Need help with Airport (802.11b), Websharing, and NAT / Port Forwarding

[Digital_Guy]

I have been trying to figure out for some time now how to use Websharing in MacOS X 10.2 with an Airport (white 802.11b). It seemed very easy when I used my PowerBook under MacOS 9.2 with a dialup connection, but since the Airport was added to our home network, I can't seem to enable websharing. I do remember talking to someone on the telephone once about 14 months ago (October 2002), and was told that I needed to enable something known as NAT (Network Address Translation, also known as Port Mapping). Here are the details for the items on the network
(taken from Network Utility "Info." tab, Ethernet Interface (en1)):

iMac G4 800 IP address: 10.0.1.3
PowerBook G3 500 IP address: 10.0.1.2

The following information is taken from the Airport Admin. Utility:

Aiport Base Station IP address: 10.0.1.1

By clicking on "Configure" at the top of the Airport Admin. Utility, and then clicking on the "Show All Settings" box at the bottom left, and then choosing the "Port Mapping" tab at the top, I see the following information:

Public Port -------- Private IP Address -------- Private Port
80 --------------------- 10.0.1.2 --------------------- 80
427 -------------------- 10.0.1.2 -------------------- 427

I remember when I was talking to someone on the telephone about it, that NAT / Port Mapping was involved because the Airport was serving as a router. It seems I remember adding the ports mentioned above (80 and 427) to the "Port Mapping" list (I don't think they existed before I added them). I remember being told to check my Public (WAN) IP address (from the "Show Summary" box at the top, in the Airport Admin. Utility) (NOTE: I know this number is not static, and changes ... I always check the Public (WAN) IP address), and then being told to give this as my HTTP address, followed by my home directory. For example:

http://xx.xx.xx.xx/~myhomedirectoryname/

I was told of the importance of both the tilda ~ and the final forward slash. I was told giving this information would then allow users to access content in the "Sites" folder of my home directory. One brief question here ... I remember in MacOS 9.2 you could limit user's access by specifying which folder they would be able to browse, or look at, when connecting via Personal Websharing. Is this possible in OS X? Or do they have access to anything in the "Sites" folder"?

I then remember being told that if I had ports 80 and 427 forwarded (as I showed in the table above), that Personal Websharing would work. I do remember it working that night (and it was VERY slow), but I have been unable to get it to work anymore, and I am even more confused now because I switch between the iMac and PowerBook, and want to enable Personal Websharing on both machines (although at separate times, not enabling Personal Websharing on both machines at the same time). When I give my address to someone try to connect to now through Personal Websharing, I get the following message:

"The connection was refused when attempting to contact xx.xx.xx.xx"

(Do I need to include the Port Numbers after my Public (WAN) IP address, as in: http://xx.xx.xx.xx:80/ or http://xx.xx.xx.xx:427/ ? I have tried this also, and I still get a "connection refused" error.)

I want to use Personal Websharing to share pictures with relatives that I talk with via the Instant Messenger services. I am really frustrated at this point, because I know what I want to do is possible . Up until now, I have been sending the pictures to them via E-Mail. I am limited as to what I can send to some of them though, because of space restrictions placed on their inbox(es). Any help is sincerely appreciated, and would actually be considered a Christmas gift, because of the frustration I have had. In advance, thank you.

-D.G.

[mclbruce]

That's a long question, I'll try to keep my reply short:

A. Does your ISP give you some space on the web? Perhaps you could just upload the pages to your ISP provided web site.

B. Can your web pages be seen from inside your network? Try looking from the opposite computer using the internal 10.0.1.x IP address.

B-2 By the way you can put your files in a different place to skip the tilde and username:

yourharddisk/library/webserver/documents

C. Is the firewall turned off on the computer you want to use as a web server? That's in System Preferences: Sharing. You can also punch a hole on your firewall if you want. If item B works then the firewall is disabled or set up properly.

D. No need to use port numbers in the external address, 80 will be assumed and should work fine.

D-2 NAT is used to share one IP address among several computers. On your network it's always enabled.

