routing through virtual machine

Discussion in 'Parallels Desktop for Mac' started by mmulin, Apr 19, 2007.

  1. mmulin

    mmulin Member

    Messages:
    30
    Hi,

    I am using a special VPN connection to the company network through the XP in my VM. Sometimes, I also need to access the same network from my MacOSX.

    I wonder if it is possible, and how, to route traffic from the MacOSX through the XP in the VM.

    I have two problems:

    1) to activate the routing feature in XP. I heard it is some registry setting.
    2) how to get the MacOSX traffic routed to the VM in the first place

    Thanks for any tips
     
  2. Intersecting

    Intersecting Parallels Team

    Messages:
    19
    You should set the shared networking mode.
    To do it, run the VM, click devices -> network adapter -> shared networking.
    The traffic will be used by both the Mac OS and the VM.
     
  3. mmulin

    mmulin Member

    Messages:
    30
    Thanks, but you misunderstood. I want the MacOSX traffic routed through the VM aka using the VM as my router to the outside.
     
  4. constant

    constant Forum Maven

    Messages:
    1,010
    .
    Why don't you just use a router?
    .
     
  5. mmulin

    mmulin Member

    Messages:
    30
    1) Because I need the traffic routed through the VPN generated in the XP
    2) I don't want to carry a router around just to connect to my company network
     
  6. Eru Ithildur

    Eru Ithildur Forum Maven

    Messages:
    1,954
    I really don't know of the proper way of doing that... A router would be the easiest though.
     
  7. mmulin

    mmulin Member

    Messages:
    30
    Just for the sake of argument, what good is a router going to do? I still need all MacOSX outgoing traffic going through the VPN. This is a must! Of course, highly theoretically, I could buy two USB network adapters, register them in the VM (XP) only, connect the ethernet port on my macbook to a router, route the traffic back into the VM via USB1, through the VPN client out on USB2 to the internet. Guys, please!

    Maybe I should explain differently, as I have the feeling no one is understanding the problem:

    1) The VPN is required to connect to company network
    2) The VPN client is XP only. There is no MacOSX/*NiX/etc version!
    3) I want to access everything inside the company network from the MacOSX

    The logical traffic flow will look like this:
    Company Network <- Internet <- VPN (XP only) <- VM <- MacOSX

    Of course, the physical layout is this:
    Internet <- MacOSX <- VM (XP)
     
  8. mmischke

    mmischke Hunter

    Messages:
    155
    The approach I tried (http://forum.parallels.com/showthread.php?p=55383#post55383) was to add a static route to OS X's routing table to funnel the appropriate IP range(s) into the XP VM and out through its VPN. I wasn't able to get it working but I do believe I was on the right path. Maybe you'll find it useful as a starting point for further investigation. If you do manage to get it working, please post what you did. Good luck!
     
  9. mmischke

    mmischke Hunter

    Messages:
    155
    I just reread your initial post and I wonder if your first question may hold the answer to your second question, as well as the answer to why my proposed solution only got me so far. It's likely that the 'sudo add route...' command worked correctly (OSX's routing table certainly looked correct after running it), but if XP wasn't set up to route, the traffic flow from OS X would have stopped there. I don't recall how to enable routing in XP, but I do know it's possible (even without resorting to manually mucking w/the routing table).
     
  10. mmulin

    mmulin Member

    Messages:
    30
    Hi,

    thanks for the encouragement. Actually, today, I was able to ping inside the VM from the MacOSX using the IP of the VM adapter as displayed in the MacOSX network preferences. I didn't continue there yet. However, my idea is to create a 2nd network interface in the XP, possibly host-only, and use the share-internet connection feature of the XP to have a NAT to the VPN interface. This, at least, until I have figured out how to enable the real IP routing feature in XP. I think the routing in XP was your main problem, right? (edit: XP doesn't support configurable routing between interfaces by default. This is why I am thinking above until..)

    I'll let you know in the next days or if you can't wait knock yourself out ; )

    L8rs..
     
    Last edited: Apr 24, 2007
  11. Eru Ithildur

    Eru Ithildur Forum Maven

    Messages:
    1,954
    Here is how:
    Internet -> Router (connects to VPN) -> NAT -> OS X
    __________________________________NAT -> Windows
     
  12. mmulin

    mmulin Member

    Messages:
    30

    What?

    No offence but sorry to break your simplicism. The router can not connect to VPN. The VPN can only be created by an application running under XP.

    I still wonder what are you thinking though?!
     
  13. joem

    joem Forum Maven

    Messages:
    1,247
    I haven't tried this, but if I were faced with the problem, I'd use bridged networking to effectively make the Mac and VM two machines on the local network, then share the XP VPN connection on the local network if possible. Once the XP connection is shared, the Mac could use the XP IP address as its gateway. This should work as long as the VPN connection can be shared from XP. If it can't, that technique won't work.

    Good luck.
     
  14. mmulin

    mmulin Member

    Messages:
    30
    Good thinking. It might be another possibility, though the principle is the same: XP will need to do the routing of the incoming traffic to the outgoing. ICS is my best hope here right now. I will check it.
     
  15. mmischke

    mmischke Hunter

    Messages:
    155
    Yes, I'm thinking that I didn't enable XP's routing capabilities, nor did I set up a 2nd NIC. Routing can be enabled in XP by toggling HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter to 1 (& rebooting). For sanity's sake, you may want to configure OS X & the XP VM to use static IPs. That way, you'll know that the addresses can't be changed by DHCP (unlikely because of the way IPs are leased, but why add another potential variable to the mix?...)

    Also, I'd probably try a nonroutable class B address (172.16.x.y/16) on the 2nd XP NIC. The reason for this is that you're probably already running nonroutable class Cs (192.168.x.y/24) on your LAN and it's a decent bet that your VPN will give you a nonroutable class A (10.x.y.z/8) once it's connected. Many companies are using 10.x.y.z internally these days.

    Having said all that, perhaps ICS will be the simplest solution, as you've suggested. I've been messing around a bit more with the above scenarios, but still no luck. Even though I don't currently need this solution myself, I soon might. If my wife gets a MacBook & runs XP under Parallels, she'll be in the same boat you are: VPN client exists for XP, but not for OS X. Actually in her case, there is one for OS X, but it's $100 for a license, whereas the XP version is free (Contivity VPN).
     
  16. constant

    constant Forum Maven

    Messages:
    1,010
    .
    A second nic?

    Intersecting, how do I setup a second nic?
    .
     
  17. mmulin

    mmulin Member

    Messages:
    30
    Yes, I have been this far by now. Also found the routing feature ; ). But my company VPN is giving me problems. Basically, it is blocking the 2nd XP NIC. I'll figure it out with more time. The ICS, or shall we call it crappy ICS, is a no-go. It will force the 2nd XP NIC to dummy IP 192.168.0.1. There is no way around it. And the internal Parallels DHCP/gateway server already has this IP to establish connection between the MacOSX Parallels adapter and the 2nd XP NIC. M$ really creeps me out at times..

    Anyways, the good news is that without my VPN running, we have a proof of concept. I managed to route traffic through XP using IProute.

    Well. Now it is just up to me to get around my company's security policies enforced on the VPN client. Btw, you are right with 10.* ; )

    And, thanks for your suggestions.
     
    Last edited: Apr 25, 2007
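
The addressing advice in post 15 and the ICS collision reported in post 17 can be checked on paper before touching either machine. The following is an added example, not code from any poster or from Parallels; the segment names, host names and all addresses except the ICS address 192.168.0.1 are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Per the thread, XP's ICS renumbers the adapter it shares to this fixed address.
ICS_FORCED_ADDR = "192.168.0.1"

def check_plan(segments):
    """segments: {name: (cidr, {host: ip})}. Returns a sorted list of problem tuples."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr) for name, (cidr, _) in segments.items()}
    # Overlapping prefixes on two segments make routes ambiguous on the box joining them.
    for a, b in combinations(sorted(nets), 2):
        if nets[a].overlaps(nets[b]):
            problems.append(("overlap", a, b))
    for name, (_, hosts) in segments.items():
        seen = {}
        for host, ip in sorted(hosts.items()):
            addr = ipaddress.ip_address(ip)
            if addr not in nets[name]:
                problems.append(("outside-subnet", name, host))
            if addr in seen:
                problems.append(("duplicate", seen[addr], host))
            seen.setdefault(addr, host)
    return sorted(problems)

def enable_ics(segments, segment, host):
    """Return a copy of the plan with `host` renumbered the way ICS would."""
    cidr, hosts = segments[segment]
    return {**segments, segment: (cidr, {**hosts, host: ICS_FORCED_ADDR})}

# Constructed plan following the 172.16/16 suggestion for the second XP NIC.
PLAN_STATIC = {
    "home-lan":  ("192.168.1.0/24", {"mac-en0": "192.168.1.20", "xp-nic1": "192.168.1.21"}),
    "host-only": ("172.16.0.0/16",  {"mac-parallels": "172.16.0.1", "xp-nic2": "172.16.0.2"}),
    "vpn":       ("10.0.0.0/8",     {"xp-vpn": "10.1.2.3"}),
}
# Constructed plan for the ICS attempt: the Parallels gateway already holds 192.168.0.1.
PLAN_ICS = {
    "home-lan":  ("192.168.1.0/24", {"mac-en0": "192.168.1.20", "xp-nic1": "192.168.1.21"}),
    "host-only": ("192.168.0.0/24", {"parallels-gw": "192.168.0.1", "xp-nic2": "192.168.0.2"}),
    "vpn":       ("10.0.0.0/8",     {"xp-vpn": "10.1.2.3"}),
}

if __name__ == "__main__":
    print(check_plan(PLAN_STATIC))
    print(check_plan(enable_ics(PLAN_ICS, "host-only", "xp-nic2")))
```
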
  18. mmischke

    mmischke Hunter

    Messages:
    155
    Parallels lets us configure up to 5 NICs per VM. Go to your VM config screen (guest OS should be powered off - not just suspended), hit the Add button and select Network Adapter. Supposedly multiple virtual NICs can be mapped to multiple physical NICs (if your machine is so equipped) as well as to a single physical NIC. I haven't played too much with this feature yet, but it seems to work OK.
     
  19. mmischke

    mmischke Hunter

    Messages:
    155
    It's amazing how much effort we often have to expend circumventing corporate access restrictions in order to get our work done. :)

    I guess it makes sense that some VPN software might be smart enough to defeat attempts to manually force a route through it. Bummer. I didn't see that one coming.

    If you find a solution, pls post your results, and I'll do the same. Even though this isn't currently a problem for me, it's an interesting project to play around with.
     
  20. mmulin

    mmulin Member

    Messages:
    30
    the solution you find above as proof of concept - to route traffic from the MacOSX through the VM. however, to circumvent company restriction depends on a) your VPN client and, more importantly, b) on the security policies enforced by your company via the client. for this, there is no general answer.

    one more thing. the cICS feature in XP apparently works fine with my VPN client. I tested it on a regular PC. now, it deducts a new feature request to Parallels:

    -- make the internal DHCP routing address either configurable or at least different than xxx.xxx.xxx.1. this in effort to comply with the cICS feature in XP - since Parallels is already focusing so much on Windows --

    this would make it much easier for the general user to achieve such feats.
     
