Routing problems with bridge101 aka host-only in Sequoia (was Monterey, Ventura)

Discussion in 'Installation and Configuration of Parallels Desktop' started by BallO, Nov 5, 2022.

  1. Erin Whitla

    Erin Whitla Bit poster

    The only other ways I could see myself working around this issue were using IP-in-IP (or GRE) encapsulation to pass forwarded traffic across the vmnet interface - which would require a lot of config (and third party tools) on the vm and host, or to instead forward to the vm via its external bridged interface. The latter works because the host interface in that bridge is not a vmnet interface. Finding that to work in an earlier test is actually what gave me the idea to use feth interfaces. The feth solution is much better though IMHO as it doesn't expose any of your private traffic to your local wifi or ethernet segment and doesn't require a bunch of scripts to handle those interfaces' dynamism. You can just create a launch daemon that is triggered to run by bridge101 coming up when Parallels starts.
     
  2. Erin Whitla

    Erin Whitla Bit poster

    To make this more useful you can add resolver config files to /etc/resolver/ to forward DNS requests for matched subdomains to the internal DNS on the other side of your VPN tunnel via your feth0 interface.
     
  3. Erin Whitla

    Erin Whitla Bit poster

    I have also tested directly bridging a VM interface to the feth0 host interface and found that it works. Parallels dutifully creates the bridge on demand when the VM starts and binds feth0 to it. The device topology makes less sense this way as you have a dangling, but required, feth1 peer but it offers the advantage of not requiring an additional launch daemon to bind the feth1 interface to the host-only network bridge (bridge101...) when Parallels starts. You can just add a very simple networking script to run on boot adding the feth interfaces. I already had such a script to add aliases for lo0. In case you don't already have this here is an example ...
    Code:
    erwhi@X15:~$ cat /opt/local/sbin/networking
    #!/bin/sh
    
    sysctl -w net.inet.ip.forwarding=1
    #sysctl -w net.inet.ip.redirect=0
    #sysctl -w net.inet.icmp.drop_redirect=1
    #sysctl -w net.inet.tcp.mssdflt=1450
    #sysctl -w net.inet.tcp.blackhole=1
    #sysctl -w net.inet.tcp.icmp_may_rst=0
    #sysctl -w net.inet.tcp.randomize_ports=1
    #sysctl -w net.inet.udp.blackhole=1
    sysctl -w net.inet6.ip6.forwarding=1
    #sysctl -w net.inet6.ip6.redirect=0
    #sysctl -w net.inet6.ip6.use_tempaddr=1
    #sysctl -w net.inet6.ip6.auto_linklocal=0
    #sysctl -w net.inet6.icmp6.rediraccept=0
    
    # x15.local virtual hosts
    /sbin/ifconfig lo0 alias 127.0.1.1/32
    # local apache virtual hosts
    /sbin/ifconfig lo0 alias 127.0.1.2/32
    # local postgres
    /sbin/ifconfig lo0 alias 127.0.1.3/32
    
    # local nginx
    #/sbin/ifconfig lo0 alias 127.0.2.1/32
    # local flask
    #/sbin/ifconfig lo0 alias 127.0.2.2/32
    
    /sbin/ifconfig lo0 alias 127.0.2.4/32
    /sbin/ifconfig lo0 alias 127.0.2.5/32
    /sbin/ifconfig lo0 alias 127.0.2.6/32
    erwhi@X15:~$
    Code:
    erwhi@X15:~$ cat /Library/LaunchDaemons/net.devocean.networking.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
        <dict>
            <key>Label</key><string>net.devocean.networking</string>
            <key>ProgramArguments</key>
            <array>
                <string>/opt/local/sbin/networking</string>
            </array>
            <key>RunAtLoad</key><true/>
            <key>KeepAlive</key><false/>
            <key>ServiceDescription</key><string>Custom networking configuration</string>
            <key>StandardErrorPath</key><string>/var/log/network.log</string>
            <key>StandardOutPath</key><string>/var/log/network.log</string>
            <key>WatchPaths</key>
            <array>
                <string>/opt/local/etc/network.conf</string>
            </array>
        </dict>
    </plist>
    erwhi@X15:~$
     
  4. Erin Whitla

    Erin Whitla Bit poster

    Oops, the networking script above should have read (for the minimum requirement of forwarding traffic to parallels) ...
    Code:
    #!/bin/sh
    
    # Let the host forward packets between its interfaces (IPv4 and IPv6)
    sysctl -w net.inet.ip.forwarding=1
    sysctl -w net.inet6.ip6.forwarding=1
    
    # Create a fake-ethernet pair: feth0 carries the host-side address,
    # feth1 is the peer that gets bound to the Parallels host-only bridge
    ifconfig feth0 create
    ifconfig feth1 create
    ifconfig feth0 peer feth1
    ifconfig feth0 10.99.98.1/24
     
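An idempotent version of the setup described in this thread, added here as an example rather than the poster's own script: it creates the feth pair only if missing, binds the feth1 peer to the host-only bridge only if it is not already a member, and writes the /etc/resolver/ file mentioned earlier. The bridge name bridge101, the address 10.99.98.1/24, the zone corp.example and the DNS server 10.99.98.53 are assumed values.

```shell
#!/bin/sh
# Added example (not the poster's script): an idempotent version of the feth
# setup above that also binds the feth1 peer to Parallels' host-only bridge and
# writes an /etc/resolver/ file so an internal zone resolves through the tunnel.
# bridge101, 10.99.98.1/24, corp.example and 10.99.98.53 are assumed values.
set -eu

BRIDGE=${BRIDGE:-bridge101}
FETH_ADDR=${FETH_ADDR:-10.99.98.1/24}
ZONE=${ZONE:-corp.example}         # hypothetical internal DNS zone
ZONE_NS=${ZONE_NS:-10.99.98.53}    # hypothetical DNS server behind the VPN

# bridge_has_member IFCONFIG_OUTPUT IFACE: succeeds if IFACE is already a member.
# The trailing space keeps "feth1" from matching "feth10".
bridge_has_member() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*member: $2 "
}

# resolver_file NAMESERVER: contents for /etc/resolver/<zone> (see resolver(5)).
resolver_file() {
    printf 'nameserver %s\nsearch_order 1\n' "$1"
}

# Constructed sample of `ifconfig bridge101` output with one Parallels member.
SAMPLE_BRIDGE='bridge101: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.37.129.2 netmask 0xffffff00 broadcast 10.37.129.255
        member: vnic1 flags=3<LEARNING,DISCOVER>
                ifmaxaddr 0 port 23 priority 0 path cost 0'

# apply: the real changes; macOS only, needs root, and only runs with --apply.
apply() {
    sysctl -w net.inet.ip.forwarding=1
    sysctl -w net.inet6.ip6.forwarding=1
    ifconfig feth0 >/dev/null 2>&1 || ifconfig feth0 create
    ifconfig feth1 >/dev/null 2>&1 || ifconfig feth1 create
    ifconfig feth0 | grep -q 'peer: feth1' || ifconfig feth0 peer feth1
    ifconfig feth0 "$FETH_ADDR"
    ifconfig feth1 up
    if ! bridge_has_member "$(ifconfig "$BRIDGE")" feth1; then
        ifconfig "$BRIDGE" addm feth1
    fi
    resolver_file "$ZONE_NS" > "/etc/resolver/$ZONE"
}

if [ "${1:-}" = "--apply" ]; then
    apply
else
    bridge_has_member "$SAMPLE_BRIDGE" feth1 || echo "feth1 is not a member of $BRIDGE yet"
fi
```

Run it with `--apply` as root on the host; without the flag it only checks the embedded sample, which is handy for verifying the membership parser against real `ifconfig bridge101` output first.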