Bridge or NAT and DHCP

Hi everyone, my network setup at home is the following:
-Fiber-->router provided by the service provider-->Airport Extreme
To the Airport Extreme I have attached a NAS, the Apple TV and my Hi-Fi system, and the Airport provides wireless connectivity to the home devices (iMac, 2 iPads and an iPhone).
I am linking my MacBook Pro to the router provided by the Service Provider as I need a gigabit ethernet connection to the NAS for working with heavy photography files, and this is a must for me. Also I need the NAS to be accessible from the devices attached to the Airport.
Case 1) I have observed that if I set up the Airport as NAT&DHCP I cannot see the NAS from the MacBook Pro (attached to the Service Provider router), and the speed of the wireless devices connected to the Airport is medium.
Case 2) If I set up the Airport as Bridge, I can see the NAS from the MacBook Pro (attached to the Service Provider router, but this is related to the fact that in this case the Airport is working as a switch), and the speed of the wireless devices connected to the Airport is quite a bit higher than in the previous case. The flip side is that with this setup not all my devices work, as the Service Provider does not let me connect as many devices as I want. So I'd need the Airport to be a router.
Any hint on how I should set up the network?
thanks a lot

So, I have a Motorola modem from Time Warner that they set to Bridge Mode.
This is plugged into an Airport Extreme that's set to DHCP and NAT. It's also got a 5GHz option enabled.
Also on the network, there is a Timecapsule that's set to extend the wireless network.
We have 2 iPhones, 5 iPads, 2 MacBooks and 2 iMacs right now.
Wireless access gets a bit wonky from some of the devices with access to the internet being spotty.
Are there too many devices on this setup? Is there a way to make access more predictable and stable?
Any ideas?

Similar Messages

  • I want to use Back to my mac. When I try to turn it on, it says "Back to My Mac may be slow because more than one device on your network is providing network services.   Turn off NAT and DHCP on one of the devices and try again." How do I fix this?

    Not sure if I am doing this right. This is my first time in the support community.
    I imagine what I put in my heading was supposed to go in here.
    I want to use Back to my mac. When I try to turn it on, it says "Back to my mac may be slow because more than one device on your network is providing network services. Turn off NAT and DHCP on one of the devices and try again. See the documentation that came with your device for information about turning off network services"
    Does anyone know how I do this? I contacted my ISP (Telus in Canada) and they did not know anything (not that they usually do).

    Why do ISPs insist upon making things so difficult for their customers?
    If you cannot get them to understand that you would prefer to use your own router over their piece of cheap junk, perhaps the information in the following will be useful:
    http://keithbalomben.wordpress.com/2012/03/29/telus-actiontec-v1000h-hacks-and-information/
    Scroll down to DHCP Settings
    You will need to log in with proper "technician" credentials. They are provided in the above link as
    Username: tech
    Password: t3lu5tv
    ... but these may or may not work. Try it, and if you cannot get anywhere at least now you know what to ask Telus to do in return for your business.

  • DNS required for NAT and DHCP services?

    I have a 10.6.2 server with a static IP, domain name, working as a gateway (I have my reasons) as well as providing some services inside and outside. My ISP has a PTR setup so the domain points to the static IP.
    My question is, do I need the DNS service running on the server? Based on some of the docs it tells me to put my ISP's DNS servers in both of my server's ethernet port settings, as well as in the DHCP profile to give out to clients on the network. When I do this, clients cannot resolve names. I can ping IPs from the client, I can even ping my ISP's DNS servers from clients, but I can't resolve names. When I try to dig anything it just hangs there with a blinking cursor.
    When I have the DNS service running it's all happy. The only thing is, clients on the LAN experience some serious lag when accessing services on the server, UNLESS I configure the DNS for my domain on the server with both internal and external IP addresses. Is that how it is supposed to be?

    In the server zone files, the dedicated IP address should point to the machine name, as in name.someserver.com. The local IP address should point to name.local. If you have more than one domain name, the zone files should show their network IP address, not the dedicated IP address, which should only point to the machine name.
    As a side note, I strongly advise against connecting a server directly to the Internet. It should be behind a router with DMZ/NAT/firewall capabilities. By the time you realize why, it will be too late.

  • Using modem Sagem f@st 3464 (Scarlet One : vdsl   tv   VoIP   wi-fi) : impossible to create a new Wi-Fi network (2.4 or 5 GHz) ? Conflict with DHCP / NAT and so on. No answer from the Apple help desk, Air Port Utility 6.1 unusable (configuration = Win 7)

    Good afternoon,
    My internet connection is delivered by a Sagem f@st 3464 modem (Scarlet One : vdsl   tv   VoIP   wi-fi); it's almost the same as a BBox-2 from Belgacom (software and configuration).
    This modem has 4 ethernet ports, 2 for TV, 2 for LAN; the WAN port is RJ-11 and the connection is PPPoE (in fact, it's the Belgacom network). I also have 802.11g Wi-Fi on it.
    The main reason why I bought a TC is the dual Wi-Fi 2.4 GHz and 5 GHz (for 802.11n), especially for my MacBook Pro and my iPad 3.
    First of all, can I do the following with my TC :
    1) connect the TC using an ethernet cable from one of the two modem's LAN ports to the TC's WAN port
    2) create a new Wi-Fi network using the TC ?
    Up to now, after 2 man days of configuration, my TC is connected to my existing LAN network, as a bridge, but there is no new Wi-Fi network.
    The Airport Utility 6.1 "Wizard" is just un-usable and I need to use a Win 7 laptop in order to get access to all the configuration !
    The standard manual is very poor.
    Has someone already created a new Wi-Fi network using their TC connected by Ethernet to a modem/router device ? How do you set up the DHCP (and NAT) ? Which range did you use ?
    Sincerely yours,
    AVDB

    1) connect the TC using an ethernet cable from one of the two modem's LAN ports to the TC's WAN port
    2) create a new Wi-Fi network using the TC ?
    Has someone already created a new Wi-Fi network using their TC connected by Ethernet to a modem/router device ? How do you set up the DHCP (and NAT) ? Which range did you use ?
    This is easy enough to do..
    Plug the TC directly into a computer.. without other connections to do the setup.
    Using the newly installed 5.6 utility.
    Bridge the TC.
    Create a wireless network.
    This is an older screen shot and I would set security to WPA2 Personal only not WPA/WPA2 Personal as shown above.
    I do recommend you use wireless names that are short, no spaces, pure alphanumeric.
    Update the TC..
    Now plug it into the modem router.. it will be a part of the network without doing NAT and DHCP itself.. which you do not want.. that leads to double NAT issues.. but it is a WAP that provides access to devices on both 2.4 GHz and 5 GHz bands directly to the main router.

  • Airport Extreme best practice configuration for Sleep Proxy, DHCP/NAT and PPPOE

    Hi
    I have recently bought an AirPort Extreme and it is working well.  One of the reasons I bought it is to take advantage of the Bonjour Sleep Proxy on it so I can wake my Mac up remotely from my iPad using the Remote app to stream things like iTunes etc...  I followed the set up instructions and basically let it configure itself.  I have an ISP router / modem which currently is providing DHCP services, NAT and PPPoE.
    The Airport detected all of this and set itself up as bridge only.  The speed of the network out to the internet is fine (more or less what it was before).  However, in doing a bit of research, I have found out that if I want the Airport to act as a sleep proxy, I need it to "host" the network.  I am not an expert in networking but from what I understand I need the Airport to be moved from "Bridge Only" to at least be providing DHCP to my internal network clients.
    This has prompted me to ask what is "Best practice" when it comes to configuring the Airport given I want to have Sleep Proxy enabled.  I think the two options I have are as follows but would really welcome feedback on which is the best option to go for or if there are other options I should be thinking of
    (1)  Have the Airport perform DHCP for my internal clients and leave the ISP router/modem doing NAT
    (2)  Have the Airport perform DHCP and NAT.  I think to do this I need to turn the ISP router / modem into Bridge mode only.  (I've looked and I seem to have this option on the device.  It's an Irish ISP branded device but I think it is a Zyxel)
    I have no reason to believe the ISP router / model is doing a bad job but given I understand the Airport Extreme is a reasonably high-end device (I think?) I am wondering if option 2 is the way to go.
    In addition, during my research, I have also discovered that many people seem to have their Airport Extreme also handle PPPoE.  This is currently being done by my ISP router/modem.  I am inclined to leave it this way (following the mantra if it isn't broken, don't fix it) but if there was a good reason to have the AirPort do this, perhaps I should make the switch?  Having said this, I have seen on this forum and others some posts about problems with Internet connection drops when the Airport is handling PPPoE.
    So, a bit of a long post, but if anyone has any information or perspective on this, I'd very much appreciate it. 
    Thanks
    Dave

    I forgot to thank you, John Galt. Yep, it solved my problem by restoring the original firmware, 7.6.1. My unit is an Airport Extreme 2012. I am still using double NAT because I cannot figure out how to set DHCP only in the Network tab.
    My goal is to use the Airport Extreme to connect to the internet and to share the internet with all my devices in the house, just like my previous access points. Before, I used the AP+router Linksy$ WRT54G and D-l!nk DIR-655 without activating NAT to share my internet connection and they worked.
    My problem is that when I set it to DHCP in the Internet tab and DHCP in the Network tab in Airport Utility in order to solve the double NAT situation, only one of all my devices (wired or wireless) can connect to the internet. Each time I connect another device to the internet my subscriber will verify my subscription (web browser based verification), in which I have to manually enter my account number, etc. to validate my subscription.
    So I stick to double NAT so that I can share the internet.
    Our broadband provider uses DHCP to link us to the internet. If I change the settings to Static in the Internet tab, my broadband provider will not let me connect to the internet. In Airport Utility, if I set it to Static in the Internet tab in order to solve the double NAT, a message box appears informing me that I have an invalid beginning IP address in the DHCP range in the Network tab, when it appears that only the last 3 digits of the DHCP range are editable.
    Is there any way of configuring Airport Utility's Internet tab to DHCP and Network tab to DHCP to connect to the internet with all my devices without the double NAT and without the aid of another device such as an AP or router or switch connected to the Airport or vice versa?

  • Bridge or Nat mode with guest networks

    Hi,
    I have my new TC configured in NAT and DHCP mode because that is the only way that I can have the guest network working and also because I can correctly use the Back to My Mac feature. But I have the "double NAT" warning in my TC (I have a router from my ISP on which I turned off only the wireless service). What do you suggest? Ignore the warning, or is there any way that I can put the TC in bridge mode and have the guest network and Back to My Mac working?
    Thanks

    While Double NAT is not desirable on a network, as you have discovered it is the only way for you to enable the Guest Network function and possibly other functions that you might need with your current modem/router.
    Ideally, you would have a simple modem....not a modem/router.....which would allow the Time Capsule to be configured to provide DHCP and NAT services without producing the Double NAT error.
    If the Double NAT is not producing any ill effects......normally Internet browsing will slow a bit and you may not be able to access some websites among other things......then there is an option in AirPort Utility to "ignore" the error and the TC will display a green light.

  • Ethernet-connected Devices and DHCP

    Hi!
    I have an ethernet-connected device (http://www.avid.com/US/products/artist-mix) which I'm having some issues with. I currently have it plugged into the primary ethernet port on my Mac Pro, with the LAN connected to the secondary ethernet port.
    Some suggestions have been to assign a static IP to the device to avoid conflicts. Which leads me to my question:
    If the device is connected via ethernet to my Mac, is it assigned an IP address via DHCP like a device connected directly to the LAN does? Or would it remain separate from the network? If connecting it to my Mac does indeed attach it to the network via DHCP, then I will get on assigning a static IP for it.
    I realise this isn't really a Mac Pro based question, but I know there are people in this forum who can help me.
    Many thanks for any help in advance,
    Steve

    So I have the modem/router in DHCP/NAT mode, and Airport Extreme in Bridged mode.
    This would be the simplest, correct way to configure your network.
    Unless you need some special feature from the AirPort Extreme....that would require that the AirPort Extreme handle DHCP and NAT service.....like the Guest Network feature......then it would probably be best to keep things simple and leave them "as is" on your network.
    Either the modem needs to be in Bridge Mode and the AirPort Extreme handles DHCP and NAT.....or.....the modem/router handles DHCP and NAT and the AirPort Extreme is setup in Bridge Mode.
    It does not really matter which device handles DHCP and NAT as long as your feature requirements are being met on the network.
    Personally, I strongly prefer to use a simple modem....not a modem/router....and another separate router to control the network. But, your ISP may not offer that option.

  • No errors with NAT or DHCP, but can't ping server or access internet

    2 weeks ago my Xserve was positioned directly behind a modem and acted as the router to my small office - supplying DHCP, NAT, etc. Then, the Xserve lost its connection to the internet. The Xserve was unable to pull an address from the modem (via DHCP) and troubleshooting the issue with my ISP resulted in getting my modem swapped.
    My Xserve is still unable to pull an address via DHCP directly from the modem. So, I called apple support. The tech I spoke to was extremely helpful and instructed me to place the Xserve behind a router so it could use a static ip - without having to pay my ISP for one. So, I did as he instructed.
    Regardless, since my Xserve originally lost connection to the internet I have been unable to get my Xserve to supply NAT to my internal network successfully. DHCP is working fine, the firewall isn't logging any refusals, NAT isn't returning errors. All internal network functions work, I just can't access the internet from any machine other than the server.
    Here is the network port breakdown:
    Ethernet 1 (wan)
    ip: 192.168.1.2
    sub: 255.255.255.0
    router: 192.168.1.1 (router supplying static ip)
    dns: 208.67.222.222,208.67.220.220 (opendns)
    Ethernet 2 (lan)
    ip: 192.168.1.3
    sub: 255.255.255.0
    router: 192.168.1.3
    DHCP settings:
    start ip: 192.168.1.4
    end ip: 192.168.1.254
    sub: 255.255.255.0
    interface: en1
    router: 192.168.1.3
    Firewall:
    Allow all traffic from "any"
    NAT:
    IP Forwarding and Network Address Translation
    External network interface: Ethernet 1
    NAT Port Mapping Protocol enabled.
    Other notes: I can see the Xserve from any device on the network (in Finder running OS X) but I cannot ping it via the router's ip. (example: ping 192.168.1.3) 100% packet loss.
    The Xserve does have access to the internet.
    The Xserve leases an ip to the devices on the network, but cannot ping them using their leased ip address.
    Initially, I was receiving the following error:
    "xserve subnets: create failed, Invalid/missing 'net_address' property"
    So I modified bootpd.plist by adding:
    <key>net_address</key>
    <string>192.168.1.0</string>
    I no longer receive the error and DHCP works properly.
    Any help is thoroughly appreciated as this issue has set me back over a week in troubleshooting.

    Thanks again.
    I'll try to be more clear about my current setup:
    Modem
    ->
    Router
    DHCP enabled but supplying the server with a static IP of 192.168.1.2 - hence my Ethernet 1 settings on my Xserve. The DHCP addresses the router supplies to other devices range between 192.168.1.101 - 192.168.1.150 (this is temporary). I'm using the Router as a temporary network connection for devices as I continue to set up the server. Once the server is completed, I will hook everyone up through the switch.
    ->
    Xserve
    The Xserve receives a static IP from the router above (192.168.1.2) even though the router gives DHCP addresses to other devices. The Xserve then goes out Ethernet 2 (which has also been assigned a static internal address, 192.168.1.3) to a switch.
    ->
    Switch
    The Switch definitely has DHCP disabled, and merely extends the network connection.
    Right now, the Xserve is doing nothing other than attempting to supply an internet connection to devices attached to it. I performed a clean install after a day or two of troubleshooting.
    I really want to be able to control content access as well as give certain devices priority over others using the Xserve. I want it to control... the network, in all aspects: DNS, Open Directory (Master), Firewall etc. Am I still able to control the network with the Xserve if it is hooked up side by side to the clients without reconfiguring my router to hop through the Xserve before going to the internet? If not, why not just use the Xserve as a middle man as I currently do?
    What are the benefits of using it side by side to the clients? What are the drawbacks of my current setup? (Other than it not functioning)
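The port breakdown above puts both Ethernet 1 (192.168.1.2) and Ethernet 2 (192.168.1.3) in 192.168.1.0/24, and the upstream router's DHCP scope (192.168.1.101-150) sits inside the Xserve's own scope (192.168.1.4-254). As an added check, not code from the thread, the Python below (using only the addresses listed in the post) flags both overlaps: a NAT gateway needs distinct inside and outside networks, and only one server should lease any given range.

```python
import ipaddress

# Interface table as given in the post: Ethernet 1 = WAN side, Ethernet 2 = LAN side.
XSERVE_INTERFACES = {
    "Ethernet 1 (wan)": ("192.168.1.2", "255.255.255.0"),
    "Ethernet 2 (lan)": ("192.168.1.3", "255.255.255.0"),
}

# DHCP scopes in play: the Xserve's own range and the upstream router's temporary range.
DHCP_POOLS = {
    "xserve en1": ("192.168.1.4", "192.168.1.254"),
    "upstream router": ("192.168.1.101", "192.168.1.150"),
}


def subnet_of(ip, mask):
    """Network containing ip/mask, e.g. 192.168.1.2 / 255.255.255.0 -> 192.168.1.0/24."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def overlapping_interfaces(interfaces):
    """Pairs of interface names whose subnets overlap. A NAT gateway must report none."""
    nets = {name: subnet_of(ip, mask) for name, (ip, mask) in interfaces.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def overlapping_pools(pools):
    """Pairs of DHCP scope names whose lease ranges intersect (two servers leasing one space)."""
    spans = {name: (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
             for name, (lo, hi) in pools.items()}
    names = list(spans)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]]


def audit(interfaces, pools):
    """Human-readable findings; an empty list means the layout can support NAT + DHCP."""
    findings = []
    for a, b in overlapping_interfaces(interfaces):
        findings.append(f"{a} and {b} are on overlapping subnets; NAT needs separate networks")
    for a, b in overlapping_pools(pools):
        findings.append(f"DHCP scopes '{a}' and '{b}' overlap; clients may get duplicate leases")
    return findings


if __name__ == "__main__":
    for line in audit(XSERVE_INTERFACES, DHCP_POOLS):
        print(line)
```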

  • What are the endpoints attributes collected by NAC Profiler through SNMP and DHCP?

    Hi Everyone,
    Please help on this.
    I want to know what endpoint attributes are collected by NAC Profiler to discover and profile the endpoints through the SNMP protocol and the DHCP protocol.
    Also, if anybody can explain a simple use case on this.
    Please guide me on this.
    Thanks in advance.
    Thanks,
    Abuzar.

    Hi,
    SNMP
    =====
    NetMap queries network devices via SNMP for:
    System information
    Interface information
    Bridge information
    802.1X information (PAE MIB)
    Routing/IP information
    CDP MIB Information
    This information is used to build and maintain a model of the network topology and endpoint discovery.
    NetMap uses SNMP Get, GetNext and GetBulk (when available) requests to query the SNMP agents running on the network infrastructure devices to gather specific Management Information Base (MIB) objects about their status based on device type (Layer 2 or Layer 3).
    In addition to polling each network device for all MIB data at a regular interval, NetMap may also be commanded to poll port-specific information when the NAC Profiler system is notified that an endpoint has joined or left the network via SNMP traps sent by devices at the network edge, switches typically.
    Upon receipt and verification of a link state (link up, link down) or MAC notification trap, NetTrap will notify the NAC Profiler Server that a change has occurred on the network edge (endpoint joined or left a network port). If the trapping device is in the NAC Profiler configuration, the NetMap component module assigned to poll the device that sent the trap will be commanded by the Server module to initiate a poll of the device's port information to determine the change to the endpoint topology that resulted in the trap being sent by the network device.
    The information gathered by NetMap is processed by the Server accordingly to update the network topology, noting the endpoint joining or leaving a port. Note that NetMap SNMP polling of network devices resulting from a trap is localized to the port specified in the trap. This is unlike the regular polling that occurs at the frequency specified for each device type (L2 and L3), which gathers all SNMP information from the device used by the NAC Profiler system.
    DHCP:
    =====
    The NetWatch module listens for traffic, including DHCP traffic.
    The module will collect all the DHCP information from the traffic collected, like MAC address, IP address, DHCP Vendor Class Identifier in the DHCP request, host name in the DHCP request, requested options in the DHCP request (option 55) and the full list of DHCP options supported by the DHCP client as specified in the DHCP request.
    All the endpoint data can then be used to map endpoints to profiles.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
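The NetWatch description above lists the DHCP fields a profiler keys on: client MAC, IP address, host name (option 12), vendor class identifier (option 60), the parameter request list (option 55) and the set of options the client sent. As an added example, not code from NAC Profiler or from the post, the Python below builds a constructed DHCP REQUEST and extracts exactly those attributes from it; the "dhcp_fingerprint" string (option 55 codes joined by commas) and the other field names are my own choices.

```python
import struct

# RFC 2131 layout: 236-byte fixed header, 4-byte magic cookie, then TLV options
# ending with code 255. Offsets used below: hlen at 2, ciaddr at 12, chaddr at 28.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE", 8: "INFORM"}


def build_dhcp_request(mac, hostname, vendor_class, param_list, requested_ip):
    """Assemble a minimal client DHCP REQUEST. This is a constructed sample, not a capture."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, len(mac), 0,                       # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x3903F326, 0, 0x8000,                   # xid, secs, flags (broadcast bit set)
        bytes(4), bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr, giaddr (all unset)
        mac.ljust(16, b"\0"), bytes(64), bytes(128),
    )
    options = b"".join([
        bytes([53, 1, 3]),                                 # 53: message type = REQUEST
        bytes([50, 4]) + bytes(requested_ip),              # 50: requested IP address
        bytes([12, len(hostname)]) + hostname,             # 12: host name
        bytes([60, len(vendor_class)]) + vendor_class,     # 60: vendor class identifier
        bytes([55, len(param_list)]) + bytes(param_list),  # 55: parameter request list
        b"\x00\x00",                                       # pad bytes a parser must skip
        b"\xff",                                           # end of options
    ])
    return header + MAGIC_COOKIE + options


def parse_dhcp_options(payload):
    """Walk the TLV option field into {code: raw_value}; skips pad (0), stops at end (255).

    Truncated options and a missing end marker raise ValueError instead of being
    silently accepted, so a malformed or cut-off packet cannot produce a partial profile.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:
            return options
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError(f"option {code} truncated")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        # A long option may be split across repeated instances of the same code; concatenate.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    raise ValueError("option field has no end marker")


def profile_endpoint(payload):
    """Pull out the attributes the passage lists, as a plain dict a profiler could match on."""
    hlen = payload[2]
    mac = payload[28 : 28 + hlen]
    ciaddr = payload[12:16]
    options = parse_dhcp_options(payload)
    ip_bytes = options.get(50, ciaddr)  # option 50 for DISCOVER/REQUEST, else ciaddr
    param_list = list(options.get(55, b""))
    return {
        "message_type": MESSAGE_TYPES.get(options.get(53, b"\0")[0], "UNKNOWN"),
        "mac": ":".join(f"{b:02x}" for b in mac),
        "ip": ".".join(str(b) for b in ip_bytes) if any(ip_bytes) else None,
        "hostname": options.get(12, b"").decode("ascii", "replace") or None,
        "vendor_class": options.get(60, b"").decode("ascii", "replace") or None,
        "param_request_list": param_list,
        "dhcp_fingerprint": ",".join(str(c) for c in param_list),
        "options_present": sorted(options),
    }


if __name__ == "__main__":
    # Constructed sample client; the vendor class and host name are made up.
    sample = build_dhcp_request(bytes.fromhex("001122aabbcc"), b"imac-office", b"MSFT 5.0",
                                [1, 3, 6, 15, 119, 252], (192, 168, 1, 23))
    for key, value in profile_endpoint(sample).items():
        print(f"{key:20} {value}")
```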

  • WET200 and DHCP

    Hi there,
    I noticed a few discussions about Cisco wireless bridges not being able to pass DHCP requests from clients.
    In my case I have a WET200 successfully associated with a Deliberant DLB2700 access point. When client computers are configured with static IP addresses they can browse the network, connect to e-mail etc. The problem starts when a computer tries to obtain its IP address via DHCP while connected to the wireless bridge. It simply doesn't work.
    Is there a newer firmware or a secret setting that will allow me to make it work? I have quite a few of these WET200 units ...
    Thanks in advance for any suggestions.

    Hi Mr 2,
    Please check the following link;
    1.  http://support.deliberant.com/forums/p/1069/4889.aspx#4889  does this sound familiar?
    But my thoughts are, at this stage, it sure looks like there is a question hanging over the Deliberant model number you mentioned, at least that's what the Deliberant forum might be suggesting.
    2. But does a WET200 in place of the Deliberant result in DHCP requests being dropped?
    (Since you have multiple WET200s, it would be interesting to pursue this approach for diagnostic reasons and to confirm this in your mind.)
    But, if you can't do step 2 above, and are adventurous, maybe you can capture the DHCP server interaction.
    I'm guessing your network may look like the following, excuse the rough network diagram;
    PC---WET200~~~~~~~~~deliberant-------managed switch------------router
                                   |               |                  |
                                  HUB         mirror port             |------DHCP Server
    Beg borrow or steal a 'HUB' and they are hard to find these days, NOT a switch.
    Or as an alternative, if connected to a managed switch, mirror the Ethernet switch port that leads to  the deliberant AP to a PC running ethereal.
    Using ethereal or a similar application, just check out the state of ARP and DHCP packets that pass in and out of the switch port that is connected to the Deliberant AP.  (I'm guessing ARP is working, otherwise you would not be getting anywhere from behind the WET200.)
    But if you wish to post an ethereal trace, it would be fun to quickly check it out.
    If you do this please don't capture megabytes, try to capture just a bit before and after a DHCP request.
    The other option is to just keep doing what you are doing and statically define IP addresses.
    regards Dave

  • Manual IP and DHCP conflicts

    My Barricade g died (SMC2804WBRP-G). I replaced it with an Airport Extreme (802.11g).
    With the Barricade g, I had manually assigned IP addresses to all the computers on the LAN (range 192.168.x.1-192.168.x.99). The router distributed IP addresses to the wireless clients via DHCP range (192.162.x.100-192.168.x.200)
    I've setup the AEBS to Distribute IP addresses and selected Share a single IP address (using DHCP and NAT).
    BUT, the AEBS is assigning some of the manual addresses to wireless client IP requests. Then the computer that is supposed to have a manual IP address doesn't have one. Basically, the manual and DHCP addresses are coming from the same pool and causing conflicts.
    How do I deal with manual IP addresses AND DHCP with this router?
    Thanks

    David,
    Thanks for the input. But, I may have misread my post.
    From my original post.
    'With the Barricade g, I had manually assigned IP address to all the computers on the LAN (range 192.168.x.1-192.168.x.99). The router distributed IP addresses to the wireless clients via DHCP range (192.162.x.100-192.168.x.200).'
    In other words, on the network, LAN=static IPs, Wireless clients=DHCP.
    You can have both static and DHCP on the same network.

  • Static IP address and DHCP range

    Hi,
    A month back I decided to move over from Win to OS X and got my MB Pro RD. Along with that decided to replace my DLink DIR-655 wireless router with TC.
    My home network counts up to 15 devices that use the wireless AP. The ISP ethernet cable comes out of the wall and directly to the TC, no other devices in between.
    Back when I had the DLink in use it was using static IP 89.201.x.x and DHCP was assigning 192.168.x.x addresses to devices.
    Now that I have moved over to the TC, the only DHCP range I can get is 89.201.x.x; it does not allow me to change the DHCP range to anything other than 89.201.x.x.
    Question - is there a way to configure TC so that I use same static IP (89.201.x.x) but DHCP gives out 192.168.x.x to devices?
    Thanks in advance!
    BR
    UAUX

    Ok you must set the TC into router mode.. at the moment you have it in some other mode..
    You can use 192.168 if you want to but by default the TC is 10.0.1.x
    So the Internet tab should be set either dhcp or if you have static IP then you can apply that.
    Normally even a static IP from the ISP is still received by dhcp on the WAN interface.
    On the Network tab you must select DHCP + NAT.
    In the network options you change the IP and dhcp range..
    The TC always takes address 1.. and you do not set the TC address directly.. rather you set the dhcp range and the TC will follow.
    So in my example I have set 192.168.2.2-200 for dhcp and the TC will automatically become 192.168.2.1
    Set it as you prefer.

  • Howto: Zones in private subnets using ipfilter's NAT and Port forwarding

    This setup supports the following features:
    * Requires 1 Network interface total.
    * Supports 1 or more public ips.
    * Allows Zone to Zone private network traffic.
    * Allows internet access from the global zones.
    * Allows direct (via ipfilter) internet access to ports in non-global zones.
    (change networks to suit your needs, the number of public and private ip was lowered to simplify this doc)
    Network setup:
    iprb0 65.38.103.1/24
    defaultrouter 65.38.103.254
    iprb0:1 192.168.1.1/24 (in global zone)
    Create a zone on iprb0 with an ip of 192.168.1.2
    ### Example /etc/ipf/ipnat.conf
    # forward from a public port to a private zone port
    rdr iprb0 65.38.103.1/32 port 2222 -> 192.168.1.2 port 22
    # force outbound zone traffic thru a certain ip address
    # required for mail servers because of reverse lookup
    map iprb0 192.168.1.2/32 -> 65.38.103.1/32 proxy port ftp ftp/tcp
    map iprb0 192.168.1.2/32 -> 65.38.103.1/32 portmap tcp/udp auto
    map iprb0 192.168.1.2/32 -> 65.38.103.1
    # allow any 192.168.1.x zone to use the internet
    map iprb0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
    map iprb0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
    map iprb0 192.168.1.0/24 -> 0/32

    For testing purposes you can leave /etc/ipf/ipf.conf empty.
    Be aware that you must "svcadm disable ipfilter; svcadm enable ipfilter" to reload rules, and the rules stay loaded if they are just disabled (bug).
    Zones can't modify their routes and inherit the default routes of the global zone. Because of this we have to trick the non-global zones into using a router that doesn't exist.
    Create /etc/init.d/zone_route_hack
    Link this file to /etc/rc3.d/S99zone_route_hack.
    #!/bin/sh
    # based on information found at
    # http://blogs.sun.com/roller/page/edp?entry=using_branded_zones_on_a
    # http://forum.sun.com/jive/thread.jspa?threadID=75669&messageID=275741
    fake_router=192.168.1.254
    public_net=65.38.103.0
    router=`netstat -rn | grep default | grep -v " $fake_router " | nawk '{print $2}'`
    # send some data to the real network router so we look up its arp address
    ping -sn $router 1 1 >/dev/null
    # record the arp address of the real router
    router_arp=`arp $router | nawk '{print $4}'`
    # delete any existing arp address entry for our fake private subnet router
    arp -d $fake_router >/dev/null
    # assign the real routers arp address to our fake private subnet router
    arp -s $fake_router $router_arp
    # route our private subnet through our fake private subnet router
    route add default $fake_router
    # Can't create this route until the zone/interface are loaded
    # Adjust this based on your hardware and number of zones
    sleep 300
    # Duplicate this line for every non-global zone with a private ip that
    # will have ipfilter rdr (redirects) pointing to it
    route add -net $public_net 192.168.1.2 -iface

    Now we have both public and private ip addresses on our one iprb0 interface. If we'd really like our private zone network to be private we don't want any non-NAT'ed 192.168.1.x traffic leaving the interface. Since ipfilter can't block traffic between zones (they use loopbacks), we can just block the 192.168.1.x traffic and the zones can still talk.
    The following /etc/ipf/ipf.conf defaults to deny.
    # ipf.conf
    # IP Filter rules to be loaded during startup
    # See ipf(4) manpage for more information on
    # IP Filter rules syntax.
    # INCOMING DEFAULT DENY
    block in all
    block return-rst in proto tcp all
    # two open ports one of which is redirected in ipnat.conf
    pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
    pass in quick on iprb0 proto tcp from any to any port = 2222 flags S keep state keep frags
    # INCOMING PING
    pass in quick on iprb0 proto icmp from any to 65.38.103.0/24 icmp-type 8 keep state
    # INCOMING GLOBAL ZONE UNIX TRACEROUTE FIX PART 1
    #pass in quick on iprb0 proto udp from any to 65.38.103.0/24 keep state
    # OUTGOING RULES
    block out all
    # ALL INTERNAL TRAFFIC STAYS INTERNAL (Zones use non-filtered loopback)
    # remove/edit as needed to actually talk to local private physical networks
    block out quick from any to 192.168.0.0/16
    block out quick from any to 172.16.0.0/12
    block out quick from any to 10.0.0.0/8
    block out quick from any to 0.0.0.0/8
    block out quick from any to 127.0.0.0/8
    block out quick from any to 169.254.0.0/16
    block out quick from any to 192.0.2.0/24
    block out quick from any to 204.152.64.0/23
    block out quick from any to 224.0.0.0/3
    # Allow traffic out the public interface on the public address
    pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
    # OUTGOING PING
    pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 8 keep state
    # Allow traffic out the public interface on the private address (needs nat and router arp hack)
    pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
    # OUTGOING PING
    pass out quick on iprb0 proto icmp from 192.168.1.0/24 to any icmp-type 8 keep state
    # INCOMING TRACEROUTE FIX PART 2
    #pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 3 keep state
    If you want incoming and outgoing internet in your zones it is easier if you just give them public IPs and set up a firewall in the global zone. If you have limited public IP addresses (I'm setting up a colocation 1U server) then you might take this approach. One of the best things about doing things this way is that any software configured in the non-global zones will never be configured to listen on an IP address that might change if you change public IPs.

    Instead of using the script as a legacy_run script, set it up in SMF.
    First create the file /var/svc/manifest/system/ip-route-hack.xml with
    the following
    ---Start---
    <?xml version="1.0"?>
    <!DOCTYPE service_bundle SYSTEM
      "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
    <!--
      ident "@(#)ip-route-hack.xml 1.0 09/21/06"
    -->
    <service_bundle type='manifest' name='NATtrans:ip-route-hack'>
      <service
        name='system/ip-route-hack'
        type='service'
        version='1'>
        <create_default_instance enabled='true' />
        <single_instance />
        <dependency
          name='physical'
          grouping='require_all'
          type='service'
          restart_on='none'>
          <service_fmri value='svc:/network/physical:default' />
        </dependency>
        <dependency
          name='loopback'
          grouping='require_all'
          type='service'
          restart_on='none'>
          <service_fmri value='svc:/network/loopback:default' />
        </dependency>
        <exec_method
          type='method'
          name='start'
          exec='/lib/svc/method/svc-ip-route-hack start'
          timeout_seconds='0' />
        <property_group name='startd' type='framework'>
          <propval name='duration' type='astring'
            value='transient' />
        </property_group>
        <stability value='Unstable' />
        <template>
          <common_name>
            <loctext xml:lang='C'>
              Hack to allow zone to NAT translate.
            </loctext>
          </common_name>
          <documentation>
            <manpage
              title='zones'
              section='1M'
              manpath='/usr/share/man' />
          </documentation>
        </template>
      </service>
    </service_bundle>
    ---End---
    then modify /var/svc/manifest/system/zones.xml and add the following
    dependency
    ---Start---
    <dependency
      name='inet-ip-route-hack'
      type='service'
      grouping='require_all'
      restart_on='none'>
      <service_fmri value='svc:/system/ip-route-hack' />
    </dependency>
    ---End---
    Finally create the file /lib/svc/method/svc-ip-route-hack with the
    contents of S99zone_route_hack, minus the sleep timer (perms 0755). Run
    'svccfg import /var/svc/manifest/system/ip-route-hack.xml' and 'svccfg
    import /var/svc/manifest/system/zones.xml'.
    This will guarantee that ip-route-hack is run before zones are started,
    but after the interfaces are brought on line. It is worth noting that
    zones.xml may get overwritten during a patch, so if it suddenly stops
    working, that could be why.
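    The ipf.conf above only works as a default-deny policy because of how ipfilter orders rules: the last matching rule wins, a matching rule marked `quick` ends evaluation at once, and a packet that matches no rule is passed. The following is an added example (not from the original post) that replays that ordering over a constructed subset of the quoted rules; the packet addresses in the tests are made-up sample values.

```python
"""Evaluate packets against a subset of the quoted ipf.conf (added example).
ipfilter reads rules top to bottom; the LAST match wins unless a matching
rule says 'quick', which ends evaluation at once. An unmatched packet PASSES,
which is why the config opens with 'block in all' / 'block out all'."""
import ipaddress
# Constructed subset of the ipf.conf above; interface, flags, state and
# icmp-type keywords are accepted by the parser but not modelled.
IPF_CONF = """
block in all
pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on iprb0 proto icmp from any to 65.38.103.0/24 icmp-type 8 keep state
block out all
block out quick from any to 192.168.0.0/16
block out quick from any to 10.0.0.0/8
pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
"""
KEY = {"proto": "proto", "from": "src", "to": "dst"}  # keyword -> field name

def parse_rule(line):
    """Turn one rule line into a dict; keywords not handled here are skipped."""
    toks = line.split()
    r = {"action": toks[0], "dir": None, "quick": "quick" in toks,
         "proto": None, "src": None, "dst": None, "port": None}
    for i, t in enumerate(toks):
        if t in ("in", "out"):
            r["dir"] = t
        elif t in KEY:
            r[KEY[t]] = toks[i + 1]
        elif t == "port":
            r["port"] = int(toks[i + 2])   # 'port = N': skip the '=' operator
    return r

RULES = [parse_rule(l) for l in IPF_CONF.splitlines() if l.strip()]

def _addr_match(spec, addr):
    return spec in (None, "any") or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, direction, proto, src, dst, dport=None):
    """Return 'pass' or 'block' for one packet under ipfilter ordering."""
    verdict = "pass"                        # default when no rule matches
    for r in rules:
        if (r["dir"] == direction and r["proto"] in (None, proto)
                and _addr_match(r["src"], src) and _addr_match(r["dst"], dst)
                and r["port"] in (None, dport)):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict
```

Passing `RULES[1:3]` (the inbound rules without `block in all`) shows why the default-deny lines matter: an inbound TCP packet to port 80 then matches nothing and is passed.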

  • Static NAT and same IP address for two interfaces

    We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm referring to, where 10.10.10.10 would be the same public IP address.
    static (inside,Outside) 10.10.10.10  access-list inside_nat_static_1
    static (production,Outside) 10.10.10.10  access-list production_nat_static_1
    Thanks for any help.
    Jeff

    Hi Jeff,
    Unfortunately this cannot be done. On the ASA, packet classification is done on the basis of MAC address, destination NAT and route, and here you are confusing the firewall as to which interface the IP belongs to. I haven't ever tried to do it, but it should cause you issues.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Adobe Bridge CS4 Hangs and whole system goes down.

    This is happening when I have just finished editing RAW files in ACR and hit DONE; right after that Bridge hangs, I cannot open Explorer, PC functions are down, I cannot start anything, cannot stop the Bridge process, cannot properly restart. Only holding the power button shuts down the PC forcefully.
    It happens once per 10 edits of RAW files and is super annoying.
    Pleeeeease help!

    No wonder I think this is Bridge.
    That is indeed a tempting thought, have you already tried the refresh preferences for Bridge using ctrl key pressed down while restarting Bridge?
    But Bridge is very critical in reacting on odd system behavior, so also keep the advice of Station-Two in mind. On a Mac repairing permissions often solves problems, don't know the PC equivalent of this.
