the internal address, can you still access it at the external address from the pc?
posted by andrew cooke at 6:53 PM on September 16, 2004
Response by poster: Yes, from the PC, it responds on both interfaces fine, for every service I've tried it on. Granted, I haven't tried it on everything. However, there's nothing in xinetd.conf that would appear to bind any service to one interface or the other.
posted by kindall at 7:04 PM on September 16, 2004
so if it works fine on both addresses when you connect to it from the pc, why do you think it's a problem with the mac?
posted by andrew cooke at 7:18 PM on September 16, 2004
I'm not very good at these things, but what's the subnet of your mac, and if you type "ip route" what information do you get? (this is a linux command, I don't know about osx)
posted by holloway at 7:57 PM on September 16, 2004
Response by poster: so if it works fine on both addresses when you connect to it from the pc, why do you think it's a problem with the mac?
Because the PC's on the local subnet in both cases. It's not actually going through a router. If I try to do it from outside the router, it doesn't work. Something's getting lost on the way out of the Mac to the requesting host out on the Internet, I think.
ip route
No such command on the Mac, unfortunately, and fink doesn't seem to have it either.
posted by kindall at 9:54 PM on September 16, 2004
Response by poster: Oh. Oops. The Mac is on two subnets of course: 192.168.1.x (behind firewall) and 216.231.50.x (outside firewall).
posted by kindall at 10:43 PM on September 16, 2004
ok, so if i understand correctly, you can (without changing the config on the mac) connect to the external 216... address from the pc.
do that.
then unplug the cable from the mac to the local network (192...). leave the cable that goes to the cable modem/splitter (216...) alone.
can you still connect to the mac from the pc?
posted by andrew cooke at 7:54 AM on September 17, 2004
so do you still think there's a problem with the mac? your pc can talk to it just fine via the port connected to the 216... card. it's not doing anything via the local network because that cable is unplugged. there doesn't seem to be anything wrong with your mac, as far as i can see.
posted by andrew cooke at 9:04 AM on September 17, 2004
(maybe i'm misunderstanding something basic here - can anyone else explain why the mac is the problem?)
posted by andrew cooke at 9:05 AM on September 17, 2004
Response by poster: Well, as I said, there's clearly nothing wrong with the routing on the ISP's side. If I have the Mac configured to connect to the Internet through the 216 interface, I can connect to that address fine from, say, work. The problem is that if I have the Mac configured to connect to the Internet through the 192 interface, I can't connect to the 216 address from work. Since the only thing I change between these two scenarios is which interface the Mac is using for Internet access, it must be a Mac networking oddity, no?
In thinking about how I want to set things up here, though, this point may become moot. My DirecTiVo is now bitching every day about how I haven't made a daily call (it did this only once a week at first) so I'm going to have to put the ATA near the TiVo, which means the DSL router has to be there too, which means I'm going to have to just live with running the Mac out through the firewall and using port-forwarding for incoming connections. At least for now.
posted by kindall at 10:56 AM on September 17, 2004
ok, i'm sorry - i give up. i must have misunderstood something.
posted by andrew cooke at 11:09 AM on September 17, 2004
Response by poster: Well, thanks for trying to help, anyway. I was hoping it'd just be some "duh" thing or simple command-line incantation that someone would know.
posted by kindall at 1:57 PM on September 17, 2004
posted by chrismear at 1:23 PM on September 16, 2004