wsl: Hyper-V firewall is not supported wsl: Mirrored networking mode is not supported, falling back to NAT networking

[Morrigan-Ship]

Windows Version

10.0.25931.1000

WSL Version

2.0.0.0

Are you using WSL 1 or WSL 2?

• WSL 2
• WSL 1

Kernel Version

5.15.123.1-1

Distro Version

ubuntu 22 and kali linux

Other Software

cmd

Repro Steps

wsl - kali or ubuntu:

error:
wsl: Hyper-V firewall is not supported
wsl: Mirrored networking mode is not supported, falling back to NAT networking

Expected Behavior

wsl - kali or ubuntu:

error:
wsl: Hyper-V firewall is not supported
wsl: Mirrored networking mode is not supported, falling back to NAT networking

but linux will start

Actual Behavior

wsl - kali or ubuntu:

error:
wsl: Hyper-V firewall is not supported
wsl: Mirrored networking mode is not supported, falling back to NAT networking

but linux will start

Diagnostic Logs

No response

[benhillis]

/logs

[microsoft-github-policy-service]

Hello! Could you please provide more logs to help us better diagnose your issue?

To collect WSL logs, download and execute collect-wsl-logs.ps1 in an administrative powershell prompt:

Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/WSL/master/diagnostics/collect-wsl-logs.ps1" -OutFile collect-wsl-logs.ps1
Set-ExecutionPolicy Bypass -Scope Process -Force
.\collect-wsl-logs.ps1

The scipt will output the path of the log file once done.

Once completed please upload the output files to this Github issue.

Click here for more info on logging

Thank you!

[Morrigan-Ship]

WslLogs-2023-09-19_08-58-05.zip

[mlankamp]

Have the same problem
WslLogs-2023-09-19_21-38-24.zip

[mrdev023]

WslLogs-2023-09-19_21-43-45.zip
Same problem

[Morrigan-Ship]

i think i know how we can fix it
but i cannot do it because important information
if anyone tested send the result
:

in first remove all linux distro then full remove wsl(dont remove wsl in first)
secend install wsl
install new distro
test with new network config and send result

[benhillis]

@keith-horton - Could we adjust the error message so it's clear that the version of Windows they are running does not support the feature? It's currently a little confusing.

[Morrigan-Ship]

@benhillis
i think its because some dll files not installed or registered

[sf467]

My win11 is dev, Build 23545 ,and have the same problem

[zhzy0077]

My PC1 with dev channel version: 23550 shows this error
While My PC2 with release preview channel version 22621 doesn't show this error.

[peigongdsd]

OS build 23545.1000 having this problem too.

[peigongdsd]

i think i know how we can fix it but i cannot do it because important information if anyone tested send the result :

in first remove all linux distro then full remove wsl(dont remove wsl in first) secend install wsl install new distro test with new network config and send result

No luck for me

[dotlineX]

Having the same issue. Running Windows 11 22621.2283 Home. Could this be related to Home vs Pro versions of Windows?

[AetherMagee]

Same issue. Windows 11 Pro 22621.2283

Having the same issue. Running Windows 11 22621.2283 Home. Could this be related to Home vs Pro versions of Windows?

I dont think so. Maybe it only works on Insider versions?

[LordMonoxide]

Same issue. Windows 11 Pro 22621.2283

Having the same issue. Running Windows 11 22621.2283 Home. Could this be related to Home vs Pro versions of Windows?

I dont think so. Maybe it only works on Insider versions?

I'm on the latest dev channel insider build of Windows 11 and I'm getting the unsupported message for every feature in the blog post that was listed as "Insider Only"

[The-Monkey-King]

From Craig's video, only autoProxy, autoMemoryReclaim, and sparseVHD can be accessed through Windows 11 22H2 now. You need insider's builds for the other networking.

What I thought was suggested but not confirmed is that some of these features would be backported to Windows 10. Is this true or not?

[keith-horton]

Sorry for the confusion.

Hyper-V Firewall and Mirrored networking support will soon be available on the latest Windows 11 release through a Windows Update. Until then, one must opt into Insider Builds - those build numbers will be in the range 255xx.

Opting into Windows Moments is different - those are feature updates to Windows 11, but those do not really go through the Windows Insider program. Those builds numbers will be in the range 235xx.

The traces I've seen so far are either from a Windows release that's not from the Windows Insiders, or the trace wasn't taken while WSL was attempted to be started.

If you have a 255xx build from Windows Insiders, I would be happy to look at the logs.
Features are enabled only when the required APIs are available :)

Thanks!

[LordMonoxide]

Sorry for the confusion.

Hyper-V Firewall and Mirrored networking support will soon be available on the latest Windows 11 release through a Windows Update. Until then, one must opt into Insider Builds - those build numbers will be in the range 255xx.

