Troubleshooting NAT Internet Sharing

Murus
hany
Posts: 445
Joined: Wed Dec 10, 2014 5:20 pm

Troubleshooting NAT Internet Sharing

Post by hany » Fri Apr 03, 2015 12:10 pm

To share the internet connection you have 2 alternative ways:

1) use OS X system preferences sharing panel
2) use Murus NAT

In order to work correctly you have to activate one of these methods, and stop the other.
There are differences between the two ways to share the Internet:

1) OS X INTERNET SHARING:
- Activated within OS X System Preferences, Sharing prefpane
- It uses NATPMP, not static NAT. Port redirection to clients' apps is automatic provided that apps do support it.
- It uses a fixed LAN interface with fixed IP address (192.168.2.1). Your LAN clients must stay on this network.
- You can't have a filtering or logging policy, LAN clients access to internet is unrestricted
- You can't export LAN services to the internet
- You can use your built-in wifi as LAN, using your Mac as wifi access point
- You can't share a VPN connection with LAN clients
- You can't monitor LAN clients traffic

2) MURUS INTERNET SHARING:
- Activated using Murus Pro
- Uses Static NAT. Port redirections are customizable. You have to manually add all your port redirections.
- Uses one or more manually configured LAN interfaces
- Freedom of configuration for all your interfaces, no need to stay within a specific network
- Per-client or per-network or per-group filtering and logging policy, for both inbound and outbound
- Export LAN services to the Internet
- Share VPN connection with LAN clients
- Use your built-in wifi as LAN, but you can't use it as access point
- Monitor LAN clients traffic


MURUS NAT TROUBLESHOOTING:

In case you have problems running Murus Internet Sharing please consider reading the provided Murus Manual, then follow these steps:

- be sure to turn off the OS X system preferences firewall and to remove ALL third party firewalls (IceFloor, PFLists, WaterRoof, NoobProof, LittleSnitch, TCPBlock). Then REBOOT. You will reinstall these third party apps later when troubleshooting is finished.
- be sure to deactivate Internet Sharing in System preferences, REBOOT, and then activate Murus NAT and REBOOT again. These 2 ways of doing NAT do fight each other.
- be sure to install Murus boot scripts. They are mandatory because they activate interface bridging, which is needed for NAT. After installing scripts you must REBOOT.
- start from a CLEAN Murus conf, that’s important when troubleshooting
- NAT is the first thing to configure, you need to activate it on a plain-default Murus configuration (you can restore it from murus “Firewall” menu)
- NAT must work (clients must surf the web) with a plain-default configuration. Then add your filtering and redirection rules, if you need any.
- be sure to correctly assign WAN and LAN interfaces. WAN is connected to the internet and fully configured, LAN is the local one, it needs only IP and subnet (no router or dns addresses needed)
- be sure to correctly assign permissions to NAT groups: assign correct addresses and assign ALL SERVICES so they have full internet access (you’ll limit it later, after troubleshooting is completed)
- disable DHCP on your router and LAN clients because it would assign wrong network settings to your clients. Configure your clients with static IP.
- check twice your NAT clients configuration: Static IP address, Router IP and DNS IP for all clients. All LAN clients will use your Murus' Mac's LAN IP as router.
- in case of error be sure to verify if it’s a Routing problem or a DNS problem… sometimes it happens that NAT is currently working, but for some reason DNS is not. Try using well-known dns servers like Google's 8.8.8.8.
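The routing-versus-DNS check from the last step of the list above, as an added example that is not part of the original post or of Murus. It is meant to be run on a LAN client; the gateway address is whatever LAN IP you gave the Murus Mac, and `example.com` is only a test name. It assumes ICMP echo is allowed through the firewall, as it is while the NAT group has all services.

```shell
#!/bin/sh
# Added example, run on a LAN client behind the NAT Mac.
# Usage: sh natcheck.sh <LAN IP of the Murus Mac>   (e.g. a constructed 192.168.1.1)

# classify GW IP DNS_CFG DNS_PUB: each argument is a probe exit status (0 = success)
classify() {
    if   [ "$1" -ne 0 ]; then echo "lan"          # router IP unreachable: check client IP, subnet, router setting
    elif [ "$2" -ne 0 ]; then echo "routing"      # Mac answers, Internet by address does not: NAT / WAN side
    elif [ "$3" -eq 0 ]; then echo "ok"           # names resolve with the DNS configured on the client
    elif [ "$4" -eq 0 ]; then echo "dns-setting"  # only 8.8.8.8 resolves: fix the client's DNS IP
    else                      echo "dns-blocked"  # routing works but no resolver can be reached
    fi
}

reach()   { ping -c 2 "$1" >/dev/null 2>&1; }
# No argument = resolver configured on the client; one argument = ask that server.
resolve() { host -W 3 example.com "$@" >/dev/null 2>&1; }

diagnose() {
    reach "$1";      gw=$?     # the Murus Mac's LAN IP, used as router by the clients
    reach 8.8.8.8;   ip=$?     # Internet by address: needs routing and NAT, not DNS
    resolve;         cfg=$?    # DNS as configured on this client
    resolve 8.8.8.8; pub=$?    # DNS through a well-known public server
    verdict=$(classify "$gw" "$ip" "$cfg" "$pub")
    echo "gateway=$gw ip=$ip dns_configured=$cfg dns_public=$pub -> $verdict"
    [ "$verdict" = "ok" ]
}

if [ $# -ge 1 ]; then
    diagnose "$1"
else
    # Constructed probe results: everything works except the configured DNS.
    classify 0 0 1 0
fi
```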

osahum
Posts: 1
Joined: Wed May 06, 2015 9:55 pm

Re: Troubleshooting NAT Internet Sharing

Post by osahum » Wed May 06, 2015 10:02 pm

Can I share two internet connections (two WANs from two ethernets) to one LAN network? If yes, will OS X or Murus for that matter distribute the available bandwidth over the two WANs (like load balancer)?

If no, do you have any suggestions how I might do that? I use my mac pro as gateway server. I am thinking to add another fiber optic connection to my network but I like everything to be centralized. I currently use IceFloor for NAT. It works very well but I might buy Murus since it has better Yosemite Support.

Thanks

kc0mmy
Posts: 9
Joined: Tue Dec 22, 2015 1:13 am

Re: Troubleshooting NAT Internet Sharing

Post by kc0mmy » Sun Dec 27, 2015 10:58 pm

The question I have is: Do I need to set the service order in System Preferences? For instance, should en0 (WAN interface) be before en1 (LAN interface)? I don't see anything in the manual regarding this so my guess is that it doesn't matter? Or perhaps in this example en1 should come before en0?

-Andre

hany
Posts: 445
Joined: Wed Dec 10, 2014 5:20 pm

Re: Troubleshooting NAT Internet Sharing

Post by hany » Mon Dec 28, 2015 1:34 pm

Andre

Interface order in OS X System Preferences -> Network does matter because your Mac will use the first available (and working) interface as default. Let's say you have 3 working internet connections on your Mac running NAT:
1) ethernet connected to your home dsl router
2) wifi connected to your neighbor's home wifi router
3) bluetooth connected to your 3G iphone modem

then you have a 4th interface, an ethernet, connected to a switch for your home network, with some Macs connected to it. You are using this interface as LAN, and these Macs will use your Mac as router.

Now, the most important thing is to decide which of the three internet connections will be the default one. You do this changing interfaces order in System Preferences. So let's say you want to use the dsl ethernet router as main interface, the very same interface must be set as WAN on Murus NAT. Once done, the order of the remaining interfaces can be left as is.

kc0mmy
Posts: 9
Joined: Tue Dec 22, 2015 1:13 am

Re: Troubleshooting NAT Internet Sharing

Post by kc0mmy » Mon Dec 28, 2015 3:35 pm

Hany,

Again, thank you! Crystal clear! I thought that was the case (and I did set it up that way) but as I stated in another post, I guess I just don't have enough confidence in my judgement. Now I just need to make the magic happen. :)

If I could, I'd like to ask for another point of clarification: Is it absolutely necessary to activate NAS with a default configuration, or is that just for troubleshooting purposes? The reason I ask is because I was using my OS X Server as a "Test Machine" before turning it into a gateway and I think I have everything as it should be. If I need to do the "default settings" it's not too big of a deal. I can just write down the settings I need.

Again, thanks! You've been a HUGE help. :)

-Andre

kc0mmy
Posts: 9
Joined: Tue Dec 22, 2015 1:13 am

Re: Troubleshooting NAT Internet Sharing

Post by kc0mmy » Tue Dec 29, 2015 11:33 am

All is working!

I just used the rules I created already, tested the settings, installed the boot scripts, rebooted and all is set. Wireless clients are able to browse.

Definitely a great product. $35 well spent. :)

-Andre

hany
Posts: 445
Joined: Wed Dec 10, 2014 5:20 pm

Re: Troubleshooting NAT Internet Sharing

Post by hany » Tue Dec 29, 2015 12:27 pm

> Is it absolutely necessary to activate NAT with a default configuration, or is that just for troubleshooting purposes

No, I just think that starting from a Murus default configuration is easier FOR ME to troubleshoot customers' first attempt to run NAT :D
Probably no one is using the default conf at the end, but it is a good starting point even for me when I have to make my own test and such :)

> I just used the rules I created already, tested the settings, installed the boot scripts, rebooted and all is set. Wireless clients are able to browse.

Glad to see it just works! Enjoy :)
Thank you!

kc0mmy
Posts: 9
Joined: Tue Dec 22, 2015 1:13 am

Re: Troubleshooting NAT Internet Sharing

Post by kc0mmy » Tue Dec 29, 2015 4:32 pm

Okay, I do have one quick question and I am racking my brain here ...

Sorry ....

I need port 22 to be open for an application that I use to get into the machine remotely. It's on the same machine that I'm using Murus on and it is acting as a dual homed router. I assume I just set up a forwarding rule in Murus to the local machine's address, correct? Or because it's acting as a router, do I need to set something else up? :)

Certainly not critical ... but is helpful. :)

Thanks!

-Andre

hany
Posts: 445
Joined: Wed Dec 10, 2014 5:20 pm

Re: Troubleshooting NAT Internet Sharing

Post by hany » Tue Dec 29, 2015 6:11 pm

If the service is listening (also) on the public WAN interface then you just have to manage SSH service in Managed Inbound Services. In my opinion this is the best approach and the most common.
But if the service listens only on the local side of the network then you must forward it to a local ip. The easiest way is to do it in Managed Inbound Services enabling SSH service's forwarding option, but you can also issue a custom forwarding rule.

...Then...
If you need to access this service also from local hosts (hosts running on the LAN side of your dual-homed Mac router) using the public address then you probably will face a typical dns problem that you will understand and hopefully fix reading the PF manual chapter about "split horizon dns". Welcome to the wonderful world of NAT :)
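The distinction made in the post above (service listening on the WAN side versus only on the local side) can be checked on the gateway Mac before choosing between a plain Managed Inbound Service and forwarding. This is an added example, not part of the original post or of Murus; the sample `netstat` lines and all addresses are constructed.

```shell
#!/bin/sh
# Added example: decide where a TCP service listens on the dual-homed Mac.
# Usage: sh listen_scope.sh <port> <WAN IP>   (reads live `netstat -anp tcp`)
# Without arguments it runs on the constructed sample below.

# Constructed sample in the OS X netstat layout (local address is field 4, "addr.port").
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.1.548        *.*                    LISTEN'

# listen_scope PORT WAN_IP   (netstat output on stdin)
#   wan        -> bound to all addresses or to the WAN address
#   local-only -> bound, but only to other addresses (LAN or loopback)
#   closed     -> nothing is listening on that port
listen_scope() {
    awk -v port="$1" -v wan="$2" '
        $NF == "LISTEN" {
            suffix = "." port
            if (substr($4, length($4) - length(suffix) + 1) != suffix) next
            addr = substr($4, 1, length($4) - length(suffix))
            if (addr == "*" || addr == wan) w = 1; else l = 1
        }
        END { print (w ? "wan" : (l ? "local-only" : "closed")) }'
}

if [ $# -ge 2 ]; then
    netstat -anp tcp | listen_scope "$1" "$2"
else
    # 203.0.113.5 stands in for the WAN address (constructed).
    printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope 22 203.0.113.5
fi
```

A result of `wan` corresponds to the first case in the post, `local-only` to the case where forwarding to a local IP is needed.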

kc0mmy
Posts: 9
Joined: Tue Dec 22, 2015 1:13 am

Re: Troubleshooting NAT Internet Sharing

Post by kc0mmy » Wed Dec 30, 2015 1:04 pm

I kind of figured it had something to do with what side of the network that program was listening on. In my case, it IS listening on the WAN side and not the LAN side.

It's not critical that I have the application working, but I do like to have more than one way into the network. :) Otherwise I have everything working the way I need it to with only minor hiccups that I can deal with.

Thanks again for your help! :)

-Andre
