NEPacketTunnelNetworkSettings excludedRoutes not working for few ip's such as: 239.255.255.250

Hi, We are observing few NEPacketTunnelNetworkSettings excludedRoutes ip's in PacketTunnel even-though it is added in exclude routes.

As you can see in network setting where we have added destinationAddress = 239.255.255.0 destinationSubnetMask = 255.255.255.0 in exclude route, still traffic of IP 239.255.255.250 coming to packet tunnel.

We also observing other IP's traffic that is not added in include route such as: 20.192.170.9

//Network Settings for Packet Tunnel  
IPv4Settings = {
        configMethod = PPP
        addresses = (
            10.10.10.10,
        )
        subnetMasks = (
            255.255.255.255,
        )
        includedRoutes = (
            {
                destinationAddress = 10.10.10.10
                destinationSubnetMask = 255.255.255.255
                gatewayAddress = 10.10.10.10
            },
        )
        excludedRoutes = (
            {
                destinationAddress = 192.168.0.0
                destinationSubnetMask = 255.255.0.0
            },
            {
                destinationAddress = 10.0.0.0
                destinationSubnetMask = 255.0.0.0
            },
            {
                destinationAddress = 127.0.0.1
                destinationSubnetMask = 255.255.255.255
            },
            {
                destinationAddress = 172.16.0.0
                destinationSubnetMask = 255.240.0.0
            },
            {
                destinationAddress = 239.255.255.0
                destinationSubnetMask = 255.255.255.0
            },
        )

am i doing something wrong in setting NEPacketTunnelNetworkSettings?

Answered by DTS Engineer in 763684022

is multicast ip gets forwarded to every packet tunnel utun interface even-though it is not added in include rule?

Most multicast programs explicitly control the interface, or interfaces, that they want to send on. That is, they look through the interface list, filter out the interfaces that they don’t care about, and explicitly send a copy of the multicast datagram to the remaining interfaces. In that case the system will pass the multicast datagram to your provider regardless of the routing rules.

This can happen with unicast datagrams as well, if the program binds a flow to a specific interface. You can learn more about this in the various posts hung off Extra-ordinary Networking. Search for the term scope.

What if we ignore these packets from packet tunnel readPacketObjects as we don't want to handle these packets?

The datagram gets dropped. As to whether that’ll cause problems, it depends on what the program is doing. For an SSDP client, it just won’t find any services.

when multicast entitlement needed?

See the Local Network Privacy FAQ.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi @eskimo,

any thoughts on this?

any thoughts on this?

Not off the top of my head.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi @eskimo

Looks like ip 239.255.255.250 is multicast address (Simple Service Discovery Protocol - SSDP)

I have following questions:

  • is multicast ip gets forwarded to every packet tunnel utun interface even-though it is not added in include rule?

  • What if we ignore these packets from packet tunnel readPacketObjects as we don't want to handle these packets?

  • when multicast entitlement needed?

Accepted Answer

is multicast ip gets forwarded to every packet tunnel utun interface even-though it is not added in include rule?

Most multicast programs explicitly control the interface, or interfaces, that they want to send on. That is, they look through the interface list, filter out the interfaces that they don’t care about, and explicitly send a copy of the multicast datagram to the remaining interfaces. In that case the system will pass the multicast datagram to your provider regardless of the routing rules.

This can happen with unicast datagrams as well, if the program binds a flow to a specific interface. You can learn more about this in the various posts hung off Extra-ordinary Networking. Search for the term scope.

What if we ignore these packets from packet tunnel readPacketObjects as we don't want to handle these packets?

The datagram gets dropped. As to whether that’ll cause problems, it depends on what the program is doing. For an SSDP client, it just won’t find any services.

when multicast entitlement needed?

See the Local Network Privacy FAQ.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

NEPacketTunnelNetworkSettings excludedRoutes not working for few ip's such as: 239.255.255.250
 
 
Q