Getting Appleshare IP to work over a PPPoE connection

On Mac OS X, if you go to Network settings and you have a PPPoE connection to the outside world, you will see that you are not allowed to turn on Appletalk for that particular interface (which we call the external interface). You have to create another interface (the internal interface) and then activate Appletalk on that new interface. If you try to connect to your external interface via Appleshare, this will fail because by default the outside connection does not communicate with the internal interface. This document explains how to make it do so.

Overview

Note: 10.0.x uses pppoe0 for DSL modem connections whereas 10.1.x uses ppp0. This document will eventually be updated, but it was written for 10.0.x: change every pppoe0 below to ppp0 on 10.1.x. If you have improvements, comments, etc., let me know at dccote@novajo.ca

Get your PPPoE connection to work

You have to do this yourself. It simply means you have to enter your user identification in the Network control panel.

Configure an internal interface

I put the instructions on a separate page. Read it then come back to this page and read on.

Configure the Network translator services

This is the step where you configure the Network Address Translator services (natd or NAT) to forward connections to the internal interface when they come to the outside interface pppoe0. There is a graphical utility called gNAT that can do similar things but I have not used it.

First, get the files necessary for /Library/StartupItems/ here and save them in your home directory.

Open a terminal and type:

cp ~/NAT.tar /Library/StartupItems/
cd /Library/StartupItems/
tar xvf NAT.tar
rm NAT.tar

This installs the files you need to start natd when you reboot, as well as some configuration files. It does not always start though, and I don't know why. If it does not, start it manually. The natd.conf file (which should probably be kept in /usr/local/etc/ but is in /Library/StartupItems/NAT/) contains the following:

natd.conf:

dynamic yes
interface pppoe0
redirect_port tcp 192.168.0.1:548 548

which tells natd that the address is dynamic and will change from time to time, that your outside interface (the one connected to the outside world) is pppoe0, and finally, the real meat, the last line: every AppleShare connection attempt to port 548 on the outside interface will be forwarded to your internal interface 192.168.0.1 (which you configured above) on the same port 548. natd takes care of everything else needed to make this happen.

One last thing: you need to enable forwarding so that natd can do its job, so in a terminal, do the following to activate it now:

Enable forwarding:

sudo /usr/sbin/sysctl -w net.inet.ip.forwarding=1

and modify the config file hostconfig so that next time you reboot, it is already activated:

Enable forwarding in /etc/hostconfig:

sudo pico /etc/hostconfig
[...]
IPFORWARDING=-YES-

Change the line IPFORWARDING=-NO- to IPFORWARDING=-YES-, then type control-X to save your work.

Configure the firewall

Now comes the part that can be done quickly and wrong, or slowly and right. Pick yours.

(1) The unsafe way

You have to configure the firewall even if it is doing very little: NAT requires the firewall to be running to divert the packets. It does not have to do anything complicated if you don't care about security. If you don't care, go to the terminal and uncomment the lines in /Library/StartupItems/NAT by using pico:

Uncomment this in /Library/StartupItems/NAT for a quick and dirty, and very unsafe, solution:

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via pppoe0
/sbin/ipfw add pass all from any to any

That will get you going. However, your computer is wide open to anybody who might want to sneak in.

(2) The better way

If you do care about security though, you should set up your firewall properly with good rules. Follow the instructions and come back here. Make sure that:

Both setups do the same essential work: anything that goes through the outside interface is analyzed by natd before it is reinjected into the firewall ruleset, where filtering continues with the rules that follow the divert rule. The quick and dirty solution just takes everything that comes in and out, translates it if necessary and moves on. The more complicated but much safer solution analyzes the packet before translating it (to reject spoofing attempts), then translates it and, if it is allowed, lets it through. The key here is that after the divert rule in the firewall, the filtering does not start all over again from rule one but goes on from where it left off (that is, right after the divert rule).
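To make the ordering described above concrete, here is an added example (not from the original page or its NAT startup files) that generates an ipfw ruleset in that order: anti-spoofing checks first, then the natd divert, then only the AppleShare port is accepted on the translated packet. It assumes the page's setup: outside interface pppoe0 (ppp0 on 10.1.x), internal interface 192.168.0.1, natd on its default divert port.

```shell
#!/bin/sh
# Added example, not the page's own NAT script.  Prints ipfw commands in
# the "better way" order; pipe them to "sudo sh" to apply.
#   build_ruleset pppoe0 192.168.0.1            (review the rules)
#   build_ruleset pppoe0 192.168.0.1 | sudo sh  (apply them)
build_ruleset() {
    ext_if="$1"     # assumed outside interface, e.g. pppoe0 or ppp0
    int_addr="$2"   # assumed internal interface address natd redirects to
    ipfw=/sbin/ipfw

    echo "$ipfw -f flush"

    # 1. Anti-spoofing, evaluated BEFORE translation: a packet arriving
    #    from the outside must never carry a private or loopback source.
    echo "$ipfw add 100 deny log ip from 10.0.0.0/8 to any in via $ext_if"
    echo "$ipfw add 110 deny log ip from 172.16.0.0/12 to any in via $ext_if"
    echo "$ipfw add 120 deny log ip from 192.168.0.0/16 to any in via $ext_if"
    echo "$ipfw add 130 deny log ip from 127.0.0.0/8 to any in via $ext_if"

    # 2. Everything else on the outside interface goes to natd.  Filtering
    #    resumes at the next rule with the translated addresses, so the
    #    inbound AFP packet now has $int_addr as its destination.
    echo "$ipfw add 200 divert natd ip from any to any via $ext_if"

    # 3. Inbound: only new AppleShare (TCP 548) connections to the internal
    #    interface are accepted.  "setup" matches only the SYN that opens
    #    the connection.
    echo "$ipfw add 300 allow tcp from any to $int_addr 548 in via $ext_if setup"

    # 4. Replies to connections this machine opened itself (web, mail, ...)
    #    and DNS answers to its own queries.
    echo "$ipfw add 310 allow tcp from any to any in via $ext_if established"
    echo "$ipfw add 320 allow udp from any 53 to any in via $ext_if"

    # 5. Anything leaving through the outside interface, and all loopback
    #    traffic, is allowed.
    echo "$ipfw add 400 allow ip from any to any out via $ext_if"
    echo "$ipfw add 410 allow ip from any to any via lo0"

    # 6. Whatever was not explicitly allowed above is logged and dropped.
    echo "$ipfw add 65000 deny log ip from any to any"
}
```

Run it without the pipe first and read the output; the divert rule (200) must appear after the deny rules and before the AFP allow rule (300), or the translated packet is never checked.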

Starting everything

Starting it up

sudo /usr/sbin/sysctl -w net.inet.ip.forwarding=1
sudo /usr/sbin/sysctl -w net.inet.ip.fw.verbose=1
sudo /Library/StartupItems/NAT/NAT

If you have used option (1) for the firewall and have uncommented the lines mentioned above in /Library/StartupItems/NAT, then you are done, because natd started the firewall for you. If you used the instructions (2) from this page for the firewall, then simply disconnect and connect again using the Internet Connect application. If you have a static IP address and also used the instructions (2) from this page, then type:

Starting the firewall

sudo /Library/StartupItems/Firewall/Firewall

Next time you reboot, it will start automatically and you will not have to start it manually.

Connecting

From anywhere on the Internet, you can now connect to your computer using the Chooser or the Connect To Server... menu. You need to know your IP address though. I personally use www.dyndns.org with software from Julien Jalon.

Troubleshooting

Things might not work the first time because my instructions might not be as clear as I would like them to be. Here is a list of things you want to double-check, in no particular order: