Enable guest Win7 networking over host Mac OS X VPN

Discussion in 'Windows Virtual Machine' started by ErlingJ, Feb 29, 2016.

  1. ErlingJ

    ErlingJ Junior Member

    Messages:
    11
    It seems PD 10 does not deal properly with DNS when the host has an active VPN connection.

    I use F5 VPN under Mac OS X to connect to the work network from home, and while this works well on the Mac side, the PD guest Win7 VM (and CentOS VM for that matter) can't see anything on the work network (except for things that are using static IP). Also, Internet sites can't be reached from the VMs over the host VPN connection. (This is with Parallels setting up a shared local network for the VMs, i.e. not bridged mode.)

    It was not clear at first that the issue was related to PD and DNS (could be due to anything including corporate policy), but a re-evaluation of VM tools revealed that the issue is not there with Fusion (8 at least), it works right out of the box in this regard. My evaluation could easily have ended up with PD not fit for purpose, had I not found the non-obvious manual steps required to fix the issue.

    FWIW, the workaround is to run "scutil --dns" in the Mac Terminal (with VPN connected), and then set up DNS manually on the dark side using the first nameserver[0] entry echoed by scutil as the primary DNS, and the DNS set up by PD as the secondary.
     
  2. Elric

    Elric Parallels Team

    Messages:
    1,718
    It is interesting. I'd appreciate it if you could do the following:
    1. Revert the DNS to default
    2. Enable verbose logging
    3. Try to access a few sites that don't work
    4. Send a problem report and post its number here
    Then disable the verbose logging and set DNS to the address that works for you
     
  3. ErlingJ

    ErlingJ Junior Member

    Messages:
    11
    Done. The problem report number is 91745843.

    BTW, I was afraid the manually configured DNS would create problems when using the VM at work (i.e. without VPN), since the DNS setup is referring to a non-existent server in this case, and not the actual DNS at work. What happens in practice is that the following is echoed on the Windows event log:

    "The client was unable to validate the following as active DNS server(s) that can service this client. The server(s) may be temporarily unavailable, or may be incorrectly configured. 10.220.220.220"

    However, DNS lookups work despite this warning. It seems Windows reverts to the DNS info from DHCP when DNS is otherwise misconfigured. I am not extremely happy with this kludge though. Configuration with an undocumented, private DNS address on multiple machines seems to be asking for trouble to happen down the road.
     
  4. Elric

    Elric Parallels Team

    Messages:
    1,718
    Sorry, a couple of things went badly wrong on the Problem Report server (it is the first time this has happened to me). The report was lost. Would you mind repeating the steps?
    It is strange, it must not revert to DNS from DHCP if manually configured servers don't work. I'd recommend configuring two DNS servers: one is the VPN'd one and the other is 10.211.55.1, the Parallels shared networking DNS proxy.
     
  5. ErlingJ

    ErlingJ Junior Member

    Messages:
    11
    OK. Problem report number is now 91797911.
     
  6. ErlingJ

    ErlingJ Junior Member

    Messages:
    11
    It seems like the "supplemental" DNS in the parallels.log (the one and only DNS address that actually works when VPN is active) is used only for select domains on the work network. Everything else is sent to the ISP DNS addresses, one after the other, until they are considered dead, after which all requests are sent to the local router. That can't work.
     
  7. Elric

    Elric Parallels Team

    Messages:
    1,718
    > It seems like the "supplemental" DNS in the parallels.log (the one and only DNS address that actually works when VPN is active) is used only for select domains on the work network
    > That can't work.
    I see that in the parallels.log. It should work. Could we organize a remote session with you? We'd want to collect a few more details. I expect that the session will take about 30 minutes. I'll send my email address and available timeframe via the forum's private messages. Please reply if you agree with the session.
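
The workaround from the first post and the domain-scoped behaviour noted in post 6, as an added example that is not code from the thread participants or from Parallels. It parses `scutil --dns` output, picks the first `nameserver[0]` as the guest's primary DNS with the Parallels proxy 10.211.55.1 as secondary, and lists resolvers that only answer for specific domains. The sample output is constructed; `corp.example.com` is a placeholder, and the two addresses are the ones quoted in the thread.

```python
# Constructed sample of `scutil --dns` output with the VPN connected.
# corp.example.com is a placeholder; 10.220.220.220 is the address from the thread.
SAMPLE = """\
DNS configuration

resolver #1
  search domain[0] : corp.example.com
  nameserver[0] : 10.220.220.220
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : corp.example.com
  nameserver[0] : 10.220.220.220
  flags    : Supplemental, Request A records

resolver #3
  domain   : local
  options  : mdns
  flags    : Request A records
"""

def parse_resolvers(text):
    """Split `scutil --dns` output into one dict per 'resolver #N' block."""
    resolvers = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("resolver #"):
            resolvers.append({"domain": None, "nameservers": [], "flags": []})
        elif resolvers and ":" in line:
            # Split on the first colon only, so IPv6 addresses stay intact.
            key, _, value = (part.strip() for part in line.partition(":"))
            current = resolvers[-1]
            if key.startswith("nameserver["):
                current["nameservers"].append(value)
            elif key == "domain":
                current["domain"] = value
            elif key == "flags":
                current["flags"] = [f.strip() for f in value.split(",")]
    return resolvers

def guest_dns_order(text, pd_proxy="10.211.55.1"):
    """Primary: first nameserver scutil prints. Secondary: Parallels DNS proxy."""
    for resolver in parse_resolvers(text):
        if resolver["nameservers"]:
            return [resolver["nameservers"][0], pd_proxy]
    return [pd_proxy]

def domain_scoped(text):
    """Resolvers bound to a domain are consulted only for names under it."""
    return {r["domain"]: r["nameservers"]
            for r in parse_resolvers(text) if r["domain"] and r["nameservers"]}
```

On a real host, pass the text captured from `scutil --dns` instead of `SAMPLE`.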
     