D-3 Port Mapping is what guides the outside web traffic to a specific machine. Looks like you have that set up right.

E. Are your computers getting their IP addresses via DHCP? If so the addresses can change depending on the order in which they are started up. That would mean making changes in port mapping in the Airport.

I think that's enough for now, I'll save F, G, and H for later if you need them.

[intrntmn]

How is your home network connected to the net ? Cable/DSL or Dialup.

Are you using a router (other than the Airport) or is your ISP connection direct to your iMac ? Once I have this info, i can better help you.

It's not complicated, but there are some settings that have to be exact in order to get it all working.

While MCLBruce provides a lot of great information, he is incorrect about NAT and Port Mapping. They are actually the same thing, just different terminology. NAT aka Port Mapping is usually disabled by default as it is insecure in most scenarios.


Jack

[Digital_Guy]

Thank you both mclbruce and intrntmn. I will give answers to both of you in this reply.

From mclbruce:

> A. Does your ISP give you some space on the web? Perhaps you could just upload the pages to your ISP provided web site.

As far as this goes, yes. But the whole point is to avoid having to take the time to either upload the images or email them. This is a step I want to avoid. I want to simply place the images in a folder, and give her the (my) URL, so that she can connect to my machine and look at the images. I have done this many, many times with MacOS 9.x and a dialup connection.

> B. Can your web pages be seen from inside your network? Try looking from the opposite computer using the internal 10.0.1.x IP address.

This, I haven't tried yet. I will try and let you know. I will venture a guess though (but I am not SURE) that it would work. It seems the problems arise when someone from beyond the local network want to access something.

> C. Is the firewall turned off on the computer you want to use as a web server? That's in System Preferences: Sharing. You can also punch a hole on your firewall if you want. If item B works then the firewall is disabled or set up properly.

Yes, the Firewall is turned off. I thought this was the problem in the first place, and the fact that I am still having trouble knowing that the Firewall is off makes me even more confused / frustrated. You mention "punching a hole" in the Firewall. How is this done? I guess if the Firewall is turned off, this isn't important though.

> D. No need to use port numbers in the external address, 80 will be assumed and should work fine.

I thought this was the case. Thanks.

> E. Are your computers getting their IP addresses via DHCP? If so the addresses can change depending on the order in which they are started up. That would mean making changes in port mapping in the Airport.

Yes, they are. The iMac is almost always the first computer on the network, the PowerBook is usually second. Any ideas you have on helping with this part especially are appreciated.

----------------------------------------

From intrntmn:

> How is your home network connected to the net ? Cable/DSL or Dialup?

I have Adelphia PowerLink (cable).

> Are you using a router (other than the Airport) or is your ISP connection direct to your iMac ?

The coaxial cable comes into the house and is connected in our spare bedroom to a Motorola Surfboard cable modem. The cable modem is connected via ethernet cable to the Airport base station (802.11b, white unit not graphite). The iMac is in our living room and has an Airport card in the base to receive the signal, and the PowerBook G3 is usually in my bedroom. It also has an Airport card.

Thank you both again for your help. I hope I can resolve this problem soon.

-D.G.

[mclbruce]

Trying to see the web pages from the other Mac in your network is a vital test. There's not much more to say until that's done.

Punching a hole in the firewall is done by turning on the firewall in System Preferences: Sharing: Firewall tab, and then clicking the checkbox next to Web Services. Any checkbox you click will allow that service to get through the firewall, or more casually, punch a hole in it.

[intrntmn]

With your setup, the Airport Base Station should be handing out IP addresses, which is good.

On your iMac, which i'm assuming is your WebServer, you want to make sure you have websharing turned on in your system preferences.

On your Powerbook, you should be able to view the webpages on your iMac by using it's ip address (http://10.0.1.3/~username).

If you can do this, as bruce said, we are one step closer to achieving your goal.

On a side note, you can also place your images/files into the /Library/WebServer/Documents directory of your iMac to eliminate the need for ~username.

Report back if your Powerbook can reach the iMac, then we'll tackle internet=>iMac routing.

