Lion Server: How to configure NAT and DHCP with a custom range of IP addresses

Learn how to configure Lion Server as a gateway using a custom range of IP addresses.

Gateway Setup Assistant on Lion Server can configure your server as a gateway that uses a predefined range of IP addresses for the internal network. The server's internal network interface will be assigned an IP address of, and the DHCP service will be configured to serve IP addresses in the range of

  1. If you haven't already done so, download and install the Server Admin Tools for Lion Server.
  2. Disable Internet Sharing in System Preferences or the NAT service in the Server Admin application.
  3. Configure the server's secondary network interface with the desired IP address and subnet mask. For example, if you wish to serve DHCP addresses in the range of you could configure en1 to have an IP address of with a subnet mask of
  4. Configure the DHCP service to serve IP addresses in the desired range. See the Lion Server Advanced Administration guide for more details.
  5. Configure the DNS service to resolve IP addresses in the range of DHCP addresses you'll be serving. This step is optional but recommended; see the Lion Server Advanced Administration guide for more details.
  6. Configure the Firewall service to restrict access to and from your server. This step is also optional but recommended; see the Lion Server Advanced Administration guide for more details.
  7. Edit /etc/pf.anchors/ and comment out the *InternetSharing* lines. Add your own NAT rules below this section so that it looks like this:
        #nat-anchor "100.InternetSharing/*"
        #rdr-anchor "100.InternetSharing/*"
        #anchor "100.InternetSharing/*"
        nat-anchor "100.exampleNATRules/*"
        rdr-anchor "100.exampleNATRules/*"
        load anchor "100.exampleNATRules" from "/etc/pf.anchors/exampleNATRules"
  8. Create /etc/pf.anchors/exampleNATRules with contents like these:
        nat on en0 from to any -> (en0)
        pass from {lo0,} to any keep state

    Modify en0 and as needed to match your server's external network interface and the internal subnet.

  9. Edit /System/Library/LaunchDaemons/ so that pfctl(8) is invoked with the -e flag. This can be accomplished with this command:
    sudo /usr/libexec/PlistBuddy -c 'add :ProgramArguments:3 string -e' /System/Library/LaunchDaemons/
  10. Create /etc/sysctl.conf if necessary, and add this line to it:
  11. Reboot the server. NAT will now be done by Packet Filter (PF), thus allowing you to use a custom range of DHCP addresses.

Note: Repeat step 8 if you change the IP address of the internal subnet.
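The anchor file from step 8 has to be regenerated whenever the external interface or internal subnet changes (see the note above), and a typo in it means PF rejects the anchor at boot and the server simply stops forwarding for internal clients. The following POSIX shell script is an added example, not part of this Apple article, that builds the step 8 anchor from two parameters and sanity-checks the subnet before writing it. The interface name en0, the subnet 192.168.50.0/24 and the function names are constructed for illustration; only the file path /etc/pf.anchors/exampleNATRules and the anchor name 100.exampleNATRules come from steps 7 and 8.

```shell
#!/bin/sh
# Added example (not Apple's code): generate the PF NAT anchor described in
# step 8 of the article from an external interface and an internal subnet.
# Sample values used below (en0, 192.168.50.0/24) are constructed.

# Accept only a dotted-quad IPv4 address with a /0-/32 prefix, e.g.
# 192.168.50.0/24. A malformed subnet would make pfctl reject the whole
# anchor, leaving the server without NAT after the reboot in step 11.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|/*|*/) return 1 ;;   # bad characters, 2 slashes, empty side
        */) return 1 ;;
        */*) ;;                                 # exactly one slash: continue
        *) return 1 ;;                          # no prefix length at all
    esac
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    # Exactly three dots, so the address has four octets.
    [ "$(printf '%s' "$addr" | tr -cd '.' | wc -c | tr -d ' ')" -eq 3 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print the two anchor rules: NAT the internal subnet out of the external
# interface, and pass traffic from loopback and the internal subnet, keeping
# state. Usage: nat_anchor EXT_IF INT_SUBNET
nat_anchor() {
    ext_if=$1; int_net=$2
    valid_cidr "$int_net" || { echo "nat_anchor: bad subnet '$int_net'" >&2; return 1; }
    printf 'nat on %s from %s to any -> (%s)\n' "$ext_if" "$int_net" "$ext_if"
    printf 'pass from {lo0, %s} to any keep state\n' "$int_net"
}

# Write the anchor to a file; the default path is the one the article uses.
# Usage: write_nat_anchor EXT_IF INT_SUBNET [OUTPUT_PATH]
write_nat_anchor() {
    out=${3:-/etc/pf.anchors/exampleNATRules}
    nat_anchor "$1" "$2" > "$out"
}

# Parse-only check of the written anchor (pfctl -n loads nothing). Skipped on
# hosts without pfctl so the script still runs elsewhere.
check_anchor_syntax() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found, skipping syntax check" >&2; return 0; }
    pfctl -n -a "100.exampleNATRules" -f "${1:-/etc/pf.anchors/exampleNATRules}"
}

# Show the rules for the constructed sample values without writing anything.
nat_anchor en0 192.168.50.0/24
```

To install the anchor on the server, run `write_nat_anchor en0 192.168.50.0/24` as root with your real interface and subnet, then `check_anchor_syntax` before rebooting; the pass rule is deliberately identical in scope to the article's, so tighten it with the Firewall service from step 6 rather than in this file.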
