Yet another non-working NAT Internet Sharing - please help

Murus
redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Yet another non-working NAT Internet Sharing - please help

Post by redskate » Thu Apr 07, 2016 4:22 pm

Hi hany

I also need help regarding NAT internet sharing with Murus.
I have now spent 3 hours and I am stuck.

My setup
A basic router (not yet in bridge mode, with NAT to 192.168.) = en0
A Mac mini with Thunderbolt Ethernet = en4
An iMac connected to en4
With the OS X Firewall and Internet Sharing, internet is passed and everything runs properly.

Using Murus has not yet brought me success: all the non-internet services seem to run (like remote screen), but internet is not passed to en4.

I disabled the OS X Firewall and Internet Sharing and rebooted. Then I configured a static NAT for a client on 10.0.1.130 - I cannot figure out what the Router and the DNS Server for this connection should be. In your troubleshooting guide at http://murusfirewall.com/forum/viewtopic.php?t=215 you write (thank you) that the Router is the Murus LAN IP, i.e. (I think) the IP of the Mac mini on en0 (192.168.1.100). The static NAT configuration has one NAT group on en4, and this group includes a client 10.0.1.130 and “all services”. Since I want to work with a 10.0. subnet, I have configured the NAT for IPs in the range 10.0.1.1 - 1.0.1.255 - at least I tried to do so.

for Thunderbolt Ethernet (DHCP):
IP address: 10.0.1.2 (maybe irrelevant here)
Subnet mask here is 255.255.0.0

for iMac ethernet (the client) - Manual configuration
IP address: 10.0.1.130
Subnet Mask: 255.255.255.0
Router: 192.168.1.100 - taken from en0 LAN address

In Murus, “all services” are at least yellow, thus passing to the internal subnet.
What I get on the iMac is just Ethernet and Network Settings: no ISP, no Internet, no Server.

Since I think I have so far done everything as you described, I do not know what to do … in order to get the internet service working as well.

What do you suggest I do?

Regards
Fabio

hany
Posts: 474
Joined: Wed Dec 10, 2014 5:20 pm

Re: Yet another non-working NAT Internet Sharing - please help

Post by hany » Thu Apr 07, 2016 5:35 pm

> for iMac ethernet (the client) - Manual configuration
> IP address: 10.0.1.130
> Subnet Mask: 255.255.255.0
> Router: 192.168.1.100 - taken from en0 LAN address

This is for sure a mistake: IP address and router must be in the same network.
As far as I understand, the iMac is the 'client'. So it must have IP 10.0.1.130 and router 10.0.1.something (assuming you defined your LAN network using a 24-bit subnet mask).

The Mac mini running Murus NAT must have two interfaces belonging to two different networks: LAN and WAN. The interface connected to the iMac will have IP address 10.0.1.something (leave the DNS and router fields empty for this interface, as it is the LAN one). The interface connected to the router (the WAN) must have a 192.168.something address, to match the main router's network, and must be configured with a public DNS IP and your main router's IP.
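A quick way to catch the addressing mistake hany points out (client IP and router in different networks) before touching pf at all. This is an added example, not Murus code and not from the original posts; the addresses are the ones quoted in the thread, the netmask arithmetic is plain POSIX sh so it runs on the Mac mini or any other Unix, and it does not read or change any interface.

```shell
#!/bin/sh
# Added example (not Murus code): check that a host's IP address and its
# router lie in the same IPv4 network for a given netmask. The addresses used
# below are the ones quoted in the thread; nothing here touches pf or interfaces.

ip2int() {
    # Convert a dotted-quad IPv4 address to a decimal integer (POSIX sh only:
    # split on '.' via IFS, then shift the four octets into place).
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # Inverse of ip2int, used to print network addresses in readable form.
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

network_of() {
    # Usage: network_of IP NETMASK  -> prints the network address (IP AND mask).
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

same_subnet() {
    # Usage: same_subnet IP_A IP_B NETMASK
    # Exit status 0 when both addresses fall in the same network under NETMASK.
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

check_client() {
    # Usage: check_client CLIENT_IP NETMASK ROUTER_IP
    # Prints a verdict; returns 1 when the router is not reachable on-link,
    # which is exactly the case where the client can never leave its LAN.
    if same_subnet "$1" "$3" "$2"; then
        echo "OK: $1/$2 and router $3 are both in $(network_of "$1" "$2")"
    else
        echo "MISMATCH: client $1 is in $(network_of "$1" "$2") but router $3 is in $(network_of "$3" "$2")"
        echo "          the router must be an address on the NAT box's LAN interface network"
        return 1
    fi
}

# The iMac configuration from the first post (router copied from en0):
check_client 10.0.1.130 255.255.255.0 192.168.1.100 || true
# What hany recommends: a router on the 10.0.1.x LAN side. 10.0.1.2 is the
# en4 address quoted in the post, used here as the illustrative router value.
check_client 10.0.1.130 255.255.255.0 10.0.1.2
```

Run it as `sh check_client.sh`; the first call reports the mismatch from the original configuration, the second passes. The same function also flags a client that uses a different mask than the LAN interface (the post has 255.255.0.0 on en4 and 255.255.255.0 on the iMac), since the network it computes depends on the mask you pass.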

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Yet another non-working NAT Internet Sharing - please help

Post by redskate » Sat Apr 09, 2016 1:49 pm

Thank you hany

I will try to use the IP of the Murus en4 interface as the router ...

I still cannot figure out how to create a LAN NAT range like the AirPort Extreme does ...

Regards

Fabio

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Yet another non-working NAT Internet Sharing - please help

Post by redskate » Sat Apr 09, 2016 7:41 pm

Hello :)
Today's new experiment (not successful) - further hours of learning:

I installed El Capitan on my Mini and installed the OS X Server app.
I deactivated OS X Internet Sharing.
I uninstalled and reinstalled Murus.
Then I defined a default firewall configuration (novice, do not preserve) with Murus.
What Murus stored in PF is the following:
sudo pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
scrub-anchor "com.apple/*" all fragment reassemble
pass quick on awdl0 all no state
pass quick on p2p0 all no state
pass quick on utun0 all no state
pass quick on utun1 all no state
block drop in quick from <_blacklist> to any label "BlackList_IN"
block drop out quick from any to <_blacklist> label "BlackList_OUT"
block return in log quick from <_adservers> to any label "adservers_IN"
block return out log quick from any to <_adservers> label "adservers_OUT"
block drop in quick from <sshguard> to any label "SSHGuard"
block drop in log quick from <_threats> to any label "Threats_IN"
block drop out log quick from any to <_threats> label "Threats_OUT"
block drop in quick from no-route to any
block drop in quick from urpf-failed to any
anchor "com.apple.server-firewall/*" all
block drop inet all label "Block_V4"
block drop inet6 all label "Block_V6"
anchor "com.apple/*" all
pass proto icmp all keep state
pass in quick proto udp from any port = 5353 to any port = 5353 keep state allow-opts
pass out quick proto udp from any port = 5353 to any port = 5353 keep state allow-opts
pass out quick proto tcp from any port = 68 to any port = 67 flags S/SA keep state
pass out quick proto udp from any port = 68 to any port = 67 keep state
pass in quick proto tcp from any port = 67 to any port = 68 flags S/SA keep state
pass in quick proto udp from any port = 67 to any port = 68 keep state
pass quick inet6 proto udp from any to any port = 546 keep state
pass inet6 proto ipv6-icmp all icmp6-type echoreq keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type groupqry keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type grouprep keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type groupterm keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type routersol keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type routeradv keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type neighbradv keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type 143 keep state allow-opts
pass proto igmp all keep state allow-opts
pass quick inet from any to 224.0.0.0/4 flags S/SA keep state allow-opts
pass quick inet6 from any to ff00::/8 flags S/SA keep state allow-opts
anchor "murus.inbound" all label "Inbound"
anchor "murus.outbound" all label "Outbound"
anchor "murus.inspector" all label "Inspector"
anchor "murus.custom" all label "Custom_Rules"

I sincerely do not understand where the rules
pass quick inet from any to 224.0.0.0/4 flags S/SA keep state allow-opts
pass quick inet6 from any to ff00::/8 flags S/SA keep state allow-opts
come from ... they are in the murus.conf file!

(By the way - please - from where does Murus refresh these files? There must be a database or file system somewhere where Murus saves that data... Murus recovers it each time the "Start" button is pressed)

Why should someone pass anything to 224?
Is my Mini probably already "infected"?

The WAN is en0 and the LAN is en4. On en4 there is a group with one client at 10.0.1.120.
When I check Murus "Share Internet connection" and test the PF rules, an error is issued:
Problem with: nat on en0 from en4:network to any -> (en0)
Interestingly, when I swap the two interfaces, no conflict is generated (but it makes no sense to me from the GUI's point of view...).

So as you see, I am totally confused; nothing runs (still) ...

Summarizing what I need
1) defining a NAT connection on OS X on a range 10.0.1.0/24
2) defining a Murus NAT from en0 to en4 (Thunderbolt Ethernet).

Thanks for any (constructive) hint!

hany
Posts: 474
Joined: Wed Dec 10, 2014 5:20 pm

Re: Yet another non-working NAT Internet Sharing - please help

Post by hany » Sat Apr 09, 2016 9:41 pm

> I sincerely do not understand where the rules
> pass quick inet from any to 224.0.0.0/4 flags S/SA keep state allow-opts
> pass quick inet6 from any to ff00::/8 flags S/SA keep state allow-opts
> come from ... they are in the murus.conf file!

If you see a rule, then for sure it is in Murus files.
These specific rules are for multicast, see Murus preferences -> general
More info here https://en.wikipedia.org/wiki/Multicast_address

> (By the way - please - from where does Murus refresh these files? There must be a database or file system somewhere where Murus saves that data... Murus recovers it each time the "Start" button is pressed)

Every time you click PLAY, Murus re-creates all your pf configuration files and loads them at runtime. This is the way to "update" pf runtime rules. Rules are read from the files generated by Murus and saved in /etc/murus. Please see the manual for more.

> Why should someone pass anything to 224?

You can choose, just select the corresponding Murus option.
Passing multicast is a common practice.

> Is my Mini probably already "infected"?

No, believe me, you just have to read the manual :D :D :D
> The WAN is en0 and the LAN is en4. On en4 there is a group with one client at 10.0.1.120.
> When I check Murus "Share Internet connection" and test the PF rules, an error is issued:
>
> Problem with: nat on en0 from en4:network to any -> (en0)
>
> Interestingly, when I swap the two interfaces, no conflict is generated (but it makes no sense to me from the GUI's point of view...).
>
> So as you see, I am totally confused; nothing runs (still) ...
>
> Summarizing what I need
> 1) defining a NAT connection on OS X on a range 10.0.1.0/24
> 2) defining a Murus NAT from en0 to en4 (Thunderbolt Ethernet).

I'm sorry, this is not really clear to me. NAT can be very, very difficult to troubleshoot.
You should really start from a default configuration and implement NAT before modifying filtering rules.
This thread may help you:

http://murusfirewall.com/forum/viewtopic.php?f=2&t=215

Important: NEVER uninstall/reinstall Murus. It makes no sense and may create problems.
Choosing the "firewall" menu and "restore default configuration" is the right thing to do to reset Murus to factory defaults.
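For reference, this is the shape a hand-written pf ruleset takes for the topology in this thread (WAN on en0, LAN on en4, the same `nat on en0 from en4:network to any -> (en0)` rule redskate's error message quotes), together with the check a practitioner runs before loading anything: `pfctl -n`, a parse-only dry run that prints pf's own complaint when a rule is rejected. This is an added example, not the files Murus writes under /etc/murus and not from the original posts; the macro names, the two pass rules and the temp-file handling are my choices. It assumes macOS pf syntax (the OpenBSD 4.x style `nat` rule) and that IP forwarding is enabled separately, as noted in the script.

```shell
#!/bin/sh
# Added example (not Murus code): build a minimal pf NAT ruleset for the
# thread's topology and syntax-check it with pfctl -n without loading it.

nat_conf() {
    # Usage: nat_conf WAN_IF LAN_IF
    # Print a pf.conf fragment that shares WAN_IF's uplink with the LAN_IF network.
    # pf.conf sections must appear in this order: options, normalization,
    # queueing, translation (nat/rdr), filtering (pass/block). pfctl rejects a
    # nat rule that appears after a pass rule, so the nat line comes first.
    cat <<EOF
wan_if = "$1"
lan_if = "$2"

# Translation: rewrite the source address of LAN traffic leaving the WAN
# interface to whatever address the WAN interface currently holds; the
# parentheses make pf re-read that address when DHCP changes it.
nat on \$wan_if from \$lan_if:network to any -> (\$wan_if)

# Filtering: accept LAN clients on the LAN side and let the translated
# packets out on the WAN side. Replies are matched by the state entries.
pass in on \$lan_if from \$lan_if:network to any keep state
pass out on \$wan_if keep state
EOF
}

required_sysctl() {
    # The kernel must also forward packets between interfaces, otherwise the
    # nat rule never sees LAN traffic on the WAN side. Returns the setting
    # to apply with: sudo sysctl -w <value>
    echo "net.inet.ip.forwarding=1"
}

check_conf() {
    # Usage: check_conf WAN_IF LAN_IF
    # Dry-run parse of the generated fragment. Returns pfctl's exit status on a
    # host that has pfctl (macOS/BSD); elsewhere it only prints the fragment.
    tmp=$(mktemp) || return 1
    nat_conf "$1" "$2" > "$tmp"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$tmp"
        rc=$?
    else
        echo "pfctl not found; fragment not checked, printing it instead:" >&2
        cat "$tmp"
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# Thread layout: WAN on en0, LAN on en4. Parse only; nothing is loaded.
check_conf en0 en4
```

On macOS run it with `sudo sh nat_check.sh` if pfctl complains about opening /dev/pf; a clean `pfctl -n` run prints nothing. Loading the fragment for real (`pfctl -f`) is a separate, deliberate step, and without `net.inet.ip.forwarding=1` the rule set parses fine but no client traffic is ever forwarded, which is one reason a NAT setup can look correct and still pass nothing.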

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Yet another non-working NAT Internet Sharing - please help

Post by redskate » Sun Apr 10, 2016 8:49 am

Dear hany

first of all, thank you for all your individual answers at that late hour (for me; I do not know which time zone you live in).

Well ... I have the option to disable multicast (thanks, I could NOT infer the link from 224.0.0.0/4 to the Multicast option in the config!! - now I know this too ;) ). Please ADD IT TO SOME HELP on the configuration pane ...?

And yes, your nice troubleshooting guide http://murusfirewall.com/forum/viewtopic.php?f=2&t=215 - I know it by heart; I have already rebooted some ten times without any internet being passed to any NAT client. But I discovered that starting from a virgin configuration (inbound exclusive!!!!) does not produce (at least) that one inconsistency with the Murus NAT Internet Sharing "button".

I suppose I first have to figure out "HOW" to prepare the server for a NAT client IP range of 10.x.x.x before continuing with Murus + Internet Sharing...

Concerning my question on "where is the original rules information" - you did not really respond. I know that Murus renews those files in /etc/murus/* - my point was: from where? Murus must have some sort of internal database or internal file system from which it takes the rules in order to refresh /etc/murus/* .... that was my question.

Well, Murus was already useful for me - apart from all that NAT stuff ... - since I could put some computers under control (hopefully) and I already discovered a bunch of intrusions :) - Thank you Murus :)

I will read the documentation again - but my PF time is now nearly used up ...

Have a nice day
Regards
