cannot reach ipv6 only address

[andyli]

• Your Windows build number: 10.0.18980.1

• What you're doing and what's happening: (Copy&paste the full set of specific command-line steps necessary to reproduce the behavior, and their output. Include screen shots if that helps demonstrate the problem.)

I tried to access a ipv6 only website and failed. My commands run in Debian Buster with WSL 2:

$ curl -I https://ocaml.debian.net
curl: (7) Couldn't connect to server

$ sudo ping6 2001:913:c01:0:d52c:1903:be09:265f
connect: Network is unreachable

• What's wrong / what should be happening instead:

The curl command should succeed. Here is the result if I run it in Windows (outside of WSL):

>curl -I https://ocaml.debian.net
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Wed, 18 Sep 2019 04:15:40 GMT
Content-Type: text/html
Content-Length: 341
Last-Modified: Sat, 03 Aug 2019 04:57:55 GMT
Connection: keep-alive
ETag: "5d451453-155"
Accept-Ranges: bytes

>ping 2001:913:c01:0:d52c:1903:be09:265f

Pinging 2001:913:c01:0:d52c:1903:be09:265f with 32 bytes of data:
Reply from 2001:913:c01:0:d52c:1903:be09:265f: time=208ms
Reply from 2001:913:c01:0:d52c:1903:be09:265f: time=206ms
Reply from 2001:913:c01:0:d52c:1903:be09:265f: time=206ms
Reply from 2001:913:c01:0:d52c:1903:be09:265f: time=206ms

Ping statistics for 2001:913:c01:0:d52c:1903:be09:265f:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 206ms, Maximum = 208ms, Average = 206ms

FYI, here is my network interface info:

C:\Users\Andy>ipconfig

Windows IP Configuration


Ethernet adapter VPN - VPN Client:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter vEthernet (DockerNAT) 2:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.75.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv6 Address. . . . . . . . . . . : 2002:d206:9dd2::100
   IPv6 Address. . . . . . . . . . . : 2002:d206:9dd2:0:7940:661e:9b71:38ca
   IPv6 Address. . . . . . . . . . . : fd3a:95fa:b06b::100
   IPv6 Address. . . . . . . . . . . : fd3a:95fa:b06b:0:7940:661e:9b71:38ca
   Temporary IPv6 Address. . . . . . : 2002:d206:9dd2:0:c8d1:e8bc:b818:9b48
   Temporary IPv6 Address. . . . . . : fd3a:95fa:b06b:0:c8d1:e8bc:b818:9b48
   Link-local IPv6 Address . . . . . : fe80::7940:661e:9b71:38ca%14
   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::7ad2:94ff:fe7e:41e9%14
                                       192.168.1.1

Ethernet adapter Ethernet 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Bluetooth Network Connection 4:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter vEthernet (Default Switch):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::e0:3fd0:91b9:ca2a%45
   IPv4 Address. . . . . . . . . . . : 172.17.96.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::d42c:c288:563c:b292%53
   IPv4 Address. . . . . . . . . . . : 172.29.48.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

andy@Hawk:/mnt/c/Users/Andy$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.29.49.132  netmask 255.255.240.0  broadcast 172.29.63.255
        inet6 fe80::215:5dff:fed7:3bf8  prefixlen 64  scopeid 0x20<link>
        ether 00:15:5d:d7:3b:f8  txqueuelen 1000  (Ethernet)
        RX packets 856  bytes 101884 (99.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 39  bytes 3349 (3.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[craigloewen-msft]

Could you please take some networking logs for us? Instructions on how to do so are here!

And then post the link to your feedback in this issue so we can easily find it. :) Thanks!

Also for reference for myself and the team this may be a similar issue to #4436, however it's different enough since this is accessing an external site.