Jack

[Digital_Guy]

> On your iMac, which i'm assuming is your WebServer, you want to make sure you have websharing turned on in your system preferences.
>
> On your Powerbook, you should be able to view the webpages on your iMac by using it's ip address (http://10.0.1.3/~username).


I'm not sure you understand. The person that I want to share information with using Personal Websharing is in Virginia, and I am in West Virginia. I want to be able to use either the iMac OR the PowerBook, because I sometimes switch machines, and also would like to be able to use either one.

[mclbruce]

Quote: Originally posted by Digital_Guy I'm not sure you understand. The person that I want to share information with using Personal Websharing is in Virginia, and I am in West Virginia. I want to be able to use either the iMac OR the PowerBook, because I sometimes switch machines, and also would like to be able to use either one.

There are a lot of settings involved here, and if you can share your web pages from one computer to the other it will confirm that the computers are set up properly. That's an important step to your goal.

[RichB]

From Apple's "Designing Airport Networks for OS X:"

Quote: To use port mapping, you must configure TCP/IP manually on the computer that is running the Web, AppleShare, or FTP server.

With your setup you can assign static IPs up where they will never interfere within the DHCP range. Nothing needs to be changed on the base station. On your two Macs manually set up their IPs like this (Create a new Location rather than changing the current one. It would also help to disable the Network Port Configurations not being used for this location so Airport is the only one enabled.):

IP Addresses: 10.0.1.101 and 10.0.1.102
Subnet Mask: 255.255.255.0
Router: 10.0.1.1
DNS: 10.0.1.1 (this may work better if you know the actual DNS servers your ISP uses)

FYI, NAT is what allows one IP to be turned into many. Port forwarding is only necessary if running an Web, AppleShare, or FTP server.

Good Luck!

[robophilosopher]

Dude. Let's all stop beating aroudn the bush, and tell him how to do this :-) Do the following:

1. Enable web sharing on both macs. Test each from the other one to verify. It sounds like you've done this already.

2. Give each mac a static IP address on the internal network. Go to System Preferences -> Network, Create a new Location if you need to (for example, if you use your laptop on other networks). Select Airport in the "Show" dropdown thing, and type a manual IP address for each computer (Configure: Manually). Good choices for IP addresses would be 10.0.1.101 and 10.0.1.102. Remember which computer is which. Note that if you do this, when you bring one of them into a different network, you'll have to switch to its original location (in the apple menu), or else all hell will break loose*. If you don't use other networks, don't worry about it.

Like the previous dudes said, subnet mask = 255.255.255.0, router = 10.0.1.1, and DNS=10.0.1.1

3. Now, test the web servers again, just for fun.

4. Fire up Airport Admin Utility. Go to the Port Forwarding page. Delete those two things you already have and add:

PUBLIC PORT --------- HOST ----------- PRIVATE PORT
80 ---------------- 10.0.1.101 --------------- 80
8080 -------------- 10.0.1.102 --------------- 80

I don't know much about port 427, it's not http, but rather some kind of service discovery thing. Stick it in there if you want, but it's irrelevant to this discussion.

Apply those settings.

Now, you should be able to connect (from the outside network, and possibly the inside network) to:

http://my.wan.ip.here/ to get to 10.0.1.101
http://my.wan.ip.here:8080/ to get to 10.0.1.102

Also, to replace http://my.wan.ip.here with something cooler for free, check out http://www.dyndns.org

Hope this helps; reply if stuff isn't working out for you.


* It sounds by how I said this that it would be a big problem. Really, it won't break anything (probably), i'tll just make you go "darn, I can't get to the internet, I better change locations."

[mclbruce]

Quote: Originally posted by robophilosopher Dude. Let's all stop beating aroudn the bush, and tell him how to do this :-)

Well done. Nice job of explaining *everything* RP.

