Troubleshooting networking on macOS
Multipass uses “hyperkit” to run instances, which utilises MacOS’ Hypervisor.framework. This framework manages the networking stack for the instances.
On creation of an instance, Hypervisor.framework on the host uses MacOS’ “Internet Sharing” mechanism to
- create a virtual switch and connects each instance to it (subnet 192.168.64.*)
- provide DHCP and DNS resolution on this switch at 192.168.64.1 (via bootpd & mDNSResponder services running on the host); this is configured by an auto-generated file /etc/bootpd.plist - but editing this is pointless as MacOS re-generates it as it desires.
Note that according to “System Preferences” -> “Sharing”, the "Internet Sharing"service can appear disabled - this is ok. In the background, it will still be enabled to support instances.
Tools known to interfere with Multipass
- VPN software can be aggressive at managing routes, and may route 192.168.64 subnet through the VPN interface, instead of keeping it locally available.
- Possible culprits: OpenVPN, F5, Dell SonicWall, Cisco AnyConnect, Citrix/Netscaler Gateway, Jupiter Junos Pulse / Pulse Secure
- Tunnelblick doesn’t cause problems
- Cisco Umbrella Roaming Client it binds to localhost:53 which clashes with Internet Sharing, breaking instance’s DNS (ref: Umbrella Roaming Client OS X and Internet Sharing)
Default configuration binds to localhost port 53, clashing with Internet Sharing.
- another dnsmasq process bound to localhost port 53
- custom DHCP server bound to port 67? (“sudo lsof -iUDP:67 -n -P” should show launchd & bootpd only)
multipass shell <instance>fails
multipass shell <instance>works but the instance cannot connect to the internet
- go to “DNS” section
- extra IPs not reachable between instances
- go to “ARP” section
Unable to determine IP address usually implies some networking configuration is incompatible, or there is interference from a Firewall or VPN.
Troubleshooting (section to be expanded)
- Is Firewall enabled?
- If so it must not “Block all incoming connections”
- Blocking all incoming connections prevents a DHCP server from running locally, to give an IP to the instance.
- It’s ok to block incoming connections to “multipassd” however.
- Little Snitch - defaults are good, it should permit mDNSResponder and bootpd access to BPF
If you’re having trouble downloading images and/or see
Unknown errors when trying to
multipass launch -vvv, Little Snitch may be interfering with
multipassd's network access (ref. #1169)
- Internet Sharing - doesn’t usually clash
- Is the bootpd DHCP server alive? (
sudo lsof -iUDP:67 -n -Pshould mention
sudo route -nv add -net 192.168.64.0/24 -interface bridge100
If you get a “File exists” error, maybe delete and retry?
sudo route -nv delete -net 192.168.64.0/24 sudo route -nv add -net 192.168.64.0/24 -interface bridge100
-static route helps?
If using “Cisco AnyConnect” - try using “OpenConnect” (
brew install openconnect) instead as it messes with routes less (but your company sysadmin/policy may not permit/authorize this).
- It monitors the routing table so may prevent any customisation. Here is a very hacky workaround.
Does your VPN software provide a “Split connection” option - where VPN sysadmin can designate a range of IP addresses to not be routed through the VPN.
- Cisco does
- Pulse Secure / Jupiter Junos Pulse do
Potential workaround for VPN conflicts (ref: #495)
nat … line (if there is one, otherwise at the end) in
/etc/pf.conf, add this line:
nat on utun1 from bridge100:network to any -> (utun1)
and reload PF with
$ sudo pfctl -f /etc/pf.conf.
Possible other option - configure Multipass to use a different subnet?
/Library/Preferences/SystemConfiguration/com.apple.vmnet.plist to change the “Shared_Net_Address” value to something other than
- works if you edit the plist file and stay inside 192.168 range, as Multipass hardcoded for this
Note on this:
If you change the subnet and launch an instance, it will get an IP from that new subnet. But if you try changing it back, the change is reverted on next instance start. It appears that the dhcp server reads the last IP in
/var/db/dhcpd_leases, decides the subnet from that, and updates Shared_Net_Address to match. So only way to really revert this change is edit/delete
Can you ping IP addresses?
