How Mac OSX Prioritizes Network Interfaces When Routing

ifconfigmacosnetstatnetworking

To give a concrete example, how does OSX choose which of these default entries from netstat -nr to route to?

Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.10.99.100       UGSc            0        0    ppp0
default            192.168.1.1        UGSc            5        0     en0
default            192.168.1.1        UGScI           1        0     en1
default            192.0.2.1          UGScI         157        2    ppp0

From what I have been able to tell OSX uses metrics on its interfaces rather than on its routing table entries. But by default all of those interface metrics are 0 so how does it choose? Last created interface?

I've seen some folks suggest its the order in the Network preferences, but in my case the ppp0 interface (from SonicWall NetExtender) isn't listed there.

There is some discussion in this thread, but no answer that I see.

Best Answer

Most systems follows these rules when choosing which route to use:

Find the most specific ones (i.e. the ones with the longest matching prefix).
Choose the one with the highest priority.

On Linux (and, I think, on Windows) priority is determined by metric, but it is not the case on macOS as you correctly pointed out. Instead of assigning metrics to individual routes, macOS assigns priorities to interfaces. You can use networksetup -listnetworkserviceorder to view this order and networksetup -ordernetworkservices to change it.

Now, this route from your output makes me think that in your case specificity also plays its role:

Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.10.99.100       UGSc            0        0    ppp0

This route covers the bottom half of the address space and therefore I would expect to also find:

128.0/1            10.10.99.100       UGSc            0        0    ppp0

in your routing table. This is a standard trick VPN software uses to prioritise its routes over default: it adds two routes which together cover all IP addresses, but each of them is more specific than default, so they win.

Related Solutions

Networking – pfSense 2.1 OpenVPN client not using tunnelled interface

Normally, you must provide an instruction to forward IPv4 traffic from the LAN to the new interface which the VPN provides, be it tun0 or tap0.

I am way too rusty with pf to try and suggest how to do it. With iptables you would use this command:

 iptables --table nat --append POSTROUTING --out-interface tap0/tun0 -j MASQUERADE

I hope this will provide a push in the right direction, even though this is not a solution.

How to set route specific interface metrics under Mac OS X

The simplest solution to this doesn't involve having to define (and find a way to persist) static routes.

I would recommend that you use a different subnet (over the same physical network) for storage.

Turn off DHCP on en0 on your Mac and set it to have a static IP on this new subnet on en0, with no gateway defined on that interface. Say, for example, 192.168.1.1 with subnet mask 255.255.255.0.
Give the NAS an IP on this subnet too. Say, for example, 192.168.1.2 with subnet mask 255.255.255.0.
Any other device on the network that needs to reach the NAS can also have an IP on this subnet and will be able to communicate with it. No special routing is necessary. It can even have two IP adresses, one on the 0.0 net and one on the 1.0 net, as long as only one of them has a gateway assigned.
Your Mac will now have one route to the gateway (en1, Wi-Fi) and one route to the NAS (en0, Ethernet).

Best Answer

Related Solutions

Networking – pfSense 2.1 OpenVPN client not using tunnelled interface

How to set route specific interface metrics under Mac OS X

Related Question