Opting into Windows Moments is different - those are feature updates to Windows 11, but those do not really go through the Windows Insider program. Those builds numbers will be in the range 235xx.

The traces I've seen so far are either from a Windows release that's not from the Windows Insiders, or the trace wasn't taken while WSL was attempted to be started.

If you have a 255xx build from Windows Insiders, I would be happy to look at the logs. Features are enabled only when the required APIs are available :)

Thanks!

I'm still a bit confused. I'm in the Windows 11 insider dev channel, and the latest build available to me is 23545.1000. Is it only available in the canary builds?

[keith-horton]

Right - sorry about that. This would be in the Canary Channel.

[Morrigan-Ship]

my self fixed issue :)
the reson of issue:
when you install new wsl version from github it need to remove old wslservice and recreate the service for this you should reboot your pc

but before reboot:
if you enter Get-NetFirewallHyperVPort command in powershell as Administrator user you will get invalid class error
you sould fix this issue i fixed by this link:

https://superuser.com/questions/1152280/get-net-powershell-cmdlets-failing-with-invalid-class
remember change "sc config winmgmt start= disabled" to "sc.exe config winmgmt start= disabled" sc to sc.exe and run as Administrator

if you followed link and get error from "sc.exe config winmgmt start= disabled" no problem ignore this error and continue

next step:
and remember to goto %windir%\System32\wbem\ folder and remove folder name repository or repository.001 or any name that have repository

now reboot your PC
wsl network mirrored problem fixed :)
also Get-NetFirewallHyperVPort problem fixed :) 👍

[Morrigan-Ship]

test my solution if not fixed report it here

[Morrigan-Ship]

but new problem issue:
if i enable vpn on windows wsl network will use windows vpn
but if enable proxy on windows you need to restart wsl to use proxy :// :|| :\\

[keith-horton]

Sadly, the Proxy API to detect a proxy can take a while, especially when set in a connectoid like with some VPNs. In those cases we opted to not slow down WSL startup while we waited to see if a proxy was detected; but it does mean you have to restart the container that first time :(

Sorry about that. We tried to balance the best user experience.

[Morrigan-Ship]

its very important for WSL Enterprise usage and should fix in future
Also i think you should add multi IP Address supporting for WSL in future
because all wsl distro have one IP Address now

[zcobol]

KB5030310 released yesterday (Sep. 16) adds the required support for the new WSL features. Tested on Windows 11 version 10.0.22621.2361

[craigloewen-msft]

This error is caused by not being on the right Windows version as @keith-horton said!
You need to be on the Windows Insider "Canary" channel or the "Release Preview" channel to get these features.
This will be coming to Windows 11 22H2 eventually as part of a backport.

[Morrigan-Ship]

This error is caused by not being on the right Windows version as @keith-horton said! You need to be on the Windows Insider "Canary" channel or the "Release Preview" channel to get these features. This will be coming to Windows 11 22H2 eventually as part of a backport.

please add support for bridge mod for wsl
and make special IP Address for each WSL distro

[sf467]

This error is caused by not being on the right Windows version as @keith-horton said! You need to be on the Windows Insider "Canary" channel or the "Release Preview" channel to get these features. This will be coming to Windows 11 22H2 eventually as part of a backport.

When I get a push from the dev channel, build23550, I see the following prompts
https://blogs.windows.com/windows-insider/2023/09/22/announcing-windows-11-insider-preview-build-23550-dev-channel/

but now,wsl have this problom,

[marcelloinfoweb]

I forced the upgrade to Canary and WSL now works perfectly.

[onomatopellan]

Windows Version	Last build	WSL2
Windows Insider Canary Channel	25951	🪞Mirrored networking support
Windows Insider Dev Channel	23555	❓
Windows Insider Beta Channel	22621.2338	❓
Windows Insider Release Preview Channel	22631.2361	🪞Mirrored networking support
Windows Public Release (KB5030310)	22621.2361	🪞Mirrored networking support

Dev and Beta channels should get the support in the next builds.

[Rajackar]

This error is caused by not being on the right Windows version as @keith-horton said! You need to be on the Windows Insider "Canary" channel or the "Release Preview" channel to get these features. This will be coming to Windows 11 22H2 eventually as part of a backport.

When I get a push from the dev channel, build23550, I see the following prompts https://blogs.windows.com/windows-insider/2023/09/22/announcing-windows-11-insider-preview-build-23550-dev-channel/

but now,wsl have this problom,

This confused me as well. It's specifically mentioned in this blog and I'm on 23555 as mentioned in the same blog.
Yet the feature is not working.