[Digital_Guy]

Thanks for all the help. I will try the suggestions that robophilosopher gave. Although, I am not sure that any suggestions will work. I spent a good deal of time on the telephone both with Adelphia and Apple. The people at Apple were pretty helpful ... although the guy I spoke to at Adelphia seems to think I am attempting to run a full-fledged server. He kept incessantly asking what program I was using, almost as if he were trying to get me to say something other than Apple's Personal Websharing. I can't count the times that I told him it was part of the System Preferences. I still don't think he believed me. I was told that port 80 is blocked by Adelphia ... and when I asked if it could be opened for my account ... I was told "No, that is not something that can be done for individual accounts". It seems that if they open port 80, it has to be done for everyone. I'm not too familar with Networking ... someone might want to help me out here. Is this true? Or is does this guy really think I'm going to try to run a full-fledged webserver? I would think a DHCP lease of several hours, combined with upload speeds of ~ 110k/sec. would be a real deterrant to ANYONE wanting to run a webserver. Personal Websharing was made for what I want to do, no? I'm fine with those limitations, as long as someone can tell me if port 80 can in fact be opened up for my specific account only (is the port on the Motorola modem, or is it a setting on some of Adelphia's hardware, far away?), or if what I'm being told about opening port 80 would have to be done for all of Adelphia's customers.

As mentioned, I will try the suggestion that robophilosopher gave. I'm not too sure what MCLBruce meant by "Well done. Nice job of explaining *everything*" though. Was this sarcasm? Sorry ... I don't understand.

Thanks again to everyone. I will reply on Tuesday letting the group here know if the suggestion(s) robophilosopher gave work.

-D.G.

[robophilosopher]

Lots of ISPs block port 80. They do it for two reasons: to discourage people from running web servers, and because several windows viruses (Code Red, I think?) spread along port 80. The trick, then is to not run your webserver on that port.

Here's how to set it all up. I'm including steps to beautify your URLs.

1-3. Take steps 1-3 from my previous post.

4. Fire up Airport Admin Utility. Go to the Port Forwarding page. Delete those two things you already have and add:

PUBLIC PORT --------- HOST ----------- PRIVATE PORT
2001 -------------- 10.0.1.101 --------------- 80
2002 -------------- 10.0.1.102 --------------- 80

Apply those settings and let your airport restart.

5. This is technically all you need to do. Try having a friend connect to http://your.wan.ip.address:2001/ and http://your.wan.ip.address:2002/ The rest of this is to make your URLs slightly nicer.

6. Go to http://www.dyndns.org and sign up for a free account ("Sign Up Now" in the upper-right hand corner). I've used Dyndns.org for a few years, and they're really great about.. well, everything. Free, too. Send them money if you're the type who has some to spare

7. After you've logged in to Dyndns.org, click "Services" at the top of the screen and then "Dynamic DNS" on the left hand side. (If you know you have a static IP address, use "Static DNS" instead, but if you're on cable or DSL, chances are it's dynamic.) Click "Add Host" on the left-hand side under "Dynamic DNS".

8. Type a hostname you like. For the remainder of this howto, I'll assume you chose "digitalguy.kicks-ass.net" Leave the rest of the things as they are. (Your WAN IP address should already be filled in.) Click "Add Host".

9. After giving the Dyndns servers a few minutes to populate the DNS server, try having a friend connect to http://digitalguy.kicks-ass.net:2001/ and http://digitalguy.kicks-ass.net:2002/

10. Click "WebHop" on the left of the Dyndns.org page. (Don't click "MyWebHop", which requires a money-involved registration.) Click "Add Redirect" to the left of the screen under "WebHop".

11. Type a Hostname you like. I'll assume you chose "digitaltower.webhop.org". For the Redirect URL, type "http://digitalguy.kicks-ass.net:2001/" Leave the rest of the options blank (you can come back and change them later if you read about them and decide you want to). Click "Add Redirection", and wait a few minutes for the DNS servers to populate.

12. Try having a friend go to http://digitaltower.webhop.org

13. Repeat step 11, using "digitallaptop.webhop.org" as the Hostname, and "http://digitalguy.kicks-ass.net:2002" as the Redirect URL.

