NAT on Mac OS X Yosemite (the latest OS from Apple when this post was written) is not that simple to configure, since the natd binary (used for network address translation rules) and ipfw (used to create firewall rules on Mac OS X) are missing completely from the operating system. They were replaced with another tool: pfctl, which has built-in network address translation support.
First of all you have to enable packet forwarding on your Mac computer. This can be done with 2 simple commands:
sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.enable=1
Now for the NAT (Network Address Translation) part, the basic syntax is as follows:
nat on $ext_if from $localnet to any -> ($ext_if)
$ext_if = external interface (the interface you use to connect to the internet; it could be an ethernet interface, a wireless interface, or even your WAN interface if your Mac is directly connected to the internet).
Assuming your network interface is en0 (ethernet or wireless), in order to do NAT you have to create a pfctl rule. Let’s create a file called nat-rules
# cat > nat-rules
localnet = "192.168.2.0/24"   # example value: pf has no built-in $localnet, so define the macro or pfctl rejects the rule
nat on en0 from $localnet to any -> (en0)
Save the file and now start pfctl using the rule from the file we have created earlier:
# pfctl -d
# pfctl -F all
# pfctl -f ./nat-rules -e
The first command disables pf (the packet filter). The second flushes all pf rules. The third loads the rules from the nat-rules file and enables pf. That’s it!
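The whole procedure as one script, added here as an example rather than taken from the post: it writes the ruleset with its macros defined, parses it with pfctl -n before anything is flushed, and tolerates the missing net.inet.ip.fw.enable oid that newer releases report. The interface names and the 192.168.2.0/24 network are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumed values: en0 as the
# external interface and 192.168.2.0/24 as the network to translate.

# Print a complete nat-rules file. pf has no built-in $localnet; it must be
# defined as a macro or pfctl fails with "macro 'localnet' not defined".
make_nat_rules() {
    ext_if="$1"      # interface that reaches the internet, e.g. en0
    localnet="$2"    # network to translate, e.g. 192.168.2.0/24 or en1:network
    printf 'ext_if = "%s"\nlocalnet = "%s"\nnat on $ext_if from $localnet to any -> ($ext_if)\n' \
        "$ext_if" "$localnet"
}

# Accept only names shaped like BSD interfaces (en0, bridge0, ...) before
# they are interpolated into a ruleset that runs as root.
valid_ifname() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
        *[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Enable forwarding, write the ruleset, dry-run it, then flush and load.
apply_nat() {
    ext_if="$1"; localnet="$2"; rules="${3:-./nat-rules}"
    valid_ifname "$ext_if" || { echo "bad interface name: $ext_if" >&2; return 1; }
    sysctl -w net.inet.ip.forwarding=1
    # net.inet.ip.fw.enable does not exist on every release (the Sierra
    # comment below shows the 'unknown oid' error); treat that as non-fatal.
    sysctl -w net.inet.ip.fw.enable=1 2>/dev/null || echo "net.inet.ip.fw.enable not present, continuing"
    make_nat_rules "$ext_if" "$localnet" > "$rules"
    # -n parses without loading, so a syntax error stops here instead of
    # leaving pf with an empty ruleset after the flush.
    pfctl -n -f "$rules" || { echo "ruleset rejected, nothing changed" >&2; return 1; }
    pfctl -d
    pfctl -F all
    pfctl -f "$rules" -e
}

# Runs only when invoked explicitly: sudo sh nat.sh apply en0 192.168.2.0/24
if [ "${1:-}" = "apply" ]; then
    apply_nat "$2" "$3"
fi
```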
11 Comments
These aren’t working in Yosemite 10.10.4. I get errors:
No ALTQ support in kernel
ALTQ related functions disabled
I guess you could just ignore that message, the ALTQ support in the kernel has nothing to do with the nat (the nat still works with or without ALTQ).
sh-3.2# pfctl -d
No ALTQ support in kernel
ALTQ related functions disabled
pf disabled
sh-3.2# pfctl -F all
No ALTQ support in kernel
ALTQ related functions disabled
rules cleared
nat cleared
dummynet cleared
0 tables deleted.
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
Try this rule in nat-rules:
nat on en0 from en1 to any -> (en0)
As you can see, at the end, the rules are loaded despite the ALTQ message
sh-3.2# pfctl -f ./nat-rules -e
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
Hope it works!
Hi Linuxmaster, it isn’t an off the shelf solution, because most people landing here probably don’t have the $localnet macro defined, causing your rule to fail. A universal substitute would be something like:
nat on en0 from en0:network to any -> (en0)
Which obviously limits the rule to the one interface, which fits my scenario. Another option is to define $localnet first.
Thanks for your article though, it pointed me in the right direction more clearly than anything else out there. 🙂
No problem. Thanks for the recommendation. I am happy that you have found my post useful.
I’ve tried in El Capitan 10.11.4 but get errors:
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
./nat-rules:1: syntax error
pfctl: Syntax error in config file: pf rules not loaded
my nat-rules file just has one line:
nat on en0 from any to any -> (en0)
First you should do this:
#enable packet forwarding
sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.enable=1
Then nat-rules file should have this line:
nat on en1 from en0 to any -> (en1)
Of course you should replace en1 and/or en0 accordingly (depends on your actual config). On my macbook pro en1 is the wireless adapter card.
Also did you configure your tap adapter?
I am running OSX El Capitan 10.11.4 (latest version)
Hi, thanks for the excellent post. Is there an update for macOS Sierra? The following line fails for me:
sudo sysctl -w net.inet.ip.fw.enable=1
sysctl: unknown oid ‘net.inet.ip.fw.enable’
Jim,
I haven’t tested that on Mac OSX Sierra but I will try and let you know. Thanks for mentioning the fact that is not working on Sierra
Any news on Mac OS Sierra?
Hi Linux Master,
yes. Any news on MacOS sierra.
Your script does not work anymore with the latest MacOS.
Unfortunately I have no news about Mac OSX Sierra. My macbook pro laptop is not compatible with Sierra. I have managed to install it but it was really slow so I had to switch back to El Capitan.