How to fix internet sharing that doesn't route packets except DNS?

I have a Mac mini running 10.8.2. It connects to the internet over Wi-Fi and everything seems to work. I want to make this Wi-Fi available to another computer connecting to the mini's Ethernet.

My Wi-Fi router is at 10.0.0.1.

I have experimented with a bunch of static and dynamic settings. This is what I have currently:

mini
Static IP: 192.168.2.1
Netmask:   255.255.255.0
Router:    10.0.0.1

Internet Sharing is set to go from Wi-Fi to Ethernet. In this configuration:

  1. The mini will serve DHCP addresses over Ethernet.
  2. The mini will provide DNS resolution over Ethernet.
  3. The mini will NOT route packets for external hosts.
  4. The connected computer can ping or ssh to the mini.
  5. The connected computer can resolve DNS.
  6. The connected computer cannot ping the router, Google, or any other external computers.

Here is a small dump of hopefully useful things from the command line:

boots@eiji:~$ ps ax | egrep '(bootp|natp)'
52502   ??  S      0:00.01 bootpd -d -P
52503   ??  S      0:29.94 natpmpd -d -y bridge0 en1
53729 s001  S+     0:00.00 egrep (bootp|natp)
boots@eiji:~$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    inet 127.0.0.1 netmask 0xff000000 
    inet6 ::1 prefixlen 128 
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
    options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
    ether 3c:07:54:58:2f:9c 
    media: autoselect (none)
    status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 68:a8:6d:58:06:e7 
    inet6 fe80::6aa8:6dff:fe58:6e7%en1 prefixlen 64 scopeid 0x5 
    inet 10.0.0.145 netmask 0xffffff00 broadcast 10.0.0.255
    media: autoselect
    status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
    ether 0a:a8:6d:58:06:e7 
    media: autoselect
    status: inactive
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr a4:b1:97:ff:fe:d9:44:ca 
    media: autoselect <full-duplex>
    status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether ac:de:48:65:39:32 
    inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
    Configuration:
        priority 0 hellotime 0 fwddelay 0 maxage 0
        ipfilter disabled flags 0x2
    member: en0 flags=3<LEARNING,DISCOVER>
             port 4 priority 0 path cost 0

Solution 1:

Matt's answer is actually not a solution but just a workaround. NAT in 10.8.2 is not working because of a bug in pf configuration files. You can find the solution here: http://support.apple.com/kb/TS4418?viewlocale=en_US&locale=en_US
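
A quick state check for the symptom described in the question (DNS answered locally, nothing routed), added here as an example and not part of the thread or of Apple's documentation. It assumes a pf-based Internet Sharing setup (10.8+) with bridge0 as the shared-to interface, as in the ifconfig dump above, and that `pfctl -s nat` is run with root privileges.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Classifies the Internet Sharing state
# from three facts: kernel IP forwarding (0/1), number of pf NAT rules loaded,
# and the bridge0 member list. Takes the values as arguments so it can be
# exercised with constructed input on any POSIX shell.
sharing_diagnosis() {
    forwarding="${1:-0}"   # from: sysctl -n net.inet.ip.forwarding
    nat_rules="${2:-0}"    # from: sudo pfctl -s nat | grep -c '^nat '
    members="$3"           # from: ifconfig bridge0 | awk '/member:/ {print $2}'

    if [ "$forwarding" != "1" ]; then
        echo "forwarding-off"      # kernel will not pass packets between interfaces
    elif [ "$nat_rules" -eq 0 ]; then
        echo "no-nat-rules"        # pf loaded, but nothing translates 192.168.2.0/24
    elif [ -z "$members" ]; then
        echo "bridge-empty"        # bridge0 has no Ethernet member port
    else
        echo "ok"
    fi
}

# Gather the live values on the Mac itself. The commands only exist on macOS,
# so elsewhere this reports "not-macos" instead of guessing.
live_diagnosis() {
    command -v pfctl >/dev/null 2>&1 || { echo "not-macos"; return 1; }
    fwd=$(sysctl -n net.inet.ip.forwarding 2>/dev/null)
    nat=$(pfctl -s nat 2>/dev/null | grep -c '^nat ')
    mem=$(ifconfig bridge0 2>/dev/null | awk '/member:/ {print $2}')
    sharing_diagnosis "$fwd" "$nat" "$mem"
}

live_diagnosis || true
```

The "no-nat-rules" and "forwarding-off" verdicts match the question's symptom set: local DHCP and DNS still work because the mini answers them itself, while external hosts are unreachable.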

Solution 2:

I had a slightly different symptom. Wi-Fi-connected iPhones could connect to the Wi-Fi; they got an IP (192.168.2.2) and a router (192.168.2.1) assigned via DHCP. The Mac could ping them and the iPhone could access services in the local network via IP address. However, the iPhone couldn't access any Internet service (e.g. Maps).

I discovered that no DNS was assigned. So I manually specified a DNS on the iPhone and now the connection works perfectly. It seems that Internet Sharing's DHCP server in 10.8.2 doesn't correctly assign the DNS to its clients.

See also rdar://12468765.