
Lion Server: How to configure NAT and DHCP with a custom range of IP addresses

Learn how to configure Lion Server as a gateway using a custom range of IP addresses. 

Gateway Setup Assistant on Lion Server can configure your server as a gateway that uses a predefined range of IP addresses for the internal network. The server's internal network interface will be assigned an IP address of 192.168.2.1, and the DHCP service will be configured to serve IP addresses in the range of 192.168.2.0/24.  

  1. If you haven't already done so, download and install the Server Admin Tools for Lion Server.
  2. Disable Internet Sharing in System Preferences or the NAT service in the Server Admin application.
  3. Configure the server's secondary network interface with the desired IP address and subnet mask. For example, if you wish to serve DHCP addresses in the range of 10.0.0.2-10.0.0.254 you could configure en1 to have an IP address of 10.0.0.1 with a subnet mask of 255.255.255.0.
  4. Configure the DHCP service to serve IP addresses in the desired range. See the Lion Server Advanced Administration guide for more details.
  5. Configure the DNS service to resolve IP addresses in the range of DHCP addresses you'll be serving. This step is optional but recommended; see the Lion Server Advanced Administration guide for more details.
  6. Configure the Firewall service to restrict access to and from your server. This step is also optional but recommended; see the Lion Server Advanced Administration guide for more details.
  7. Edit /etc/pf.anchors/com.apple and comment out the *InternetSharing* lines. Add your own NAT rules below this section so that it looks like this:

    #nat-anchor "100.InternetSharing/*"
    #rdr-anchor "100.InternetSharing/*"
    #anchor "100.InternetSharing/*"
    nat-anchor "100.exampleNATRules/*"
    rdr-anchor "100.exampleNATRules/*"
    load anchor "100.exampleNATRules" from "/etc/pf.anchors/exampleNATRules"

  8. Create /etc/pf.anchors/exampleNATRules with contents like these:

    nat on en0 from 10.0.0.0/24 to any -> (en0)
    pass from {lo0, 10.0.0.0/24} to any keep state

    Modify en0 and 10.0.0.0/24 as needed to match your server's external network interface and the internal subnet.

  9. Edit /System/Library/LaunchDaemons/com.apple.pfctl.plist so that pfctl(8) is invoked with the -e flag. This can be accomplished with this command:

    sudo /usr/libexec/PlistBuddy -c 'add :ProgramArguments:3 string -e' /System/Library/LaunchDaemons/com.apple.pfctl.plist

  10. Create /etc/sysctl.conf if necessary, and add this line to it:

    net.inet.ip.forwarding=1

  11. Reboot the server. NAT will now be done by Packet Filter (PF), thus allowing you to use a custom range of DHCP addresses.
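The following script is an added example and is not part of Apple's article. It generates the files that steps 7, 8 and 10 describe into a scratch directory, so the result can be reviewed with diff before anything under /etc is touched. The anchor name exampleNATRules, the interface en0 and the subnet 10.0.0.0/24 are the article's own values; the function names and the check that the internal subnet is a well-formed CIDR are this example's additions.

```shell
#!/bin/sh
# Added example (not Apple's code): render the PF NAT anchor, the patched
# com.apple anchor file and the sysctl line from steps 7, 8 and 10 into a
# scratch directory for review before copying them to /etc.

# Step 8: the two NAT rules for an external interface and an internal subnet.
# "(en0)" in parentheses tells PF to use whatever address en0 currently has.
nat_anchor_rules() {
    ext_if="$1"; int_net="$2"
    printf 'nat on %s from %s to any -> (%s)\n' "$ext_if" "$int_net" "$ext_if"
    printf 'pass from {lo0, %s} to any keep state\n' "$int_net"
}

# Step 7: comment out the three InternetSharing anchor lines and append the
# exampleNATRules lines (only once, so re-running on a patched file is safe).
# Reads the current file on stdin and writes the new contents to stdout.
patch_com_apple() {
    content=$(cat)
    printf '%s\n' "$content" \
      | sed -E 's,^((nat-anchor|rdr-anchor|anchor) "100\.InternetSharing/\*"),#\1,'
    if ! printf '%s\n' "$content" | grep -q 'exampleNATRules'; then
        printf 'nat-anchor "100.exampleNATRules/*"\n'
        printf 'rdr-anchor "100.exampleNATRules/*"\n'
        printf 'load anchor "100.exampleNATRules" from "/etc/pf.anchors/exampleNATRules"\n'
    fi
}

# Sanity check (added here): a typo in the subnet would otherwise produce a
# rule set that pfctl rejects at boot, leaving the gateway without NAT.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    net=${1%/*}; bits=${1#*/}
    case "$net$bits" in *[!0-9.]*|'') return 1 ;; esac
    [ "$bits" -le 32 ] 2>/dev/null || return 1
    oldifs=$IFS; IFS=.; set -- $net; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Write everything under OUTDIR, mirroring the /etc layout:
#   OUTDIR/pf.anchors/exampleNATRules   (step 8)
#   OUTDIR/pf.anchors/com.apple         (step 7, only if a copy is present)
#   OUTDIR/sysctl.conf                  (step 10)
render_gateway_files() {
    outdir="$1"; ext_if="$2"; int_net="$3"
    valid_cidr "$int_net" || { echo "invalid internal subnet: $int_net" >&2; return 1; }
    [ -n "$ext_if" ] || { echo "external interface name required" >&2; return 1; }
    mkdir -p "$outdir/pf.anchors"
    nat_anchor_rules "$ext_if" "$int_net" > "$outdir/pf.anchors/exampleNATRules"
    printf 'net.inet.ip.forwarding=1\n' > "$outdir/sysctl.conf"
    if [ -f "$outdir/pf.anchors/com.apple" ]; then
        patch_com_apple < "$outdir/pf.anchors/com.apple" > "$outdir/pf.anchors/com.apple.new" \
          && mv "$outdir/pf.anchors/com.apple.new" "$outdir/pf.anchors/com.apple"
    fi
}

# Usage (constructed values): render_gateway_files /tmp/gw en0 10.0.0.0/24
```

Copy the server's real /etc/pf.anchors/com.apple into the scratch directory first so the patched version can be compared against it with diff; once the rendered files are in place under /etc, `sudo pfctl -nf /etc/pf.conf` parses the whole rule set without loading it, which catches a broken anchor before the reboot in step 11.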

Note: Repeat step 8 if you change the IP address of the internal subnet.

Last Modified: Mar 21, 2012
Article: HT5215