[andyli]

Here you are: https://aka.ms/AA63cvl

[ghzhou]

I have same issue. In wsl2, I have a docker of oracle bind to tcp6. From inside wsl2, I can connect with ::1 or 127.0.0.1, which means it is dual-stack.
root@cnjiezhou01:/etc# netstat -an | grep 1521 | grep -i liste
tcp6 0 0 :::1521 :::* LISTEN
root@cnjiezhou01:/etc# telnet 127.0.0.1 1521
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
root@cnjiezhou01:/etc# telnet ::1 1521
Trying ::1...
Connected to ::1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

From the host windows:

C:>netstat -an | findstr 1521 | findstr /i list
TCP [::1]:1521 [::]:0 LISTENING

C:>telnet 127.0.0.1 1521
Connecting To 127.0.0.1...Could not open connection to the host, on port 1521: Connect failed

[craigloewen-msft]

As of right now the Host Network service does not support ipv6 only websites. We've filed this as a feature request with them and we will post any updates on this thread as they become available! Thank you for filing this.

[WSLUser]

@craigloewen-msft any progress with this? Also I noticed the kernel doesn't have IPv6 enabled. Could you get the kernel bits done first if we're still waiting for underlying platform support?

[craigloewen-msft]

I don't have any updates for this feature request.

@WSLUser what kernel modules would you like added to the kernel? And what workflows would it enable for you?

[WSLUser]

Basically anything that lights up usage of IPv6. I'm thinking more of a network pen test perspective using Kali tools but I'm sure there are some more enterprise-y workflows that would benefit as well if hosted on Windows Server 2019. Something that comes to mind is mostly being able to serve up DHCPv6 and DNS from WSL2 for multiple hosts.

[hcooper]

@craigloewen-msft could the wsl2 upgrade docs be updated to explicit mention breaking IPv6? I would have probably waited a little longer had I know. Thanks.

[craigloewen-msft]

@hcooper Yes! I'll add that in, thank you for the suggestion. :)

[Daemoen]

... Wow... we're in February (nearly 6 months) and this is still an issue? That's disappointing.

[treysis]

In 2020 I would expect "IPv6 first, IPv4 second". Apparently not so at Microsoft. But good to know, so I will not update to WSL 2.

[ghshephard]

Thanks for this thread - I spent about 45 minutes trying to figure out how to get IPv6 working (I have an IPv6 only site I'm trying to connect to) from WSL 2. Looking forward to seeing the protocol added!

[Tiedye]

@craigloewen-msft Any update? WSL 2 is coming close to being widely available

[craigloewen-msft]

We're working on it! This feature won't be available in the initial general release of WSL2. Thanks for your patience here, this is something that we are actively looking into improving.

[zhihuiyuze]

WSL2 has no ipv6, and mapping to the external network requires port forwarding.

[royalpudding]

Is there any kind of work around for this? We recently went completely remote at our organization and all access is being handled using Direct Access. Direct Access is completely IP6, which means WSL2 does not have any access to our internal network. I manage several dozen Linux based servers behind the firewall and my workflow has been completely stopped in its tracks. Ansible can't access any of the servers etc...
Can I run WSL concurrently with WSL2?
Any thoughts or ideas?

[paulstelian97]

Can I run WSL concurrently with WSL2?
Any thoughts or ideas?

If you have multiple distros, you can pick and choose which of them uses WSL1 and which uses WSL2. Just do wsl --set-version "Distro name" 2 or wsl --set-version "Distro name" 1, and wait for the conversion process which can take a while and shows no progress bar (it takes longer or shorter dependent on the amount of data you already have in your distro)

[Nicholas-Johnson-opensource]

What is worse is that if you are on an IPv6-only network (NAT64 for IPv4 access), WSLv2 has no internet access whatsoever. Is there a timeline on the fix? Microsoft said they are working on it (good) but working on it could mean "will deliver in May 2021 update or even later".

