Friday, July 26, 2013

Mac Mini Server + Time Capsule LAN for Comcast Cable Business

I have a static IP address and a registered domain name as well as a Time Capsule, Mac Mini Server and two iMacs. I want to create a small office LAN in which the Mac Mini Server is publicly accessible but runs behind a firewall.

Final LAN Configuration:

 /173.nnn.mmm.122 gateway  \
| subntmsk  |- COMCAST SMC 8014 router
|     WAN dns1  |  (DHCP / NAT disabled) 
 \     WAN dns2 /
 /173.nnn.mmm.121 Static IP\  
| 173.nnn.mmm.122 gateway   |- Time Capsule ... USB Printer
| subntmsk  |  (DHCP and NAT mode)
|     WAN dns1  |
|     WAN dns2  |
| ========================= | 
|        LAN IP    | 
|       subntmsk  |   
 \       LAN dns  / 
     |              |             |
 / Mac Mini\   / iMac #1 \   / iMac #2 \
| | | | | | < Private IP
| | | | | | < LAN subntmsk
|  | |  | |  | < LAN gateway
 \   \ /   \ /  < LAN dns

Configuration Method:
This describes the procedure I followed to obtain the above LAN configuration.
Configure LAN
The Mac Mini Server, Time Capsule (TC) and two iMacs were manually configured to a 10.0.0.x subnet with TC as Router and the Mac Mini Server as DNS server. The Private IP address of the Comcast Cable modem/router was changed from the default to to match one of the DHCP ranges available in TC. Note that TC is currently in "Bridge" mode but will eventually be configured for "DHCP and NAT." 
Configure DNS
Do not skip DNS configuration. It is absolutely essential to get your LAN working right.
. on the Mac Mini Server was uninstalled with this command in Terminal:  
sudo rm /var/db/.ServerSetupDone
Install 2.2.1 for a private network. Re-configure DNS service by first deleting all of the zones set up by the installer, then adding a Primary Zone, a Nameserver Record and a Machine Record. The real registered domain name was used to set up DNS service.
Test DNS Configuration
From Terminal on the Mac Mini Server run: sudo changeip -checkhostname and verify that the Current HostName and DNS HostName match. From Terminal on one of the iMacs run: sudo dig and sudo dig -x to make sure domain names and IP addresses are properly resolved.
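The same round-trip that dig and dig -x verify on the live server can be checked offline against the zone data before it is loaded. The following is an added example, not code from the original post: it parses a constructed BIND-style forward and reverse zone for the placeholder domain example.com with made-up 10.0.0.x addresses and reports a Nameserver Record without a Machine Record, hosts without a reverse entry, and reverse entries that disagree with the forward zone.

```python
import re
from ipaddress import ip_address
# Constructed forward zone for a placeholder domain (not the author's zone).
FORWARD_ZONE = """
$ORIGIN example.com.
@        IN NS  server.example.com.
server   IN A   10.0.0.2
imac1    IN A   10.0.0.3
imac2    IN A   10.0.0.4
"""
# Constructed reverse zone; imac2's PTR is deliberately missing.
REVERSE_ZONE = """
$ORIGIN 0.0.10.in-addr.arpa.
2   IN PTR server.example.com.
3   IN PTR imac1.example.com.
"""
RECORD = re.compile(r"^(\S+)\s+IN\s+(NS|A|PTR)\s+(\S+)$")

def parse_zone(text):
    """Return (owner_fqdn, type, rdata) tuples, expanding $ORIGIN and '@'."""
    origin, records = "", []
    for line in map(str.strip, text.splitlines()):
        match = RECORD.match(line)
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif match:  # blank lines and unsupported record types are skipped
            owner, rtype, rdata = match.groups()
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
            records.append((owner, rtype, rdata))
    return records

def ptr_name(ip):
    """Owner name that `dig -x <ip>` queries, e.g. 2.0.0.10.in-addr.arpa."""
    return ip_address(ip).reverse_pointer + "."

def check_zones(forward_text, reverse_text):
    """Report NS names lacking an A record and A/PTR pairs that disagree."""
    forward = parse_zone(forward_text)
    a_records = {o: r for o, t, r in forward if t == "A"}
    ptrs = {o: r for o, t, r in parse_zone(reverse_text) if t == "PTR"}
    problems = [f"NS {r} has no A record"
                for o, t, r in forward if t == "NS" and r not in a_records]
    for host, ip in a_records.items():  # forward lookup must round-trip
        target = ptrs.get(ptr_name(ip))
        if target is None:
            problems.append(f"{ip} ({host}) has no PTR record")
        elif target != host:
            problems.append(f"{ip} PTR points to {target}, expected {host}")
    return problems
```

Running check_zones(FORWARD_ZONE, REVERSE_ZONE) flags only the missing PTR for imac2; an empty list means every name and address resolves consistently in both directions.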
Disable the Comcast Cable Modem
Port forwarding, DMZ and 1-to-1 NAT were disabled on the Comcast Cable modem. "Disable Firewall for True Static IP Subnet Only" and "Disable Gateway Smart Packet Detection" were checked. "Disable Ping on WAN Interface" was unchecked.
Change Time Capsule Router Mode
The router mode of the Time Capsule was changed from "Off(Bridge Mode)" to "DHCP and NAT" via the pull-down menu on the "Network" tab of AirPort Utility. In "Network Options..." choose a DHCP range of to That is the same subnet as the Mac Mini Server, Time Capsule and the two iMacs, but beyond the IP range of those manually configured devices.
Once changed to "DHCP and NAT" router mode, the TC takes on the LAN IP of (which was configured in the Comcast Cable modem) and the Comcast Cable modem is accessible from its WAN gateway address only.
Enable Services
Go to the Mac Mini Server and add users and groups. Give them access to File Sharing and FTP services. Turn on FTP, Open Directory, Websites and Wiki services on the Mac Mini Server. Go to the Websites tab, Edit "Server Website" and configure a redirect to "Server Website (SSL)."
Using Workgroup Manager for, select the single person button at the top of the left pane, then choose the "Advanced" tab. Select each user and make sure their Login Shell is set to "/bin/bash" using the pull-down menu.
Port Settings
"FTP Access" port 21 and "Personal Web Sharing" port 80 were mapped to Private IP "Personal Web Sharing (SSL)" port 443 was also mapped to Private IP The FTP and Wiki site can now be accessed by authorized users from as well as 
Woo whooo!
Now I need to update my trusted certificates!