[oidualc]

I'm on build 25951 and WSL 2.0.2, I enabled networkingMode=mirrored, but I still cannot access the linux IPv4 address from Windows, let alone another device in the same local network.
To test it I just did a simple python -m http.server from within linux, and from the Windows host I tried to reach it via the local network address http://192.168.1.200:8000, I just get a ERR_CONNECTION_TIMED_OUT error.
If I understand correctly, with this new feature I should be able to access a WSL distro from a smartphone in the same network, what could I be missing?

[keith-horton]

Hi there.
When setting Mirrored Mode, please ensure that it's supported by the OS you have installed - either from looking for a warning during startup (if it's not supported), or running 'ip a' in a Linux prompt to see if the IP addresses assigned in the Linux container are the same as the IP addresses assigned to Windows.

If they are the same, and you want to access port 8000, you'll need to add a Hyper-V Firewall rule to allow that inbound traffic. You can use the New-NetFirewallHyperVRule powershell command'let to add a new rule.

[sf467]

Even the Release version works, but not the dev version, this can be seen as a bug in the dev version, right?

[sysulq]

Even the Release version works, but not the dev version, this can be seen as a bug in the dev version, right?

I completely agree. This should be considered a bug in the development version, as it caused a lot of confusion for me until I came across this issue.

[oidualc]

running 'ip a' in a Linux prompt to see if the IP addresses assigned in the Linux container are the same as the IP addresses assigned to Windows.

Confirmed.

You can use the New-NetFirewallHyperVRule powershell command'let to add a new rule.

My understanding was that using "firewall=true" in .wslconfig and disabling the Windows Firewall altogether, WSL should have picked it up automatically. Not working this way, could you be more specific about what command to run? I tried something like this one with no luck.

[keith-horton]

Hi there.

Setting firewall=true in the .wslconfig file will enable Hyper-V Firewall for that WSL container instance. If the host Windows Firewall is enabled, we will mirror all Windows Firewall rules that are based on IP addresses or port numbers (not user ids or applications). And you can run NetFirewallHyperVRule powershell command'lets to view/add/remove rules for Hyper-V Firewall.

If you have an OS with the necessary updates, these powershell commands should work. Both of these must work for Hyper-V Firewall to be enabled.

get-NetFirewallHyperVVMCreator

this should show something like;
VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
FriendlyName : WSL

get-NetFirewallHyperVProfile

this should show Public, Private, and Domain profiles like

Name : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
Profile : Public
.
.
.

[isaali93]

Windows Version Last build WSL2
Windows Insider Canary Channel 25951 🪞Mirrored networking support
Windows Insider Dev Channel 23555 ❓
Windows Insider Beta Channel 22621.2338 ❓
Windows Insider Release Preview Channel 22631.2361 🪞Mirrored networking support
Windows Public Release (KB5030310) 22621.2361 🪞Mirrored networking support
Dev and Beta channels should get the support in the next builds.

Hey, you guys have any word on when this is coming to Dev? It's been sometime already

[lc-guy]

Any information on having support for this on windows 10, or is it just not coming to it at all?

[keith-horton]

Sorry, we have asked. As of today, we do not have plans to take this back to Windows 10.

[isaali93]

Looks like mirrored networking is enabled on the dev channel as of today's 23580 build.

[hanxinimm]

Error code: Wsl/Service/CreateInstance/CreateVm/ConfigureNetworking/0x803b0015

[keith-horton]

Hi there. If you are hitting a new error code, can you open a new GitHub issue + capturing traces?

[K2ouMais]

Can someone explain, why this doesnt work under Windows 10?

It is a shame, because corporate machines will stay on Windows 10 for a long time and Windows 11 ist still not an option for many corporations.

[experimental]
networkingMode=mirrored
dnsTunneling=true

I have a corporate Laptop without any Admin rights, so I have only this way of getting wsl configured.

I really want to get rid of "wsl-vpnkit" when I am behind a VPN.

[keith-horton]

Sorry, those features are not available on Windows 10. They are only on Windows 11.

[boan-jfm]

Sorry, those features are not available on Windows 10. They are only on Windows 11.

But here it states "Entries with an ** after the value type require Windows version 22H2 or higher.": https://learn.microsoft.com/en-us/windows/wsl/wsl-config

[K2ouMais]

It's a shame this is Windows 11 only where almost every company is still using Windows 10. Sometimes I really question some decisions.

[jtrenaud1s]

It's a shame this is Windows 11 only where almost every company is still using Windows 10. Sometimes I really question some decisions.

Same boat. Super annoying. Though I do have local administrator privileges, I still have not found any workaround to the VPN issue. Also stuck on windows 10.

[K2ouMais]

@jtrenaud1s

The only way right now to get WSL to work on a vpn is this tool:
https://github.com/sakai135/wsl-vpnkit