This message was deleted.
# rancher-desktopa
adamant-kite-43734
10/27/2022, 5:27 PMThis message was deleted.
w
wide-mechanic-33041
10/27/2022, 6:28 PMdid you try to reset RD or uninstall/reinstall? while RD running can you rdctl shell and see if any basic network operations work outside of the distro?
d
dazzling-smartphone-17242
10/27/2022, 7:01 PMI did try a reset and uninstall/reinstalll earlier. For rdctl, was there a specific command I should run? I executed some of the commands listed in the command reference and didn't see any errors.
w
wide-mechanic-33041
10/27/2022, 7:01 PMits just a shell so pinging your dns server as an example just shows network is live
d
dazzling-smartphone-17242
10/27/2022, 7:07 PMok so inside of that shell I can't seem to reach anything on the network
w
wide-mechanic-33041
10/27/2022, 7:07 PMyou have a VPN going?
d
dazzling-smartphone-17242
10/27/2022, 7:08 PMyes
w
wide-mechanic-33041
10/27/2022, 7:12 PMd
dazzling-smartphone-17242
10/27/2022, 7:14 PMI'll check it out thanks
dazzling-smartphone-17242
10/27/2022, 8:45 PMI tried the instructions listed in that article>
Get-NetIPInterface -InterfaceAlias "vEthernet (WSL)" | Set-NetIPInterface -InterfaceMetric 1
Get-NetIPInterface -InterfaceAlias "Ethernet 4" | Set-NetIPInterface -InterfaceMetric 5001
Next I started Rancher Desktop. This time I saw it downloading stuff for Kubernetes. No errors in the ui. However, I was not able to access any internal sites from a browser. Also noticed that from rdctl shell I still cannot successfully ping a public or internal hostname.
Next, I tried this.
Get-NetIPInterface -InterfaceAlias "Ethernet 4" | Set-NetIPInterface -InterfaceMetric 2
That got me access again to my companies internal servers outside the rdctl shell. Still cannot ping anything within that shell. Also it took a solid 5 minutes for the rd gui to start kubernetes. Not sure if that is related to the network interface priority.
w
wide-mechanic-33041
10/27/2022, 8:48 PMyeah each VPN plays with the route table just a little differently. your company may use a route control policy that resets any changes that you make to the route table so those workarounds may not work. i would startup RD and check the results of
route printd
dazzling-smartphone-17242
10/27/2022, 8:58 PMChecking the route with the rdctl shell
Copy code
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default host.rancher-de 0.0.0.0 UG 0 0 0 eth0
10.42.0.0 * 255.255.255.0 U 0 0 0 cni0
172.17.0.0 * 255.255.0.0 U 0 0 0 docker0
172.21.112.0 * 255.255.240.0 U 0 0 0 eth0dazzling-smartphone-17242
10/27/2022, 8:58 PMAnd from Poweshell
Copy code
PS C:\windows\system32> route print
===========================================================================
Interface List
59...00 15 5d 8a 1f 06 ......Hyper-V Virtual Ethernet Adapter #2
14...02 50 41 00 00 01 ......PANGP Virtual Ethernet Adapter
8...48 2a e3 92 f7 e9 ......Intel(R) Ethernet Connection (7) I219-LM
3...5c ff 35 d8 77 f6 ......Lenovo USB Ethernet
13...c8 b2 9b f7 96 a3 ......Intel(R) Wi-Fi 6 AX200 160MHz
23...c8 b2 9b f7 96 a4 ......Microsoft Wi-Fi Direct Virtual Adapter
7...ca b2 9b f7 96 a3 ......Microsoft Wi-Fi Direct Virtual Adapter #2
