How to reach an Apple base station from outside your local network

A reader can't get the remote access feature to work; it's a bridge too far.

airport extreme large

Reader Philipp Englin has an Apple Time Capsule, and he’d like to be able to access its internal hard drive when he’s away from his network. He know there’s an option to share the internal disk—and with a Time Capsule or AirPort Extreme, any external disks—but the checkbox doesn’t appear for him.

I realized that if I set my router mode under Network to DHCP and NAT from the current Off (Bridge Mode), then the Share Disks over WAN option will appear. Major problem: the Internet no longer works when I do that.

Philipp has a FiOS connection that requires that he use its supplied modem to feed his internet service. And what he wants to do is perfectly reasonable, but it’s hard to accomplish without making some sort of change.

A DHCP server can assign out addresses automatically to any device that connects to a network. A NAT server maps private, “fake” addresses on a local network to a gateway address (or sometimes multiple addresses). (They’re fake because they can’t be reached from the rest of the internet, but they work within your network.) Together, NAT and DHCP on an Apple or other router let you have a single path to the internet that all your hardware can share without any configuration: it connects to the gateway, gets assigned a private address, and all its traffic has routes to the broader world.

mac911 share disks over wan

You can share an AirPort Extreme or Time Capsule disk over the internet if the base station is set up to hand out network addresses via DHCP and NAT.

Bridge mode lets a router act as an extension of another networked router that’s handling this address-assigning function. In Philipp’s case, the FiOS router handles DHCP and NAT.

With the Apple router not being able to manage the interaction with the rest of the internet, Apple opted to not play other games and just disable remote disk access, as well as not allowing remote configuration via AirPort Utility. This is a little odd, because Apple ostensibly relies on functionality like that used for Back to My Mac, which has been available for several years in macOS, and which lets you share access from one Mac to another, when both are logged into the same iCloud account, for screen sharing and connected drives.

One option is to turn the broadband modem into a bridge. Not all providers allow this, and I can’t offer any generic guidance, as every network operator and modem combination will be different. In general, see if your ISP offers tech-support documents or other help that will let you turn on bridge mode with its supplied router or one you obtained, and then you can enable DHCP and NAT on just the Apple Wi-Fi base station connected directly to the broadband modem. When I had Comcast service, I was able to purchase a Linksys router and set it to bridging.

A second option is to enable and cope with “double NAT.” That’s when your modem uses DHCP and NAT, and a base station connected to the modem, also offers its own. It’s like nesting layers. This gives you access to all the DHCP and NAT features of an Apple base station, but the two layers of NAT sometimes prevent connections from the outside world from breaking through. AirPort Utility will also warn you about the double NAT.

A third option is to install remote screen-sharing software on another Mac on your network, assuming you have a Mac that you can leave running. I use iTeleport to tunnel back in—it works via double NAT, even—for a screen-sharing session, and can then access drives and other items on the local network via that remote screen. It’s more tedious than simply mounting a drive remotely, but it does the trick.

More expensive business-oriented remote-access apps can provide the same remote screen-sharing feature, but also allow access to mounted and networked drives. TeamViewer may be the best solution, because it has file-transfer features, but is available at no cost for personal use. An identical corporate edition, intended for system administrators, is quite expensive.

Ask Mac 911

We’ve compiled a list of the most commonly asked questions we get, and the answers to them: read our super FAQ to see if you’re covered. If not, we’re always looking for new problems to solve! Email yours to including screen captures as appropriate. Mac 911 cannot reply to email with troubleshooting advice nor can we publish answers to every question.


Subscribe to the Best of Macworld Newsletter