cannot reach ipv6 only address

[andyli]

• Your Windows build number: 10.0.18980.1

• What you're doing and what's happening: (Copy&paste the full set of specific command-line steps necessary to reproduce the behavior, and their output. Include screen shots if that helps demonstrate the problem.)

I tried to access a ipv6 only website and failed. My commands run in Debian Buster with WSL 2:

$ curl -I https://ocaml.debian.net
curl: (7) Couldn't connect to server

$ sudo ping6 2001:913:c01:0:d52c:1903:be09:265f
connect: Network is unreachable

• What's wrong / what should be happening instead:

The curl command should succeed. Here is the result if I run it in Windows (outside of WSL):

>curl -I https://ocaml.debian.net
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Wed, 18 Sep 2019 04:15:40 GMT
Content-Type: text/html
Content-Length: 341
Last-Modified: Sat, 03 Aug 2019 04:57:55 GMT
Connection: keep-alive
ETag: "5d451453-155"
Accept-Ranges: bytes

>ping 2001:913:c01:0:d52c:1903:be09:265f

Pinging 2001:913:c01:0:d52c:1903:be09:265f with 32 bytes of data:
Reply from 2001:913:c01:0:d52c:1903:be09:265f: time=208ms
Reply from 2001:913:c01:0:d52c:1903:be09:265f: time=206ms
Reply from 2001:913:c01:0:d52c:1903:be09:265f: time=206ms
Reply from 2001:913:c01:0:d52c:1903:be09:265f: time=206ms

Ping statistics for 2001:913:c01:0:d52c:1903:be09:265f:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 206ms, Maximum = 208ms, Average = 206ms

FYI, here is my network interface info:

C:\Users\Andy>ipconfig

Windows IP Configuration


Ethernet adapter VPN - VPN Client:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter vEthernet (DockerNAT) 2:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.75.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : lan
   IPv6 Address. . . . . . . . . . . : 2002:d206:9dd2::100
   IPv6 Address. . . . . . . . . . . : 2002:d206:9dd2:0:7940:661e:9b71:38ca
   IPv6 Address. . . . . . . . . . . : fd3a:95fa:b06b::100
   IPv6 Address. . . . . . . . . . . : fd3a:95fa:b06b:0:7940:661e:9b71:38ca
   Temporary IPv6 Address. . . . . . : 2002:d206:9dd2:0:c8d1:e8bc:b818:9b48
   Temporary IPv6 Address. . . . . . : fd3a:95fa:b06b:0:c8d1:e8bc:b818:9b48
   Link-local IPv6 Address . . . . . : fe80::7940:661e:9b71:38ca%14
   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::7ad2:94ff:fe7e:41e9%14
                                       192.168.1.1

Ethernet adapter Ethernet 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Bluetooth Network Connection 4:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter vEthernet (Default Switch):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::e0:3fd0:91b9:ca2a%45
   IPv4 Address. . . . . . . . . . . : 172.17.96.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::d42c:c288:563c:b292%53
   IPv4 Address. . . . . . . . . . . : 172.29.48.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

andy@Hawk:/mnt/c/Users/Andy$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.29.49.132  netmask 255.255.240.0  broadcast 172.29.63.255
        inet6 fe80::215:5dff:fed7:3bf8  prefixlen 64  scopeid 0x20<link>
        ether 00:15:5d:d7:3b:f8  txqueuelen 1000  (Ethernet)
        RX packets 856  bytes 101884 (99.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 39  bytes 3349 (3.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[craigloewen-msft]

Could you please take some networking logs for us? Instructions on how to do so are here!

And then post the link to your feedback in this issue so we can easily find it. :) Thanks!

Also for reference for myself and the team this may be a similar issue to https://github.com/microsoft/WSL/issues/4436, however it's different enough since this is accessing an external site.

