
Crc on macos(hyperkit) network(bridge mode) issue #1034

Closed
gsustek opened this issue Feb 22, 2020 · 7 comments
Labels
kind/question Start a discussion status/need more information Issue needs more information before it will be looked at

Comments

@gsustek

gsustek commented Feb 22, 2020

On macOS, after crc version 1.2, hyperkit is the only supported hypervisor. Currently, the hyperkit network is configured in bridged mode and not in NAT mode, which causes an issue with VPN clients that only allow/pass connections from the local host.
Is it possible to start/configure crc/hyperkit to switch to NAT mode, or to bring back VMware support?

Regards,
Goran.

@gbraad
Contributor

gbraad commented Feb 24, 2020

We will not support VMware (we never did for CRC), as it is the same story for VirtualBox #838

However, I am not familiar with NAT for Hyperkit? Where did you see this possibility?

@gbraad gbraad added kind/question Start a discussion status/need more information Issue needs more information before it will be looked at labels Feb 24, 2020
@gbraad
Contributor

gbraad commented Feb 24, 2020

I did look into this again, and the situation hasn't changed; the way around this is to use vpnkit. At the moment we do not support this.

@gsustek
Author

gsustek commented Feb 24, 2020

VMware was a typo. The actual situation is: you install crc locally and need to reach, from inside crc, resources like DBs that are only available over VPN. So you fire up your favourite VPN, and the issue is that the VPN discards all packets that do not have (originate from) the source IP address of the local machine where the VPN is running. Because hyperkit routes packets from the VM without SNAT-ing them to the local machine IP, the VPN discards those packets. VirtualBox has the "right way" NAT implementation. I read about vpnkit, and it sounds like it would be a solution for this situation. Is it possible for me to get a prerelease version of crc which has vpnkit implemented?

@gsustek
Author

gsustek commented Mar 4, 2020

The issue is solved by enabling ip.forwarding and NAT-ing traffic from the crc host interface to the VPN interface with the VPN interface IP (SNAT).

@gbraad
Contributor

gbraad commented Mar 10, 2020

the issue is that the VPN discards all packets

Right, and this is related to how the VPN is configured (the route-all rule). We will look into possible solutions, but for now this would be to reconfigure your client and disallow the network segments for libvirt and crc, or even 192.168.0.0/16.

Is it possible for me to get a prerelease version of crc which has vpnkit implemented?

Currently not worked on. You can however use a VM with VPNkit alongside it for now as a workaround.

@gbraad gbraad closed this as completed Mar 10, 2020
@Cantek

Cantek commented May 4, 2020

Hello, I am having the exact same issue.

My deployments should access certain sources that are accessible only with the VPN.
But CRC cannot access the source because it is not using my host computer's VPN connection.

@gsustek mentioned
The issue is solved with enabling ip.forwarding and NAT-ing traffic from crc host interface to VPN interface with VPN interface IP(sNAT).

@gsustek Can you please guide me? How can I do the same? Using macOS Catalina, and
crc version: 1.6.0+8ef676f
OpenShift version: 4.3.0 (embedded in binary)

Thank you.

@gsustek
Author

gsustek commented May 8, 2020

sources:
https://apple.stackexchange.com/questions/265237/corresponding-ipfw-rules-in-macos-for-this-iptables-rules
https://apple.stackexchange.com/questions/230300/what-is-the-modern-way-to-do-port-forwarding-on-el-capitan-forward-port-80-to/230331#230331
https://docs.mitmproxy.org/stable/howto-transparent/
https://unix.stackexchange.com/questions/505712/how-to-setup-simple-port-forwarding-on-macos-with-pf-rules-must-be-in-order-o
https://serverfault.com/questions/791181/redirecting-traffic-to-a-specific-address-and-port-using-pf-on-macos
https://kfigiela.github.io/2014/11/07/using-native-os-x-nat-with-virutalbox/
https://forums.freebsd.org/threads/generic-nat-firewall-pf-config-template.60144

```sh
# first enable routing on your mac
sudo sysctl net.inet.ip.forwarding=1
```

example of anchor file:

```
# com.apple anchor point
###pflog_logfile="/var/log/pflog"
scrub-anchor "com.apple/*"
# fix mtu
scrub on ppp0 all max-mss 1314
nat-anchor "com.apple/*"
# add nat
nat on ppp0 from bridge100:network to any -> (ppp0)
rdr-anchor "com.apple/*"
# add state
pass from ppp0 to bridge100:network keep state
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
```

```sh
# check
sudo pfctl -vnf /etc/pf.conf

# execute
sudo pfctl -Eef /etc/pf.conf
```

add dns entry on your interface

Hope it helps...
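A small lint for a ruleset of this shape, added here as an example and not part of the thread or the crc project: it checks the section order pf requires (scrub, then nat/rdr, then pass/block) and that every NAT rule is scoped to a named source network rather than `from any`, so only the crc bridge segment is translated into the VPN address. The sample ruleset, the interface names ppp0 and bridge100, and the function names are constructed from the post above; it applies to the SNAT workaround described in both of gsustek's comments.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a pf ruleset such as the
# anchor file posted above before handing it to `sudo pfctl -vnf`.
# Constructed sample mirroring the posted rules (ppp0 = VPN interface,
# bridge100 = hyperkit bridge, both taken from the post).
SAMPLE_RULES='scrub-anchor "com.apple/*"
scrub on ppp0 all max-mss 1314
nat-anchor "com.apple/*"
# SNAT only the crc bridge network to the VPN address
nat on ppp0 from bridge100:network to any -> (ppp0)
rdr-anchor "com.apple/*"
pass from ppp0 to bridge100:network keep state
anchor "com.apple/*"'

# pf loads sections in a fixed order: options, normalization (scrub),
# queueing, translation (nat/rdr/binat), then filtering (pass/block).
# Returns 0 when no scrub/nat/rdr line follows a filter rule, 1 otherwise.
check_pf_order() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    /^[ \t]*(pass|block)[ \t]/ { filt = 1; next }
    /^[ \t]*(scrub|nat|rdr|binat)([ \t]|-anchor)/ { if (filt) bad = 1 }
    END { if (bad) exit 1; exit 0 }'
}

# Least-privilege check: every "nat on <if>" rule must name a concrete
# source network (here bridge100:network), never "from any", so hosts
# other than the VM segment are not silently translated into the VPN.
# Returns 0 when all NAT rules are scoped, 1 otherwise.
check_nat_scoped() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*nat[ \t]+on[ \t]/ {
      line = $0 " "
      if (line !~ /[ \t]from[ \t]/ || line ~ /[ \t]from[ \t]+any[ \t]/) bad = 1
    }
    END { if (bad) exit 1; exit 0 }'
}

# Both checks must pass; returns 0 only then.
lint_pf_rules() {
  check_pf_order "$1" && check_nat_scoped "$1"
}

lint_pf_rules "$SAMPLE_RULES" && echo "ruleset ok"
```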

@gbraad gbraad added nested-virt To identify issues that are related to nested virtualization and removed nested-virt To identify issues that are related to nested virtualization labels Aug 6, 2021