mirrored networking mode doesn't allow host to use IP to reach the service in WSL #11034

Open
1 of 2 tasks
bayeslearner opened this issue Jan 16, 2024 · 11 comments

@bayeslearner

Windows Version

Microsoft Windows [Version 10.0.22635.3061]

WSL Version

2.1.0.0

Are you using WSL 1 or WSL 2?

  • WSL 2
  • WSL 1

Kernel Version

5.15.137.3-1

Distro Version

Ubuntu 22.04

Other Software

No response

Repro Steps

After returning to WSL following a 3-year hiatus, I've found that things are still quite complicated. It seems like there's a real need for a comprehensive table that documents various connection scenarios in WSL. Maybe Microsoft should consider hiring me as a tester – just a thought, LOL!

Here's what I've observed in my tests, assuming all firewalls are disabled:

  • The tests were conducted using the latest mirrored mode.
  • I ran a server (python3 -m http.server) on either the WSL, the host, or remotely.
  • A multipass Hyper-V VM was operational on the same host as the WSL.
  • Another Windows machine was functioning on the same LAN as the WSL host.
  • Port forwarding using netsh is NOT configured.

| Scenario | Using 127.0.0.1 | Using IP | Using Host Name |
|---|---|---|---|
| From: LAN, To: WSL | NA | + | + |
| From: Host, To: WSL | + | ! (1) | ! (2) |
| From: VM, To: WSL | NA | refused! (3) | refused! (4) |
| From: WSL, To: Host | + | refused! (5) | refused! (6) |
| From: WSL, To: LAN | NA | + | - |
| From: WSL, To: VM | NA | NA | NA |

Key to the table:

  • "+" indicates a successful connection.
  • "!" signifies that the connection is expected to work but doesn't.
  • "NA" means not applicable or untested.
  • Rows represent different source-to-destination scenarios (e.g., "From: LAN, To: WSL").
  • Columns denote the methods of connection (using 127.0.0.1, mirrored IP, or host name).

Questions:

  • Is this what people see?
  • Which of those 1-6 should we expect to work?
  • Note there is at least one + for each row (except the last row), so almost all connections can be made.
  • Note this was tested on a recently imaged Windows laptop with 1 Ethernet port and 1 wireless adapter.

host: route -4 print

===========================================================================
Interface List
 23...e0 73 e7 f0 8b 1c ......Realtek Gaming GbE Family Controller
 13...74 97 79 9f 3a d7 ......MediaTek Wi-Fi 6E MT7922 (RZ616) 160MHz PCIe Adapter
 24...76 97 79 9f 1a f7 ......Microsoft Wi-Fi Direct Virtual Adapter
  6...76 97 79 9f 0a e7 ......Microsoft Wi-Fi Direct Virtual Adapter #2
 17...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
  8...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
 14...74 97 79 9f 3a d8 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
 42...00 15 5d 1f 45 25 ......Hyper-V Virtual Ethernet Adapter
===========================================================================



IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.173     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      172.17.16.0    255.255.240.0         On-link       172.17.16.1   5256
      172.17.16.1  255.255.255.255         On-link       172.17.16.1   5256
    172.17.31.255  255.255.255.255         On-link       172.17.16.1   5256
      192.168.1.0    255.255.255.0         On-link     192.168.1.173    281
    192.168.1.173  255.255.255.255         On-link     192.168.1.173    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.173    281
     192.168.24.0    255.255.255.0         On-link      192.168.24.1    291
     192.168.24.1  255.255.255.255         On-link      192.168.24.1    291
   192.168.24.255  255.255.255.255         On-link      192.168.24.1    291
    192.168.249.0    255.255.255.0         On-link     192.168.249.1    291
    192.168.249.1  255.255.255.255         On-link     192.168.249.1    291
  192.168.249.255  255.255.255.255         On-link     192.168.249.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.249.1    291
        224.0.0.0        240.0.0.0         On-link      192.168.24.1    291
        224.0.0.0        240.0.0.0         On-link     192.168.1.173    281
        224.0.0.0        240.0.0.0         On-link       172.17.16.1   5256
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.249.1    291
  255.255.255.255  255.255.255.255         On-link      192.168.24.1    291
  255.255.255.255  255.255.255.255         On-link     192.168.1.173    281
  255.255.255.255  255.255.255.255         On-link       172.17.16.1   5256
===========================================================================
Persistent Routes:
  None

wsl$ ip route

default via 192.168.1.1 dev eth0 proto kernel metric 25
192.168.1.0/24 dev eth0 proto kernel scope link metric 281
192.168.1.1 dev eth0 proto kernel scope link metric 25

host c:\ipconfig

Windows IP Configuration


Ethernet adapter vEthernet (Default Switch):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::8e0b:65f9:a9ac:c24a%42
   IPv4 Address. . . . . . . . . . . : 172.17.16.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   Link-local IPv6 Address . . . . . : fe80::1e11:94a3:5a8b:c680%23
   IPv4 Address. . . . . . . . . . . : 192.168.1.173
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Local Area Connection* 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : lan
   Link-local IPv6 Address . . . . . : fe80::c0dc:1221:50da:36ec%13
   IPv4 Address. . . . . . . . . . . : 192.168.1.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter VMware Network Adapter VMnet1:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::1ff4:3e2c:2d67:2ce%17
   IPv4 Address. . . . . . . . . . . : 192.168.249.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter VMware Network Adapter VMnet8:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::50e:c52b:7dad:13%8
   IPv4 Address. . . . . . . . . . . : 192.168.24.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

wsl $ ip addr

 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether e0:73:e7:f0:8b:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.173/24 brd 192.168.1.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::1e11:94a3:5a8b:c680/64 scope link nodad noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff
5: loopback0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:27:5c:b3 brd ff:ff:ff:ff:ff:ff
7: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 74:97:79:9f:3a:d7 brd ff:ff:ff:ff:ff:ff

Expected Behavior

nc -zv 192.168.1.173 8000 from host to WSL should work when WSL runs the service.
nc -zv 192.168.1.173 8000 from WSL to host should work when host runs the service.

Actual Behavior

doesn't work in either case

Diagnostic Logs

see above.


@pmartincic
Collaborator

I believe mirrored has changed to only mirror binds on loopback addresses by default?

@keith-horton to clarify here

@keith-horton
Member

That's correct. In order to work around some Docker and namespace issues, by default WSL will only route loopback address traffic to the host (only 127.0.0.1). If you would also like to use the IP address assigned to the host, you can enable that option: hostAddressLoopback.

Please see the experimental settings: https://learn.microsoft.com/en-us/windows/wsl/wsl-config#experimental-settings

Thanks!

@bayeslearner
Author

it's enabled and no go.

# Settings apply across all Linux distros running on WSL 2
[wsl2]
#autoMemoryReclaim = gradual
firewall = false
#hostAddressLoopback = true

# Limits VM memory to use no more than 4 GB, this can be set as whole numbers using GB or MB
#memory = 4GB

# Sets the VM to use two virtual processors
#processors = 2

# Specify a custom Linux kernel to use with your installed distros. The default kernel used can be found at https://github.com/microsoft/WSL2-Linux-Kernel
#kernel = C:\\temp\\myCustomKernel

# Sets additional kernel parameters, in this case enabling older Linux base images such as Centos 6
#kernelCommandLine = vsyscall=emulate

# Sets amount of swap storage space to 8GB, default is 25% of available RAM
#swap = 8GB

# Sets swapfile path location, default is %USERPROFILE%\AppData\Local\Temp\swap.vhdx
#swapfile = C:\\temp\\wsl-swap.vhdx

# Disable page reporting so WSL retains all allocated memory claimed from Windows and releases none back when free
#pageReporting = false

# Disables nested virtualization
#nestedVirtualization = false

# Turns on output console showing contents of dmesg when opening a WSL 2 distro for debugging
#debugConsole = true

# networking mode, run the following too:
# Set-NetFirewallHyperVVMSetting -Name ‘{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}’ -DefaultInboundAction Allow
networkingMode = mirrored

# Turn on default connection to bind WSL 2 localhost to Windows localhost
localhostforwarding = true

# use host external Address for host<->wsl addressing
hostAddressLoopback = true


vmIdleTimeout = -1

# Enable experimental features
[experimental]
sparseVhd = true
autoMemoryReclaim = gradual
#dnsTunneling = true


@keith-horton
Member

Sorry, it looks like our documentation is incorrect. I just double-checked the code: hostAddressLoopback must be under [experimental]. I'll look to get our docs fixed.
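
The misplacement identified in the comment above can be checked mechanically. The following is an added example, not part of the thread and not WSL's own code; the sample text is constructed from the configuration posted above, and matching key and section names case-insensitively is an assumption of the example.

```python
# Added example (not from the issue thread): list active .wslconfig settings
# and flag hostAddressLoopback when it sits outside [experimental].
import re

# Constructed sample, reduced from the configuration posted in the thread.
SAMPLE = """\
[wsl2]
firewall = false
#hostAddressLoopback = true
networkingMode = mirrored
hostAddressLoopback = true

[experimental]
sparseVhd = true
"""

# Per the maintainer's comment in the thread: the key must be under [experimental].
# Names are lowercased before comparison (an assumption of this example).
REQUIRED_SECTION = {"hostaddressloopback": "experimental"}

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KEY_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")


def parse(text):
    """Return [(line_no, section, key, value)] for every active setting."""
    section, found = None, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or commented-out line
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = KEY_RE.match(line)
        if m:
            found.append((no, section, m.group(1).lower(), m.group(2).strip()))
    return found


def misplaced(text):
    """Return [(line_no, key, actual_section, expected_section)]."""
    return [(no, key, sec, REQUIRED_SECTION[key])
            for no, sec, key, _ in parse(text)
            if key in REQUIRED_SECTION and sec != REQUIRED_SECTION[key]]


if __name__ == "__main__":
    for no, key, sec, want in misplaced(SAMPLE):
        print(f"line {no}: {key} is under [{sec}], expected [{want}]")
```

The commented-out copy on line 3 of the sample is ignored, so only the active setting is reported. After moving the key, `wsl --shutdown` is needed before the new settings take effect, as noted later in the thread.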

@linG5821

linG5821 commented Feb 22, 2024

I think it's the same problem
Test

# 10.1.2.3 is Intranet IP
# ON WSL
telnet 10.1.2.3 8888 OK
telnet 127.0.0.1 8888 OK
telnet localhost 8888 OK
# ON Windows
telnet 10.1.2.3 8888 LOSE(This is the only one that won't pass)
telnet 127.0.0.1 8888 OK
telnet localhost 8888 OK(but slow)

I set up this configuration, but I still can't access the Docker service's mapped port on Windows through the local intranet IP.
.wslconfig

[experimental]
sparseVhd=true
autoMemoryReclaim=gradual
networkingMode=mirrored
dnsTunneling=true
firewall=true
autoProxy=true
hostAddressLoopback=true

@keith-horton
Member

@linG5821 - right:

  • telnet to 10.1.2.3 will only work if you set hostAddressLoopback to true (https://learn.microsoft.com/en-us/windows/wsl/wsl-config)
  • telnet to localhost is slow because that will resolve first to ::1 (the IPv6 loopback address), which cannot work due to Linux APIs only existing for IPv4 which we use to 'route' loopback packets.

Thanks!

@linG5821

> @linG5821 - right:
>
>   • telnet to 10.1.2.3 will only work if you set hostAddressLoopback to true (https://learn.microsoft.com/en-us/windows/wsl/wsl-config)
>   • telnet to localhost is slow because that will resolve first to ::1 (the IPv6 loopback address), which cannot work due to Linux APIs only existing for IPv4 which we use to 'route' loopback packets.
>
> Thanks!

But I set hostAddressLoopback to true, and telnet 10.1.2.3 8888 is still not OK on Windows. This is the main problem I have. It seems to me that this config is not in effect.

I would like to know how to make Windows able to access ports mapped by Docker containers through the Intranet IP, otherwise my colleague will not be able to access the service I started.

Thanks!

@keith-horton
Member

Thanks. Did you add a Hyper-V Firewall rule to allow port 8888 inbound - to allow non-loopback traffic inbound to the container over that port?

@linG5821

@keith-horton

Sorry!

My firewall is off, but when I tested it today, the problem didn't exist.

Last test:
After modifying the .wslconfig configuration, I stopped WSL with 'wsl --shutdown' and then restarted the Docker test.

The differences between this test and the last one:

  1. I restarted my computer this morning
  2. Reinstalled WSA (Windows Sub Android) and restarted the Windows virtual service

I'm confused right now, and it seems like the reboot fixed the problem, but I'm 100% sure I didn't hallucinate the last test.

@keith-horton
Member

Thanks for the follow-up. Yes, you must run wsl --shutdown before new settings take effect. Glad it's working now!
