Bridging a wireless and an ethernet network with OS X 10.8, updated again

I made a modification to the script, because the proxy_all sysctl isn't really needed in my setup.

Below in the drawing is my current home setup. My DSL router ("") creates a WIFI network. I then have another ethernet-based network with machines that have no wireless capabilities.

This used to work fine if one machine with an ethernet card ( and a wireless card ( running OS X provided Internet Sharing for the wired net. But when I recently added a wireless-only machine, it became apparent that this machine was not able to talk to the network.

It took me quite a while to figure out how to do it, although the information is available if you know which keywords to google for.

First things first. Apple's "Internet Sharing" does NAT, which in this case is harmful: NAT and bridging cannot be used reliably together (says the OpenBSD pf documentation). What I need instead is "real" ethernet bridging, which OS X apparently supports since 10.8.

So "Internet Sharing" has to be turned off. Note that this can change the wired interface's IP address!

Create a permanent ethernet bridge on OS X

I put this shell script into /usr/local/sbin as (on the machine with the interfaces and

#! /bin/sh
# ######################################
#  coded by Nat!
#  2013 Mulle kybernetiK
#  GPL

# The lines that set these two variables were lost when the page was extracted.
# Reading them from the command line ("... start" / "... stop no") is an
# assumption made here so that the script runs as shown.
command="$1"
proxyarp="$2"

start()
{
        sysctl -w net.inet.ip.forwarding=1
        sysctl -w net.inet.ip.fw.enable=1
        if [ "$proxyarp" != "no" ]
        then
                sysctl -w      # argument lost in extraction: the proxy_all sysctl mentioned above
        fi

        ifconfig bridge0 create
        ifconfig bridge0 addm en0
        ifconfig bridge0 addm en1
        ifconfig bridge0 up
        if [ $? -eq 0 ]
        then
                syslog -s "Mulle Ethernet Bridge is up"
        else
                syslog -s "Mulle Ethernet Bridge failure"
        fi
}

stop()
{
        ifconfig bridge0 destroy

        sysctl -w net.inet.ip.forwarding=0
        sysctl -w net.inet.ip.fw.enable=0
        sysctl -w      # argument lost in extraction: the proxy_all sysctl, reset to 0

        syslog -s "Mulle Ethernet Bridge is down"
}

case "$command" in
        start*) start
                ;;
        stop*)  stop
                ;;
esac
and made it executable:
chmod 755 /usr/local/sbin/
Then I put the following XML into /Library/LaunchDaemons as com.mulle-kybernetik.admin.ethernet-bridge.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">

<plist version="1.0">
and added it to launchd thusly

sudo chmod 644 /Library/LaunchDaemons/com.mulle-kybernetik.admin.ethernet-bridge.plist
sudo chown root:wheel /Library/LaunchDaemons/com.mulle-kybernetik.admin.ethernet-bridge.plist
sudo launchctl load /Library/LaunchDaemons/com.mulle-kybernetik.admin.ethernet-bridge.plist
Check with ifconfig that the bridge0 device has appeared now:
        ether ac:dc:18:48:20:13
                priority 0 hellotime 0 fwddelay 0 maxage 0
                ipfilter disabled flags 0x2
        member: en0 flags=3
                 port 4 priority 0 path cost 0
        member: en1 flags=3
                 port 5 priority 0 path cost 0
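Rather than eyeballing that output after every reboot, the bridge state can be checked mechanically. The following script is an added example written for this page, not code from Nat!'s post: it parses the text of `ifconfig bridge0`, confirms that the bridge is UP and RUNNING, that every expected member port is present, and that nothing else has been added to the bridge (an unexpected extra member means a third segment is now on the same L2 network as the wired boxes). The sample output embedded for offline testing is constructed from the excerpt above; its first line and the flag names in angle brackets are assumptions, as are the script name and the `en0 en1` member names passed on the command line.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that bridge0 is up and
# bridges exactly the interfaces you expect, by parsing `ifconfig bridge0` output.
# Usage on the bridging Mac:   sh check-bridge.sh en0 en1
# (script name and member names are assumptions; see the lead-in above)

# bridge_status_ok IFCONFIG_TEXT MEMBER...
# Returns 0 only if the text shows bridge0 as UP and RUNNING, every named
# MEMBER is listed as a member port, and no other interface has been added.
bridge_status_ok() {
    text="$1"
    shift

    # Header line, e.g. "bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,...> mtu 1500"
    if ! printf '%s\n' "$text" | grep -Eq '^bridge0: flags=[0-9a-fx]+<(UP|[^>]*,UP)[,>]'; then
        echo "bridge0 is not UP" >&2
        return 1
    fi
    if ! printf '%s\n' "$text" | grep -Eq '^bridge0: flags=[0-9a-fx]+<(RUNNING|[^>]*,RUNNING)[,>]'; then
        echo "bridge0 is not RUNNING" >&2
        return 1
    fi

    # Member lines look like "        member: en0 flags=3<LEARNING,DISCOVER>"
    for want in "$@"; do
        if ! printf '%s\n' "$text" | grep -Eq "^[[:space:]]*member: $want "; then
            echo "bridge0: expected member $want is missing" >&2
            return 1
        fi
    done

    # Refuse a bridge that has more members than we asked for.
    members=$(printf '%s\n' "$text" | grep -Ec '^[[:space:]]*member: ' || true)
    if [ "$members" -ne "$#" ]; then
        echo "bridge0 has $members member(s), expected $#" >&2
        return 1
    fi
    return 0
}

# check_bridge MEMBER...  -- run ifconfig for real and check the live bridge.
check_bridge() {
    out=$(ifconfig bridge0 2>/dev/null) || {
        echo "bridge0 does not exist (did the launchd job run?)" >&2
        return 1
    }
    bridge_status_ok "$out" "$@"
}

# Constructed sample of 10.8-era ifconfig output, modelled on the excerpt in the
# post; the first line and the flag names in angle brackets are assumed.
SAMPLE_UP='bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether ac:dc:18:48:20:13
        Configuration:
                priority 0 hellotime 0 fwddelay 0 maxage 0
                ipfilter disabled flags 0x2
        member: en0 flags=3<LEARNING,DISCOVER>
                 port 4 priority 0 path cost 0
        member: en1 flags=3<LEARNING,DISCOVER>
                 port 5 priority 0 path cost 0'

# The same bridge after "ifconfig bridge0 down": UP and RUNNING are gone.
SAMPLE_DOWN='bridge0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
        ether ac:dc:18:48:20:13
        member: en0 flags=3<LEARNING,DISCOVER>
                 port 4 priority 0 path cost 0
        member: en1 flags=3<LEARNING,DISCOVER>
                 port 5 priority 0 path cost 0'

if [ $# -gt 0 ]; then
    check_bridge "$@"          # live check when run with member names
else
    bridge_status_ok "$SAMPLE_UP" en0 en1 && echo "sample bridge: OK"
fi
```

Run it with the member names after loading the launchd job; it exits non-zero and says on stderr what is wrong, which makes it usable from a cron job or from the launchd script itself in place of the bare `syslog` line. The member count check is deliberately an error rather than a warning: whatever else gets added to bridge0 is bridged straight onto the wired segment.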

Configuring a wired box

I have a manually configured wired box with the address Its network settings are now like this:

But for ease of use I also run a DHCP server on the bridging machine ( Jacques Fortier has the necessary information to set one up on Mac OS X without having to install any packages.

Adding routes to the wireless boxes

The wired boxes will be able to send pings to the wireless boxes, but the wireless boxes will send the return packets to the, because NAT is disabled and any address doesn't mean anything to them yet. Conceivably the sends those replies out to the interwebs, because it doesn't know the network either and the interwebs are the default route.

This information needs to be added to the static routing tables of the router. Thankfully the fritz box allows this in its expert settings. So I added:


With that the setup worked, albeit not perfectly. I could now ping from the Windows box to the Debian box, but the packets would actually be running through both and one hop too many. This is especially bad, since the extra hop is wireless. Fortunately you can also add static routes in Windows (using -p for a permanent route):
route -p add mask metric 1