[paulstelian97]

IPv6 is actually a difficult mess, I think Hyper-V needs to learn prefix delegation like VMware and the ISP must provide that (my setup with TunnelBroker didn't). I had managed to make a manual setup, configure router advertisements on the "vEthernet (WSL)" interface and gave the VM an IP address in a /64 I had allocated (and also manually added a route in my Raspberry Pi so packets returning to WSL will reach it)

[qadmium]

@paulstelian97 Can you describe more? As I see, in my case host adapter and eth0 in wsl has different ipv6 prefixes. But I didn't manage to setup routing

upd: found your question here https://superuser.com/questions/1545629/how-can-i-give-ipv6-to-wsl2

[Daniel15]

Is there any ETA for a fix for this? At Facebook, our internal network is mostly IPv6-only (see https://www.internetsociety.org/blog/2014/06/facebook-moving-to-an-ipv6-only-internal-network/) so this issue limits the usefulness of WSL2 in this environment.

[paulstelian97]

@paulstelian97 Can you describe more? As I see, in my case host adapter and eth0 in wsl has different ipv6 prefixes. But I didn't manage to setup routing

upd: found your question here https://superuser.com/questions/1545629/how-can-i-give-ipv6-to-wsl2

I managed to setup routing because the WSL network is part of a /48 that is allocated for my tunnel. That's probably what went wrong in your case.

Unless WSL2 can either use prefix delegation or a bridged adapter you'll have issues (IPv6 doesn't have NAT)

[ichdasich]

Broken IPv6 is a serious deal breaker for me. I am sitting behind a DS-lite setup, with rather painfull v4. Are there any technical issues that prevent a feature/configuration for bridging the WSL system to the host IF (or rather the bridge over that IF i have anyway for my hyperv VMs)?

[vbifonixor]

Guys, come on! I've updated to w10 2004 only because of WSL2 and I can't connect to most of my intranet? How is it still not solved since first insider builds??
Looks more like a serious bug to me, since almost everybody now uses IPv6 primarily

[paulstelian97]

Guys, come on! I've updated to w10 2004 only because of WSL2 and I can't connect to most of my intranet? How is it still not solved since first insider builds??
Looks more like a serious bug to me, since almost everybody now uses IPv6 primarily

IPv6 is actually hard to do. Hyper-V only has IPv4 NAT support, for IPv6 NAT to be supported you need something else.

I have managed to do a workaround at home for this but what is supported (without the workaround) is IPv6 servers hosted in WSL. That does work just fine via the "automatic port forwarding" that is done for IPv4 as well.

While it is surprisingly difficult to deploy IPv6 to virtual machines (including WSL2) because NAT isn't exactly Kosher in the IPv6 world (and that may be the reason Hyper-V won't support it), it can be done after a lot of work. But I wouldn't be surprised if 20H2 didn't have it; maybe 21H1? It would be nice if DHCP prefix delegation were a thing.

[ichdasich]

Well, technically i'd argue that there should not be NAT, but the hyper-v host should actually do rfc4389 (https://tools.ietf.org/html/rfc4389) style proxy nd. This is v6 after all...

[craigloewen-msft]

Hi folks, we have put out a new update that aims to address networking issues in WSL. In your .wslconfig file you can set experimental.networkingMode=mirrored, as well as some other key settings that should improve your network compatibility, and add support for IPv6! Please try them out and let us know what you think.

More info on this release and the changes can be found here in the blog post.

Please note: You need to be on a Windows Insiders version to use the new networking settings (Any channel of Windows Insiders will do, including release preview). If you see the "These are not supported" messages it means that your current Windows version doesn't have support, and you will need to upgrade. These features will eventually be coming to Windows 11 22H2.

[NiKiZe]

Will the fix also reach win10?

[maurice-w]

@craigloewen-msft Good news! Could you elaborate on how this mirrored mode works? Does it create an external virtual switch just like you can in regular Hyper-V? This works great for Ethernet, but I never got it to work on WiFi, probably due to lack of an ND proxy.
I would be willing to switch to an Insiders version to get IPv6 in WSL, but only if WiFi is supported.

[craigloewen-msft]

These new networking features are now available on the latest version of Win11 22H2!

@NiKiZe currently this is not planned to go back to Win10.

Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run cmd.exe /c ver and ensure that your build number is 22621.2428 or higher (Including the minor build number which is after the . as this was a backport!)

[maurice-w]

Thanks @craigloewen-msft, tried it and it works great for me on WiFi! Windows 11 22H2 10.0.22621.2428, WSL 2.0.6. I now understand that mirrored mode is indeed not a bridge, but shares the IPv6 addresses of the host system. No NAT and no ND proxy required. 👍

Will this eventually make its way into Windows Subsystem for Android?

[TurnOffNOD]

These new networking features are now available on the latest version of Win11 22H2!

@NiKiZe currently this is not planned to go back to Win10.

Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run cmd.exe /c ver and ensure that your build number is 22621.2428 or higher (Including the minor build number which is after the . as this was a backport!)

Hi, does "latest version of Win11 22H2" mean latest stable, which is 22H2 or latest insider version, which belongs to 22H2 branch?

[maurice-w]

@TurnOffNOD Latest stable, you don't need an Insiders version anymore.

[githubsean]

For those playing at home, you may need to run: wsl --update --pre-release

[gund]

For me it did not work initially even though I had the latest version.
Then I tried wsl --update --pre-release which completely broke WSL2 for me (distro was just crashing after startup).
After that I ran just wsl --update and magically everything was fixed and IPv6 started working!

[Flipez]

For everyone having issues, in the meantime it's without the experimental prefix

[wsl2]
networkingMode=mirrored

[nileshgr]

This one worked for me: https://www.marvinweber.net/posts/wsl2-ipv6-support/

It's in bridge mode though.

But I already run a VM in Hyper V in bridge mode, so as long as it doesn't break other stuff I will continue with this.

[fedorzh]

These new networking features are now available on the latest version of Win11 22H2!

@NiKiZe currently this is not planned to go back to Win10.

Please make sure you're on the latest build to get these features, you can do that by clicking "Check for Updates" in Windows settings. You can check you have the right build by either ensuring you have KB5031354 installed, or run cmd.exe /c ver and ensure that your build number is 22621.2428 or higher (Including the minor build number which is after the . as this was a backport!)

I am actually on Version 10.0.22631.3296 and still cannot reach ipv6 websites...

ping 6 google.com
ping: google.com: Temporary failure in name resolution

Setting .wslconfig with

[wsl2]
# Changes how DNS requests are proxied from WSL to Windows
dnsTunneling=true

networkingMode=mirrored

doesn't help either.

[githubsean]

Mine now works on windows 11

sean@ANTEC:~$ uname -a
Linux ANTEC 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
sean@ANTEC:~$ ping -6 google.com
PING google.com(syd15s17-in-x0e.1e100.net (2404:6800:4006:812::200e)) 56 data bytes
64 bytes from syd15s17-in-x0e.1e100.net (2404:6800:4006:812::200e): icmp_seq=1 ttl=119 time=2.94 ms
64 bytes from syd15s17-in-x0e.1e100.net (2404:6800:4006:812::200e): icmp_seq=2 ttl=119 time=3.03 ms
64 bytes from syd15s17-in-x0e.1e100.net (2404:6800:4006:812::200e): icmp_seq=3 ttl=119 time=2.63 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.633/2.865/3.025/0.167 ms
sean@ANTEC:~$

[megamisan]

[wsl2]
networkingMode=mirrored

Worked for me too.

>ver

Microsoft Windows [version 10.0.22631.3447]

[xairoo]

[wsl2]
networkingMode=mirrored

Have done that on 2 systems. One worked, one not. Both running WSL 2.2.4.0. I tried also the [experimental] config.

I can ping the own WSL IPv6 but not a IPv6 outside of WSL... Network is unreachable.
I can connect to any IPv6 from Windows, but not the WSL IPv6.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:cd:1b:fb brd ff:ff:ff:ff:ff:ff
    inet 172.23.124.191/20 brd 172.23.127.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fecd:1bfb/64 scope link
       valid_lft forever preferred_lft forever