Squeezing NAT Out of Panther Server
Subject:   NAT on Panther Server with PPPoE
Date:   2003-12-14 06:50:10
From:   anonymous2
Response to: NAT on Panther Server with PPPoE

Apple has detailed instructions in Appendix B of the "Getting Started With Mac OS X Server 10.3" Guide to set up a small business Panther server on a DSL internet connection with NAT. It involves using the built-in ethernet and ethernet on a PCI card. (For detailed description on this configuration and step-by-step instructions see the Appendix).
--Don't ask me for my config --it is exactly like the one described in Appendix B.

Unfortunately, NAT doesn't work with Panther Server Server when you are connected to the internet via PPoE.

So, in my case where I have a DSL connection with a fixed address but picked up via PPoE (I input the user id and password and my fixed address gets dynamically assigned to my computer) it was impossible to use NAT.
i.e. any computers on the local 192.168 addresses cannot access the internet.

After about 25 hours of trial and tribulation --and getting steered in the right direction by Dr. Ashley Aitken-- I have finally found the solution. It involves two small changes to Apple's instructions.

As Ashley intuited, the divert command that the GUI creates diverts traffic to the what Apple calls the External interface ("en0" if you are using the built-in Ethernet). The problem is that when PPoE is active the External interface is really "ppp0".

It is necessary to change this by editing the "natd.plist" file. And one must take care to NOT use the Server Admin to select an interface for NAT since this can change the setting back to "en0".

Here is what to do:

1) After installing the software and configuring the ports but before firing up the Server Admin (GUI) you need to edit the "natd.plist". You can use Terminal and Vi or Pico to do this but since I am mostly allergic to the Command Line interface I used BBEdit. You will need BBEdit 6.5 or higher to edit a hidden/invisible file.

2) Using BBEdit, use Open Hidden from the File Menu and navigate to "Macintosh HD/etc/nat/natd.plist". Look for the text:

Change "en0" to "ppp0" and save the file.

3) If there is already a file in the "nat" folder called "natd.plist.default" you should open it too and make the same change.

4) Now fire up Server Admin and make the step by step config changes to start FireWall, DNS, DHCP and NAT.

NB. When you start NAT you will probably notice that the interface that it is sharing is the "en1" PCI Ethernet card which you are using for internal network 192.168.*.*
This is counter intuitive to say the least because you really want to share the external interface.

**Nevertheless, resist the urge to change this back. DON'T click that NAT interface pop-up!**

Just turn on NAT and it should be working even though it says it is sharing the wrong interface and it will survive a restart as long as you don't play with the NAT interface Pop-up menu in the Server Admin.

To check that the settings are correct you can go into the FireWall -> Overview and in Active Rules the first line should have:
"divert 8668 ip from any to any via ppp0"

What is going on?

Here is what I think happens. When you fire up NAT for the first time the interface pop-up defaults to the last item on the list "en1".
If you change this it will cause the file "" to set the interface to "en0" and your NAT will stop working.

When NAT starts up I think it is reading the natd.plist.default (which you have modified to have "ppp0") then, if you have touched the GUI at all it will read a file called "" (which the GUI creates and modifies whenever you make changes in Server Admin) to create the file "natd.plist" which NAT uses when starting up.


If you do mess with the NAT interface in Server Admin and NAT stops working, you can probably get NAT to work again by making sure the files "natd.plist" and "natd.plist.default" use "ppp0" as per above. Then make a small change to FireWall general rules and save it --such as enabling or disabling the Finger Port 79.
Saving can take a long time so wait for the gear to stop spinning and then Stop the FireWall and Restart it. NAT should be working again. (You may need to restart the computer).

The exact sequence of events here is something I don't exactly understand so just don't ever touch that NAT interface pop-up menu.

Good luck.


Alex Narvey

1 to 2 of 2
  1. NAT on Panther Server with PPPoE
    2005-10-12 03:39:18  MikeHKG [View]

  2. NAT on Panther Server with PPPoE
    2004-01-14 09:32:39  anonymous2 [View]

    • NAT on Panther Server with PPPoE
      2005-04-29 23:12:07  brandonarbini [View]

      • NAT on Panther Server with PPPoE
        2007-03-10 18:13:19  kornnutt73 [View]

      • NAT on Panther Server with PPPoE
        2007-03-10 18:12:43  kornnutt73 [View]

1 to 2 of 2