17...c8 b2 9b f7 96 a7 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
46...00 15 5d 9c 3a 91 ......Hyper-V Virtual Ethernet Adapter
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.107 25
0.0.0.0 0.0.0.0 On-link 10.242.132.202 2
10.0.0.0 255.255.255.0 On-link 10.0.0.107 281
10.0.0.0 255.255.255.0 On-link 10.242.132.202 2
10.0.0.107 255.255.255.255 On-link 10.0.0.107 281
10.0.0.255 255.255.255.255 On-link 10.0.0.107 281
10.0.0.255 255.255.255.255 On-link 10.242.132.202 2
10.242.132.202 255.255.255.255 On-link 10.242.132.202 258
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
170.40.0.100 255.255.255.255 On-link 10.242.132.202 2
170.40.127.100 255.255.255.255 On-link 10.242.132.202 2
172.21.112.0 255.255.240.0 On-link 172.21.112.1 257
172.21.112.0 255.255.240.0 On-link 10.242.132.202 2
172.21.112.1 255.255.255.255 On-link 172.21.112.1 257
172.21.127.255 255.255.255.255 On-link 172.21.112.1 257
172.21.127.255 255.255.255.255 On-link 10.242.132.202 2
192.168.32.0 255.255.240.0 On-link 192.168.32.1 5256
192.168.32.0 255.255.240.0 On-link 10.242.132.202 2
192.168.32.1 255.255.255.255 On-link 192.168.32.1 5256
192.168.47.255 255.255.255.255 On-link 192.168.32.1 5256
192.168.47.255 255.255.255.255 On-link 10.242.132.202 2
192.189.252.43 255.255.255.255 10.0.0.1 10.0.0.107 25
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.0.0.107 281
224.0.0.0 240.0.0.0 On-link 192.168.32.1 5256
224.0.0.0 240.0.0.0 On-link 10.242.132.202 258
224.0.0.0 240.0.0.0 On-link 172.21.112.1 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.0.0.107 281
255.255.255.255 255.255.255.255 On-link 192.168.32.1 5256
255.255.255.255 255.255.255.255 On-link 10.242.132.202 258
255.255.255.255 255.255.255.255 On-link 172.21.112.1 257
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
3 281 ::/0 fe80::aa70:5dff:fead:e7a8
1 331 ::1/128 On-link
3 281 2601:182:d81:25c0::/64 On-link
3 281 2601:182:d81:25c0::e949/128
On-link
3 281 2601:182:d81:25c0:49c:39c9:f960:2435/128
On-link
3 281 2601:182:d81:25c0:890e:3a60:877c:9e00/128
On-link
3 281 fe80::/64 On-link
46 5256 fe80::/64 On-link
59 257 fe80::/64 On-link
3 281 fe80::49c:39c9:f960:2435/128
On-link
59 257 fe80::1d85:21d1:a916:bbd7/128
On-link
46 5256 fe80::25ae:2feb:733c:b70/128
On-link
1 331 ff00::/8 On-link
3 281 ff00::/8 On-link
46 5256 ff00::/8 On-link
59 257 ff00::/8 On-link
===========================================================================
Persistent Routes:
Nonedazzling-smartphone-17242
10/27/2022, 8:58 PMI'm a bit outside my comfort zone here - hope this tells you something
w
wide-mechanic-33041
10/27/2022, 9:00 PMyeah no worries. This is why i added that feedback to that Issue. you are down in the weeds of the system and things working or not are dependent on how the product is implemented and how the organization has configured their policies
wide-mechanic-33041
10/27/2022, 9:02 PMwhat is the ip in use for the RD distro? I believe ifconfig works in alpine
wide-mechanic-33041
10/27/2022, 9:03 PMi am betting your distro is on that 192.168.32.0/20
d
dazzling-smartphone-17242
10/27/2022, 9:03 PMhey sorry but I am a bit of a newbie with containers. How am I getting what you asked for?
