This post will show how you can use an configure an AirPort Extreme for NAT only mode so that you can allow an additional DHCP server on your network to handle IP address allocation. The instructions are for the AirPort Extreme in the Time Capsule, but I believe this should be the same for a standard AirPort Extreme as well.

I recently got an Apple Time Capsule to replace my old linksys cable router. It’s a great little unit but one thing was causing me an issue with my home setup and I couldn’t initially get it to play nice with my home network.

Due to the nature of my work I have quite a few machines on my home network. These are using for testing out various bits of Microsoft software such as System Center Configuration Manager and MDT. This involves a number of virtual and physical hosts, a full Microsoft Active Directory, DHCP and DNS setup. I also have a number of virtual client machines which are constantly rebuilt for testing. The way I have it setup is that the Microsoft DHCP server is responsible for allocating IP addresses and it causes the clients to use the Microsoft DNS (along with the Dynamic DNS registrations) along with some other specific DHCP scope options. The Microsoft DNS is setup to forward external DNS requests to the router. This ensures that all the Microsoft clients can correctly register themselves in the Microsoft DNS but can still access the internet directly. All my other non-Microsoft devices (laptop, iPad, TV, etc.) can work normally as well.

The Problem

For this setup to work, all I do is to turn off the DHCP server on the router so that the Microsoft DHCP server can take over. This is where the problems started because you don’t have that option in the interface for the Router Mode. You only get these options:

  • DHCP and NAT – This is the default mode and it runs a DHCP server and lets clients access the internet.
  • DHCP Only – This runs a DHCP server but doesn’t function as a router.
  • Off (Bridge Mode) – This is just used for acting as a wifi extender.

None of these modes work for me. What I actually need is an AirPort Extreme “NAT Only” router mode that doesn’t exist.

If you have more than one DHCP server on a LAN then both will try and hand out IP addresses to clients, but the client will register with the first server that responds. My solution was to configure the Time Capsule so that it was running in the DHCP and NAT mode so that it could be correctly used as an internet gateway, but I would configure it so that it had no free IP addresses to hand out. This would mean that any clients would only be able to successfully request an IP address from my Microsoft DHCP server.

The Solution

My solution is:

  • Set the Router Mode to “DHCP and NAT”.
  • Create the smallest possible DHCP range (2 IP addresses in the AirPort software).
  • Create “dummy” reservations for the DHCP range so that the addresses can’t actually be used.

Here is how I configured it. I’ll be using the IP range of 192.168.0.x

Open the AirPort utility and go to the Network tab. Set the Router Mode to “DHCP and NAT” as shown in the screenshot above.

Click the Network Options… button and setup the DHCP for the 192.168 network and the range will be from 253 to 254 then click Save.

This will mean that the AirPort Extreme will have the address and it will hand out the and addresses to clients. But we don’t want to the hand out any addresses! We get around this be creating a couple of dummy reservations. From the Network tab and in the DHCP Reservations section, click the + symbol.

Now enter a new reservation with the name DummyReservation1 and a MAC address of 00:00:00:00:00:00 and click Save.

Add a second reservation with the name DummyReservation2 and a MAC address of 00:00:00:00:00:01 and click Save. (Note: the two reservations must have different MAC addresses or they will vanish when you save the configuration).

The DHCP Reservation list should now look like this:

Finally click Update to store and activate the new configuration. Remember that your other DHCP server is now in charge of handing out IP addresses in that range – in this case that is to