Issues with Bidirectional Communication Using IPvlan L3 Mode on WSL2 and Windows 11

I’m working on setting up a Docker-based development environment using IPvlan L3 mode in WSL2 on Windows 11. My main challenge is achieving bidirectional communication between a Docker container, the Windows host, and a physical camera device on the same network.

Current Setup:

  • Docker Container (172.19.0.30): Can ping the physical camera (172.19.0.60).
  • Windows Host (172.19.0.150): Can ping the camera but cannot ping the Docker container.

Problem:

In IPvlan L3 mode, it seems that communication is typically only one-way (from container to host or device). I need to configure the network so that both the Windows host and the camera can detect and communicate with the Docker container.

What I’ve Tried:

  • Adding routes on the Windows host.
  • Enabling IP forwarding in WSL2.
  • Checking iptables rules to ensure nothing is blocked.
  • Adjusting Docker network configurations in the docker-compose.yml.

Questions:

  1. How can I configure the Docker network and WSL2 to allow the host and camera to communicate with the container?
  2. Are there any specific configurations or workarounds that can help achieve this in IPvlan L3 mode?

Environment:

  • OS: Windows 11 Pro
  • WSL2 Distro: Ubuntu 20.04
  • Docker Version: 20.10.17
  • Docker Compose Version: 1.29.2

Any advice or guidance on resolving this networking challenge would be greatly appreciated!

Something is not right here. You chose the Windows Containers subcategory under “Docker Desktop for Windows”, but you mention WSL2 so you are using Linux which is also confirmed by your Environment section at the end of your question. Your Docker version and Compose version are old and Docker Desktop does not use Ubuntu, so a great way to avoid getting answers is choosing an unrelated category.

I don’t understand this either. how can your container IP be on the same network as your Windos host? Or is 172.19.0.150 in a different subnet using netmasks?

Can you explain in more details how your network looks like?

I would also recommend updating Docker and definitely Compose. Search for Compose v2.

EDIT:

After some minutes I realized you probably meant 172.19.0.150 was the IP of Windows on the network of WSL2 and you ran the container on IPVlan in the same LAN network. Right?

You’re right—the Windows host at 172.19.0.150 is on the WSL2 network, and the container is running with IPvlan in the same LAN.

My ultimate goal is to set up a dedicated network where the container and an external device (such as a camera, WSL, or the Windows host) can communicate bidirectionally. The issue is that I can only establish communication in one direction: from the container to the other devices.

For context, I initially used Docker Compose to simplify debugging, but I also tested by manually creating everything in the terminal, connecting the containers to the network, and performing the connection tests. The results were the same, so using Docker Compose was purely for easier debugging.

How did you configure your WSL2 distribution to not use a NATted private network? Even mirrored mode does not make the WSL2 distribution behave like it’s attached to a network bridge. If I am not mistaken WSL1 allows creating a network bridge (which then acts like a switch)

Furthermore, ipvlan l3 is supposed to have a different ip range than the host (in your case the wsl2 distribution), and it should route from the host network (again your wsl2 distro) to the container network (and the other way around). This ip range is also not the ip range of your lan.

I did some tests with wsl2 mirrored mode and ipvlan v2 and macvlan a while ago: Macvlan, transparent, and host netowork types? - #3 by meyay

It does not overcome the separation of the Windows host and the utility vm that runs the WSL2 distribution.

My WSL2 distribution is using a NATted private network, with an IP address of 172.24.28.102/20 assigned to eth0. The routing table confirms that traffic is routed through the gateway 172.24.16.1. I’m using WSL2 version 2, and there are no custom network bridge configurations in place.

Key Points:

  • The WSL2 distribution is attached to a NATted network by default, not a bridged one.
  • The Docker container network (192.168.200.0/24) is separate from both the host network (192.168.100.0/24) and the WSL2 network (172.24.28.102/20), which aligns with the expected behavior of IPvlan L3 mode.
  • Despite correct route configuration and IP forwarding being enabled, the host still cannot ping the container, likely due to Docker’s network isolation in this setup.

It appears that WSL2’s networking, even in mirrored mode, doesn’t behave like a true network bridge, which might be contributing to the issue.

I’ve continued troubleshooting the issue, but the host still can’t ping the container.
This time I tried a bridged subnet.

