In Mirrored mode incoming packets from remote device on LAN are not received in WSL2 #10535

Closed
Rybasum opened this issue Sep 24, 2023 · 6 comments

Rybasum commented Sep 24, 2023

Windows Version

Microsoft Windows [Version 10.0.22631.2338]

WSL Version

2.0.0.0

Are you using WSL 1 or WSL 2?

  • WSL 2
  • WSL 1

Kernel Version

5.15.123.1-1

Distro Version

Ubuntu 22.04

Other Software

OpenBSD netcat (Debian patchlevel 1.218-4ubuntu1)
Mac Pro with the latest MacOS

Repro Steps

System description:

  • Windows/WSL2 computer with a USB-Ethernet adapter, set to 192.168.1.33/24
  • In .wslconfig:
        [experimental]
        networkingMode=mirrored
  • Mac Pro computer with a USB-Ethernet adapter, set to 192.168.1.77/24
  • In Windows, Norton 360 firewall, set to allow traffic from device 192.168.1.77. Also tried with firewall disabled altogether.

Both computers can ping each other. Now start a server in WSL2 (Ubuntu):

    $ nc -l 4333

and try connecting and sending data from the Mac:

    $ nc 192.168.1.33 4333

Anything typed at either of the two terminals does not appear on the other computer. No connection.

The opposite direction (listening on the Mac and connecting from Ubuntu) works correctly - text typed on either terminal does appear on the other one.

Expected Behavior

When WSL2 runs a netcat server, packets from a remote computer on the same LAN should be received by the server on WSL2.

Actual Behavior

Packets sent from the remote computer on the same LAN into a mirrored NIC are not received in WSL2.

Diagnostic Logs

No response

zcobol commented Sep 25, 2023

@Rybasum use New-NetFirewallHyperVRule to open the ports you want inside WSL, and it will work!

Rybasum commented Sep 25, 2023

Yes, this worked! Many thanks!
For the record, what I did in Windows is:

New-NetFirewallHyperVRule -DisplayName "Devices on LAN 192.168.1.33" -Name "LAN_192_168_1_33" -Direction Inbound -LocalAddresses 192.168.1.33 -Action Allow -Enabled True

I hope this is safe enough, since the LAN in question has no connection to external world (it is for embedded Linux device development). Thank you (and Microsoft) very much - for the first time I have a full-featured embedded Linux development system in WSL2 - including NFS server and USB-to-serial port gadget enabled thanks to usbip-win. I can develop and debug a Linux kernel entirely from VS Code, awesome...

Still, I wonder if the issue I reported still qualifies as a bug. The WSL2 v2.0.0 blog (https://devblogs.microsoft.com/commandline/windows-subsystem-for-linux-september-2023-update) says that with firewall=true all of the existing firewall settings and rules that you have on Windows will be automatically applied to your WSL distros. A question then arises: I'm using Norton 360 Firewall and settings made in that firewall are seemingly not propagated to WSL2.
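
Added example, not part of the thread: the rule posted above restricts only the local address, so it allows every port and protocol from any remote host. A narrower variant for the netcat test in this issue is sketched below; the addresses and port are the ones from the report, the rule name and display name are made up here, and the WSL VM creator is looked up with the Hyper-V firewall cmdlets.

```powershell
# Run in an elevated PowerShell session on the Windows host.
# Addresses and port come from this issue; rule names are hypothetical.

# Look up the VM creator ID that Hyper-V firewall uses for WSL
# (documented value: {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}).
$wsl = Get-NetFirewallHyperVVMCreator | Where-Object FriendlyName -eq 'WSL'
if (-not $wsl) { throw 'WSL VM creator not found; Hyper-V firewall may be unavailable on this build.' }

# Current defaults for WSL: shows the default inbound action before any rule is added.
Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name $wsl.VMCreatorId

# Broad rule as posted above: any port, any protocol, any remote host.
# New-NetFirewallHyperVRule -DisplayName "Devices on LAN 192.168.1.33" -Name "LAN_192_168_1_33" `
#     -Direction Inbound -LocalAddresses 192.168.1.33 -Action Allow -Enabled True

# Narrow rule: only the Mac, only TCP 4333, only the WSL VM creator.
$rule = @{
    Name            = 'WSL_nc_4333_from_mac'            # hypothetical name
    DisplayName     = 'WSL: nc 4333 from 192.168.1.77'  # hypothetical display name
    Direction       = 'Inbound'
    VMCreatorId     = $wsl.VMCreatorId
    Protocol        = 'TCP'
    LocalAddresses  = '192.168.1.33'
    LocalPorts      = '4333'
    RemoteAddresses = '192.168.1.77'
    Action          = 'Allow'
    Enabled         = 'True'
}
New-NetFirewallHyperVRule @rule

# List the Hyper-V firewall rules that now apply to WSL and check the new one is present.
Get-NetFirewallHyperVRule -VMCreatorId $wsl.VMCreatorId

# Remove the rule when the test is over.
# Remove-NetFirewallHyperVRule -Name $rule.Name
```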

yqs112358 commented Oct 14, 2023

> A question then arises: I'm using Norton 360 Firewall and settings made in that firewall are seemingly not propagated to WSL2.

It seems like a bug actually in WSL 2.0.

My WSL version is 2.0.4.0. I set firewall=true in my .wslconfig and allowed TCP port 8000 in Windows firewall.
On both WSL and Windows, http://localhost:8000 can be visited. But I cannot access http://<my-lan-ip>:8000 on another device in the LAN.

Rybasum commented Oct 25, 2023

@yqs112358 On another computer that uses Windows Firewall (not Norton) I observed that the firewall settings were not forwarded into Ubuntu (wsl2) either. Regardless of what firewall I used, I had to set rules both in Windows and in Hyper-V.
Also, if the firewall=true option is not set in .wslconfig then no incoming traffic is allowed into wsl2 regardless of firewall settings.

ckuhtz commented Dec 8, 2023

> Yes, this worked! Many thanks! For the record, what I did in Windows is:
>
> New-NetFirewallHyperVRule -DisplayName "Devices on LAN 192.168.1.33" -Name "LAN_192_168_1_33" -Direction Inbound -LocalAddresses 192.168.1.33 -Action Allow -Enabled True
>
> I hope this is safe enough, since the LAN in question has no connection to external world (it is for embedded Linux device development). Thank you (and Microsoft) very much - for the first time I have a full-featured embedded Linux development system in WSL2 - including NFS server and USB-to-serial port gadget enabled thanks to usbip-win. I can develop and debug a Linux kernel entirely from VS Code, awesome...
>
> Still, I wonder if the issue I reported still qualifies as a bug. The WSL2 v2.0.0 blog (https://devblogs.microsoft.com/commandline/windows-subsystem-for-linux-september-2023-update) says that with firewall=true all of the existing firewall settings and rules that you have on Windows will be automatically applied to your WSL distros. A question then arises: I'm using Norton 360 Firewall and settings made in that firewall are seemingly not propagated to WSL2.

This REALLY needs to go prominently into the WSL docs. I've spent hours tonight trying to figure this out until stumbling into this GitHub issue. It's not safe at all to assume that a consumer of WSL is intimately familiar with how to modify Hyper-V to manage this. The info bubble in the existing docs is wildly insufficient.

rz1027 commented Jan 18, 2024

I am trying this mode (mirrored). My local IP is 192.168.1.103 and I am connected through OpenVPN to a remote network, so my tun0 IP is 10.10.16.25.
When listening for a callback on the Windows side (ncat.exe -nlvp 9001) it works just fine.
On the Linux side with mirrored mode on (seeing the exact same network interfaces) my listener (nc -nlvp 9001) doesn't get the callback.
Which seems a weird case to me.

I tried establishing Hyper-V firewall rules to allow traffic through this port, tried disabling both Windows and Hyper-V firewalls, tried connecting to the VPN from inside the WSL2 instance. Nothing seems to get me this callback inside WSL2...
