
IPv4/IPv6 Precedence

I need to set the IP prefix precedence on MacOS. On Windows I can do this with the command:

netsh interface ipv6 set prefixpolicy ::ffff:0:0/96 45 4 store=persistent

On Linux I edit the file /etc/gai.conf.

How do I set MacOS to prefer IPv4 over IPv6 at the system level in the same way as Windows and Linux?


I need to do this for multiple people on multiple MacOS versions from 10.10 to 10.15.

MacBook Air 13", macOS 10.15

Posted on May 6, 2020 6:38 AM
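What the netsh command in the question changes, shown as an added example that is not part of the original thread: a Python model of the RFC 6724 prefix policy table, which is the table that `netsh ... prefixpolicy` and the `precedence` lines in /etc/gai.conf edit. It implements only the precedence comparison (Rule 6 of destination address selection), not the full algorithm; the function names are hypothetical and the sample addresses are constructed documentation addresses.

```python
import ipaddress

# Default policy table from RFC 6724 section 2.1: (prefix, precedence, label)
DEFAULT_POLICY = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]

def to_v6(addr):
    """IPv4 addresses are looked up in the table as IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    return ip

def lookup(addr, policy):
    """Longest-prefix match; returns (precedence, label) for the address."""
    ip, best = to_v6(addr), None
    for prefix, precedence, label in policy:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    return best[1], best[2]

def with_override(policy, prefix, precedence, label):
    """Return a copy of the table with one prefix entry replaced."""
    kept = [row for row in policy if row[0] != prefix]
    return kept + [(prefix, precedence, label)]

def order_destinations(addrs, policy):
    """Highest precedence first; the stable sort keeps resolver order on ties."""
    return sorted(addrs, key=lambda a: -lookup(a, policy)[0])

# Equivalent of: netsh interface ipv6 set prefixpolicy ::ffff:0:0/96 45 4
PREFER_V4 = with_override(DEFAULT_POLICY, "::ffff:0:0/96", 45, 4)

# Constructed sample: one AAAA and one A answer for the same host name.
SAMPLE = ["2001:db8::10", "192.0.2.10"]

if __name__ == "__main__":
    for name, table in (("default", DEFAULT_POLICY), ("prefer-v4", PREFER_V4)):
        print(name, order_destinations(SAMPLE, table))
```

Raising the IPv4-mapped prefix from 35 to 45 puts it above `::/0` (40), so IPv4 destinations sort first while IPv6 stays enabled.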


May 7, 2020 4:30 AM in response to LD150

I am trying to mitigate a VPN unreliability in various home internet configurations causing both name resolution and connectivity issues for split tunnel DNS users on the corporate VPN. The VPN client has issues when either the VPN or the home LAN provides an IPv6 DNS server and the other doesn't; it results in either not being able to resolve internal or external addresses. There is also some other subtle configuration issue that I have yet to identify, that causes connectivity issues. The primary workaround currently is to completely disable IPv6 on the interface, but I would prefer a more nuanced approach and just tweak the prefix precedence priority.


May 7, 2020 7:29 AM in response to RoboBeaver

You probably have a corporate need for VPN but many on here advise against VPN. Is passing all your traffic through a third party server really safer than normal encrypted or firewalled traffic?


It also seems to be the main reason for sys admins "patching" network ipv4/6 discrepancies. - Fix the discrepancies?


Our other favorite bugbear is IT depts insisting Mac users install antivirus software with all the misery spilled out here.


(The above is my low tech view - I used to employ sys admins to do the thinking.)




May 7, 2020 11:53 AM in response to LD150

It is our corporate VPN, specifically so our traffic is not passing through third party servers unencrypted. It is both a necessary security requirement, and a legal regulatory one. The problem isn't the devices I control, it is the infinite configurations that home users and public hotspots have, combined with the failure of the VPN application to properly fail smoothly between IPv6 and IPv4.

I partially agree about using public VPN, the free ones are a bit dodgy, how are they funding their service, or what is their incentive, it is probably not completely altruistic. The good quality paid-for services I think can add value and security, as you are their customer, not their fuel. The main question is do you trust them more than your ISP? I trust neither completely, but I would trust someone like NordVPN more than I trust Comcast or Verizon. Also VPNs are very useful if traveling, or you are in a country with an untrustworthy Government or poor regulation. The VPN only really protects against marketing type snooping, the important stuff should be independently encrypted with TLS and trusted root certs, but that is a whole other discussion about who do you trust.


May 20, 2020 11:21 AM in response to RoboBeaver

@RoboBeaver Did you ever find an answer? I have a different use case: home connection with dual-WAN (one FAST but no native IPv6 and another SLOW but does have IPv6). Since most apps/browsers do DNS requests as A+AAAA, and the OS gives preference to V6, this results in most apps loading via the SLOW connection. I wish to reverse the behavior, prioritizing V4 over V6 — only use v6 when no v4 route to the service exists. Is there a tweak for this?


May 20, 2020 12:17 PM in response to RoboBeaver

Might be review, might not be...


VPN clients connecting directly into an organization’s private network, yes.


VPN clients into a commercial VPN provider, no.


Those provide easily breached security due to the pre-determined credentials, and you should already be using VPNs (TLS or otherwise) for your connections.


If the local part of the network path is a concern and a commercial VPN provider client is of interest, consider running your own VPN server and connect to that, if you don’t trust your ISP or first hop. Or migrate your connections to trusted DNS and connections to TLS, as should already have happened as that protects all the hops.


As for IP connections, macOS is dual-stack and whichever is the lower-cost path will be used.


When DNS servers are in the mix, whichever one is first up and that then returns an authoritative answer will be used. If you have a private internal IPv6 DNS configuration in the target network, that’ll need to be the selected DNS server or hosts known (only) to that DNS server will not translate.