14. Have a friend connect to http://digitallaptop.webhop.org (if your laptop is on and ready).

This should be pretty much it. If you got stuck on any particular step, give details and we'll try to help some more. You can tell your friends to look at your pictures on http://digitaltower.webhop.org, or http://digitallaptop.webhop.org, depending on which computer you're on. Here's what happens when somebody goes to http://digitaltower.webhop.org:

1. The client connects to http://digitaltower.webhop.org, which is owned by a Dyndns server. The dyndns server says "you really want http://digitalguy.kicks-ass.net:2001"

2. The client connects to http://digitalguy.kicks-ass.net:2001. The Dyndns DNS server gives the client your WAN IP address, which is your airport's outside IP.

3. The client asks your airport "do you have a webserver going on port 2001?" (Since this isn't port 80, your ISP's firewall won't bother it.)

4. Your airport forwards that connection to port 80 of 10.0.1.101 on the internal network, which should be your tower. Your tower does indeed have a webserver running on port 80, and makes the connection.

One important thing that I left out is that because you (presumably) have a dynamic IP address, which changes all the time, you need to keep Dyndns.org's servers up to date on your current address. You can do this by going to http://www.dyndns.org every once in a while (every 30 days or it will expire, I believe) and refreshing it, or (and I recommend this option) you can download a client, install it on your tower, and it will notify Dyndns.org whenever your IP address changes. My preferred client is at http://www.dnsupdate.org/ If I remember right, its documentation is all right, so go ahead and try to install it if you get everything else working. You'll get an e-mail from the Dyndns.org people if your Dynamic DNS entry is about to expire, so don't worry about it too much.


Hope this helps

[mclbruce]

Quote: Originally posted by Digital_Guy I'm not too sure what MCLBruce meant by "Well done. Nice job of explaining *everything*" though. Was this sarcasm? Sorry ... I don't understand. Thanks again to everyone. I will reply on Tuesday letting the group here know if the suggestion(s) robophilosopher gave work. -D.G.

I think that what you want to do should be easy, but is actually quite complicated. I and others were trying to nibble around the edges of your problem/project, RoboPhilosopher went for the whole enchilada, which I am impressed by. No sarcasm intended.

If what Adelphia said is true and port 80 is blocked, that explains a lot of your problems. Once again, RP has posted the solution.

[Digital_Guy]

Sorry, I feel so stupid. None of the suggestions are working. I repeatedly get a ""Connection Refused ... " error. I'm starting to think that this actually is more difficult than just spending the time to adjust the image and file sizes and sending them via e-mail in the first place. If anyone has an IM client, please let me know, I would like to establish direct contact as a last resort to see if what I want to do is possible.

Again, sorry ... I've tried all of your suggestions.

-D.G.

[robophilosopher]

I just sent my screen name to you as a private message; talk to you soon

[Digital_Guy]

Thank you to all that contributed to this topic. This issue has been resolved. If you are interested in the solution reached, please send me a private message.

[cappados]

Quote: Originally Posted by Digital_Guy Thank you to all that contributed to this topic. This issue has been resolved. If you are interested in the solution reached, please send me a private message.

I keep connecting but get the message "the server has refused the connection."

My set up is essentially the same: a G4 Tower and a Powerbook behind an Airport basestation. I've set the airport to forward to the FTP port (21), opened FTP, and manually set an IP on the tower.

Any help would be very much appreciated.

[cappados]

Quote: Originally Posted by Digital_Guy Thank you to all that contributed to this topic. This issue has been resolved. If you are interested in the solution reached, please send me a private message.

I feel like I got to the end of a 1500 page novel and the last chapter was ripped out. I waded through this long thread, and when you guys get the solution, you don't post it???

What's up with that?

[robophilosopher]

Quote: Originally Posted by cappados I feel like I got to the end of a 1500 page novel and the last chapter was ripped out. I waded through this long thread, and when you guys get the solution, you don't post it??? What's up with that?

Sorry about that. The solution ended up being that I walked him through the instructions in my post step by step; it can be a little confusing, so having each step verified before you go on to the next can only help.