[andyli]

Here you are: https://aka.ms/AA63cvl

[ghzhou]

I have same issue. In wsl2, I have a docker of oracle bind to tcp6. From inside wsl2, I can connect with ::1 or 127.0.0.1, which means it is dual-stack. root@cnjiezhou01:/etc# netstat -an | grep 1521 | grep -i liste tcp6 0 0 :::1521 :::* LISTEN root@cnjiezhou01:/etc# telnet 127.0.0.1 1521 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. ^] telnet> quit Connection closed. root@cnjiezhou01:/etc# telnet ::1 1521 Trying ::1... Connected to ::1. Escape character is '^]'. ^] telnet> quit Connection closed.

From the host windows:

C:>netstat -an | findstr 1521 | findstr /i list TCP [::1]:1521 [::]:0 LISTENING

C:>telnet 127.0.0.1 1521 Connecting To 127.0.0.1...Could not open connection to the host, on port 1521: Connect failed

[craigloewen-msft]

As of right now the Host Network service does not support ipv6 only websites. We've filed this as a feature request with them and we will post any updates on this thread as they become available! Thank you for filing this.

[WSLUser]

@craigloewen-msft any progress with this? Also I noticed the kernel doesn't have IPv6 enabled. Could you get the kernel bits done first if we're still waiting for underlying platform support?

[craigloewen-msft]

I don't have any updates for this feature request.

@WSLUser what kernel modules would you like added to the kernel? And what workflows would it enable for you?

[WSLUser]

Basically anything that lights up usage of IPv6. I'm thinking more of a network pen test perspective using Kali tools but I'm sure there are some more enterprise-y workflows that would benefit as well if hosted on Windows Server 2019. Something that comes to mind is mostly being able to serve up DHCPv6 and DNS from WSL2 for multiple hosts.

[hcooper]

@craigloewen-msft could the wsl2 upgrade docs be updated to explicit mention breaking IPv6? I would have probably waited a little longer had I know. Thanks.

[craigloewen-msft]

@hcooper Yes! I'll add that in, thank you for the suggestion. :)

[Daemoen]

... Wow... we're in February (nearly 6 months) and this is still an issue? That's disappointing.

[treysis]

In 2020 I would expect "IPv6 first, IPv4 second". Apparently not so at Microsoft. But good to know, so I will not update to WSL 2.

[ghshephard]

Thanks for this thread - I spent about 45 minutes trying to figure out how to get IPv6 working (I have an IPv6 only site I'm trying to connect to) from WSL 2. Looking forward to seeing the protocol added!

[Tiedye]

@craigloewen-msft Any update? WSL 2 is coming close to being widely available

[craigloewen-msft]

We're working on it! This feature won't be available in the initial general release of WSL2. Thanks for your patience here, this is something that we are actively looking into improving.

[zhihuiyuze]

WSL2 has no ipv6, and mapping to the external network requires port forwarding.

[royalpudding]

Is there any kind of work around for this? We recently went completely remote at our organization and all access is being handled using Direct Access. Direct Access is completely IP6, which means WSL2 does not have any access to our internal network. I manage several dozen Linux based servers behind the firewall and my workflow has been completely stopped in its tracks. Ansible can't access any of the servers etc... Can I run WSL concurrently with WSL2? Any thoughts or ideas?

[paulstelian97]

Can I run WSL concurrently with WSL2? Any thoughts or ideas?

If you have multiple distros, you can pick and choose which of them uses WSL1 and which uses WSL2. Just do wsl --set-version "Distro name" 2 or wsl --set-version "Distro name" 1, and wait for the conversion process which can take a while and shows no progress bar (it takes longer or shorter dependent on the amount of data you already have in your distro)

[Nicholas-Johnson-opensource]

What is worse is that if you are on an IPv6-only network (NAT64 for IPv4 access), WSLv2 has no internet access whatsoever. Is there a timeline on the fix? Microsoft said they are working on it (good) but working on it could mean "will deliver in May 2021 update or even later".