$ ping 188.8.131.52 PING 184.108.40.206 (220.127.116.11) 56(84) bytes of data. ^C --- 18.104.22.168 ping statistics --- 3 packets transmitted, 0 received, 100% packet loss, time 2030ms
Note that macOS’s firewall can block the ICMP packets that
ping uses, which will interfere with this test. Make sure you disable “Stealth Mode” in “System Preferences”->“Security & Privacy” -> “Firewall” just for this test.
If you try again:
multipass@x:~$ ping 22.214.171.124 PING 126.96.36.199 (188.8.131.52) 56(84) bytes of data. 64 bytes from 184.108.40.206: icmp_seq=1 ttl=53 time=7.02 ms 64 bytes from 220.127.116.11: icmp_seq=2 ttl=53 time=5.91 ms 64 bytes from 18.104.22.168: icmp_seq=3 ttl=53 time=5.12 ms ^C --- 22.214.171.124 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2143ms rtt min/avg/max/mdev = 5.124/6.020/7.022/0.781 ms
This means the instance can indeed connect to the internet, but DNS resolution is broken. Testing DNS resolution using the
dig tool now may show it broken:
multipass@x:~$ dig google.ie ; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.ie ;; global options: +cmd ;; connection timed out; no servers could be reached
But if it shows this, it’s all working:
multipass@x:~$ dig google.ie ; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.ie ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48163 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;google.ie. IN A ;; ANSWER SECTION: google.ie. 15 IN A 126.96.36.199 ;; Query time: 0 msec ;; SERVER: 192.168.64.1#53(192.168.64.1) ;; WHEN: Thu Aug 01 15:17:04 IST 2019 ;; MSG SIZE rcvd: 54
To test further, try supplying an explicit DNS server
multipass@x:~$ dig @188.8.131.52 google.ie ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @184.108.40.206 google.ie ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11472 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1452 ;; QUESTION SECTION: ;google.ie. IN A ;; ANSWER SECTION: google.ie. 39 IN A 220.127.116.11 ;; Query time: 6 msec ;; SERVER: 18.104.22.168#53(22.214.171.124) ;; WHEN: Thu Aug 01 15:16:27 IST 2019 ;; MSG SIZE rcvd: 54
This implies the problem is with macOS’s “Internet Sharing” feature - for some reason its built-in DNS server is broken.
The built-in DNS server should be “mDNSResponder” which binds to localhost on port 53.
If using Little Snitch or another per-process firewall, ensure mDNSResponder can establish outgoing connections. MacOS’ built-in firewall should not interfere with it.
Check what is bound to that port on the host with
$ sudo lsof -iTCP:53 -iUDP:53 -n -P COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME mDNSRespo 191 _mdnsresponder 17u IPv4 0xa89d451b9ea11d87 0t0 UDP *:53 mDNSRespo 191 _mdnsresponder 25u IPv6 0xa89d451b9ea1203f 0t0 UDP *:53 mDNSRespo 191 _mdnsresponder 50u IPv4 0xa89d451b9ea8b8cf 0t0 TCP *:53 (LISTEN) mDNSRespo 191 _mdnsresponder 55u IPv6 0xa89d451b9e2e200f 0t0 TCP *:53 (LISTEN)
The above output shows the correct state while a instance is running. If no instance is running (and Internet Sharing disabled in System Preferences), the command should return nothing.
Any other command appearing in that output means a process is conflicting with Internet Sharing, and thus will break DNS in the instance.
- Configure DNS inside the instance to use an external working DNS server. Can do so by appending this line to /etc/resolv.conf manually:
“126.96.36.199” is a free DNS service provided by CloudFlare, but you can use your own.
- Use a custom cloud-init to set /etc/resolv.conf for you on first boot.
The macOS bridge used for hyperkit filters packets so that only the IP address originally assigned to the VM is allowed through. If you add an additional address (e.g. IP alias) to the VM, the ARP broadcast will get through but the ARP response will be filtered out.