Current Situation:

  • Container (192.168.200.10) can ping the camera (192.168.100.2).
  • Host (192.168.100.1) can ping the camera.
  • Host can’t ping the container (“Destination host unreachable”).

Network Details:

  • Host IP (Ethernet): 192.168.100.1/24
  • Camera IP: 192.168.100.2/24
  • Docker Network Subnet: 192.168.200.0/24
  • Container IP: 192.168.200.10
  • Route: 192.168.200.0/24 via 192.168.100.1 is set on the host.
  • IP Forwarding: Enabled in WSL2.

What I’ve Tried:

  1. Route Addition: Confirmed that the route for 192.168.200.0/24 is correctly set on the host.
  2. IP Forwarding: Enabled in WSL2, but it didn’t resolve the issue.
  3. Traceroute: Shows packets aren’t routing correctly beyond the first hop.
  4. Firewall: Temporarily disabled, no change.

This can’t be right. Shouldn`t it be via the ip of your wsl distribution?

On the host you have the “Ethernet-Adapter vEthernet (WSL (Hyper-V firewall))” interface, which allows you to access the ip of the wsl distribution. The very same ip is configured as default gateway inside the wsl distribution.

I am perfectly able to ping the wsl distribution’s ip from my windows host.

Can you share how you created the ipvlan l3 network?

IP Address Summary

Component IP Address Subnet Mask Gateway
Windows Host Ethernet 192.168.100.1 255.255.255.0 None
Camera 192.168.100.2 255.255.255.0 192.168.100.1
Docker Container (IPvlan L3) 192.168.100.3 255.255.255.0 None
WSL (Hyper-V firewall) Interface 172.24.16.1 255.255.240.0 None
Debian (WSL) Interface 172.24.28.102 255.255.240.0 172.24.16.1

Summary of Configuration and Results

  • Route added: 192.168.100.3 via 172.24.16.1.
  • Ping Results:
    • Container can ping Camera.
    • Host cannot ping Container (Destination host unreachable).
  • Traceroute: Confirms no route from Host to Container.

Docker Compose File Used for This Test

networks:
  ethernet:
    driver: ipvlan
    driver_opts:
      parent: eth0
      ipvlan_mode: l3
    ipam:
      config:
        - subnet: 192.168.100.0/24

services:
  dev-container:
    build:
      context: .
      dockerfile: Dockerfile
    networks:
      ethernet:
        ipv4_address: 192.168.100.3
    cap_add:
      - NET_ADMIN
      - NET_RAW
    command: >
      /bin/bash -c "
      tail -f /dev/null
      "

Thank you for sharing the ipvlan l3 configuration. I didn’t expect it to be a straight forward configuration, as I tried to use ipvlan l3 in the past and failed.

The gateway 172.24.16.1 has no shared interface within the same subnet as 192.168.100.3. How do you expect it to route the traffic? I suggested to use the ip of the wsl distribution instead of the gateway - you just repeated a variation of what you tried before.

Issue Description

Thanks for your feedback.

I fixed the issue properly this time, but I noticed something that might be a better proxy to understand this problem:

Device Name: Debian WSL
IP Address: 172.24.28.102
Subnet: 172.24.16.0/20
Gateway: Not Defined
Network Interface: eth0
MAC Address: 00:15:5d:e1:e8:be
Broadcast Address: 172.24.31.255
Routing: Local Route 172.24.16.0/20 via eth0, Default Route via 172.24.16.1

Container Name: dev-container
IP Address: 172.24.16.11
Subnet: 172.24.16.0/20
Gateway: Not Defined
Network Interface: eth0
MAC Address: a6:e7:0c:02:22:84
Broadcast Address: 172.24.31.255
Routing: Local Route 172.24.16.0/20 via eth0, Default Route via eth0


Question:
Why could the dev-container successfully ping the Debian WSL device, but the Debian WSL device received “Destination Host Unreachable” when pinging the dev-container, despite both having correct network configurations and no firewall restrictions?

Now, I can see that the Windows host is correctly routing to the WSL interface, but the communication fails to complete. Therefore, I believe this test I just shared highlights the underlying issue that may be affecting the broader IPvlan L3 mode setup.