[paulstelian97]

IPv6 is actually a difficult mess, I think Hyper-V needs to learn prefix delegation like VMware and the ISP must provide that (my setup with TunnelBroker didn't). I had managed to make a manual setup, configure router advertisements on the "vEthernet (WSL)" interface and gave the VM an IP address in a /64 I had allocated (and also manually added a route in my Raspberry Pi so packets returning to WSL will reach it)

[qadmium]

@paulstelian97 Can you describe more? As I see, in my case host adapter and eth0 in wsl has different ipv6 prefixes. But I didn't manage to setup routing

upd: found your question here https://superuser.com/questions/1545629/how-can-i-give-ipv6-to-wsl2

[Daniel15]

Is there any ETA for a fix for this? At Facebook, our internal network is mostly IPv6-only (see https://www.internetsociety.org/blog/2014/06/facebook-moving-to-an-ipv6-only-internal-network/) so this issue limits the usefulness of WSL2 in this environment.

[paulstelian97]

@paulstelian97 Can you describe more? As I see, in my case host adapter and eth0 in wsl has different ipv6 prefixes. But I didn't manage to setup routing

upd: found your question here https://superuser.com/questions/1545629/how-can-i-give-ipv6-to-wsl2

I managed to setup routing because the WSL network is part of a /48 that is allocated for my tunnel. That's probably what went wrong in your case.

Unless WSL2 can either use prefix delegation or a bridged adapter you'll have issues (IPv6 doesn't have NAT)

[ichdasich]

Broken IPv6 is a serious deal breaker for me. I am sitting behind a DS-lite setup, with rather painfull v4. Are there any technical issues that prevent a feature/configuration for bridging the WSL system to the host IF (or rather the bridge over that IF i have anyway for my hyperv VMs)?

[vbifonixor]

Guys, come on! I've updated to w10 2004 only because of WSL2 and I can't connect to most of my intranet? How is it still not solved since first insider builds?? Looks more like a serious bug to me, since almost everybody now uses IPv6 primarily

[paulstelian97]

Guys, come on! I've updated to w10 2004 only because of WSL2 and I can't connect to most of my intranet? How is it still not solved since first insider builds?? Looks more like a serious bug to me, since almost everybody now uses IPv6 primarily

IPv6 is actually hard to do. Hyper-V only has IPv4 NAT support, for IPv6 NAT to be supported you need something else.

I have managed to do a workaround at home for this but what is supported (without the workaround) is IPv6 servers hosted in WSL. That does work just fine via the "automatic port forwarding" that is done for IPv4 as well.

While it is surprisingly difficult to deploy IPv6 to virtual machines (including WSL2) because NAT isn't exactly Kosher in the IPv6 world (and that may be the reason Hyper-V won't support it), it can be done after a lot of work. But I wouldn't be surprised if 20H2 didn't have it; maybe 21H1? It would be nice if DHCP prefix delegation were a thing.

[ichdasich]

Well, technically i'd argue that there should not be NAT, but the hyper-v host should actually do rfc4389 (https://tools.ietf.org/html/rfc4389) style proxy nd. This is v6 after all...

[paulstelian97]

Well, technically i'd argue that there should not be NAT, but the hyper-v host should actually do rfc4389 (https://tools.ietf.org/html/rfc4389) style proxy nd. This is v6 after all...

Wasn't aware that existed, it's definitely the better path. This would allow it to work in any IPv6 network, including those that only have autoconfig (and router advertisements), like my old mock network via TunnelBroker (my ISP doesn't provide me IPv6, although I'm also in an interesting conundrum in this sense)

[yoursunny]

I found that WSL2 also does not support dual-stack listeners.

nginx site:

  listen [::]:443 default_server ipv6only=off ssl http2;

This creates one listening socket, and it should be reachable on both IPv4 and IPv6. However, in WSL2 this socket is not reachable via IPv4.

I have to use a separate IPv4 socket for the website to be accessible on IPv4:

  listen 0.0.0.0:443 default_server ssl http2;
  listen [::]:443 default_server ipv6only=on ssl http2;

[paulstelian97]

How does Node support IPv6 automatically when I listen on IPv4? Does it manually create both IPv4 and IPv6 sockets?

[treysis]

Why should listening on [::] include listening on 0.0.0.0? There are systems without IPv4-stack out there (rare, but they do exist). Also, this is the expected case for nginx. Especially since you use ipv6only=on. It's in the documentation.

And, this doesn't really belong into this discussion.