w
wide-mechanic-33041
10/27/2022, 9:04 PMbut there are a mess of duplicated routes in that table that make me think your metric changes went wonky
wide-mechanic-33041
10/27/2022, 9:04 PMrdctl shellifconfigd
dazzling-smartphone-17242
10/27/2022, 9:04 PMoh ok
dazzling-smartphone-17242
10/27/2022, 9:04 PMgotcha
dazzling-smartphone-17242
10/27/2022, 9:05 PM Copy code
/mnt/c/data # ifconfig
cni0 Link encap:Ethernet HWaddr C6:E2:95:35:03:DF
inet addr:10.42.0.1 Bcast:10.42.0.255 Mask:255.255.255.0
inet6 addr: fe80::c4e2:95ff:fe35:3df/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1
RX packets:28839 errors:0 dropped:0 overruns:0 frame:0
TX packets:32143 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5734492 (5.4 MiB) TX bytes:4152066 (3.9 MiB)
docker0 Link encap:Ethernet HWaddr 02:42:7A:FE:9C:55
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth0 Link encap:Ethernet HWaddr 00:15:5D:27:FE:52
inet addr:172.21.115.14 Bcast:172.21.127.255 Mask:255.255.240.0
inet6 addr: fe80::215:5dff:fe27:fe52/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3511 errors:0 dropped:0 overruns:0 frame:0
TX packets:3942 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:625548 (610.8 KiB) TX bytes:3816876 (3.6 MiB)
flannel.1 Link encap:Ethernet HWaddr E2:E8:34:F5:61:1F
inet addr:10.42.0.0 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: fe80::e0e8:34ff:fef5:611f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:5 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:63610 errors:0 dropped:0 overruns:0 frame:0
TX packets:63610 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:16738980 (15.9 MiB) TX bytes:16738980 (15.9 MiB)
veth52c77457 Link encap:Ethernet HWaddr B6:BD:A9:F2:AC:F0
inet6 addr: fe80::b4bd:a9ff:fef2:acf0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1
RX packets:194 errors:0 dropped:0 overruns:0 frame:0
TX packets:220 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14644 (14.3 KiB) TX bytes:21019 (20.5 KiB)
veth5fe9ccff Link encap:Ethernet HWaddr 56:98:4D:9E:82:86
inet6 addr: fe80::5498:4dff:fe9e:8286/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1
RX packets:17345 errors:0 dropped:0 overruns:0 frame:0
TX packets:19919 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4382115 (4.1 MiB) TX bytes:2761896 (2.6 MiB)
veth6179d0ae Link encap:Ethernet HWaddr FE:D0:4E:7C:03:14
inet6 addr: fe80::fcd0:4eff:fe7c:314/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1
RX packets:5643 errors:0 dropped:0 overruns:0 frame:0
TX packets:5758 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:537654 (525.0 KiB) TX bytes:525864 (513.5 KiB)w
wide-mechanic-33041
10/27/2022, 9:05 PMwsl shares some key parts of the route table with the Host and the Internet Connection Sharing service provides NAT, but yeah this is the downside
wide-mechanic-33041
10/27/2022, 9:06 PMgot it… so 172.21.115.14 is in
Copy code
172.21.112.0 255.255.240.0 On-link 172.21.112.1 257
172.21.112.0 255.255.240.0 On-link 10.242.132.202 2
172.21.112.1 255.255.255.255 On-link 172.21.112.1 257wide-mechanic-33041
10/27/2022, 9:08 PMthat 2nd copy of the subnetIP is a problem. can you run a route delete in your Host (elevated prompt)
route delete 172.21.112.0 mask 255.255.240.0 10.242.132.202wide-mechanic-33041
10/27/2022, 9:08 PMthen do a route print and just copy that little section around that 172.21 space
wide-mechanic-33041
10/27/2022, 9:09 PMthe question is if the VPN policy puts the bad route back at the lower metric
d
dazzling-smartphone-17242
10/27/2022, 9:09 PMwouldnt surprise me
dazzling-smartphone-17242
10/27/2022, 9:10 PMI am doing all of this outside of the shell....just a normal elevated windows command prompt or powershell?
w
wide-mechanic-33041
10/27/2022, 9:10 PMdoing a preflight WSL2 health check for folks would really help. this isn’t really an RD thing, but more the WSL2 framework
wide-mechanic-33041
10/27/2022, 9:11 PMyeah that is in an elevated/UAC’d posh or cmd window
d
dazzling-smartphone-17242
10/27/2022, 9:11 PM Copy code
PS C:\windows\system32> route delete 172.21.112.0 mask 255.255.240.0 10.242.132.202
The route deletion failed: Element not found.dazzling-smartphone-17242
10/27/2022, 9:11 PMtypo ?
w
wide-mechanic-33041
10/27/2022, 9:12 PMwouldn’t put it past me. 😉
d
dazzling-smartphone-17242
10/27/2022, 9:12 PM Copy code
172.21.112.0w
wide-mechanic-33041
10/27/2022, 9:12 PMcan never remember if windows requires the specific interface the route is on
wide-mechanic-33041
10/27/2022, 9:14 PMyou can always do
route delete 172.21.112.0route add 172.21.112.0 mask 255.255.240.0 172.21.112.1d
dazzling-smartphone-17242
10/27/2022, 9:14 PMok
w
wide-mechanic-33041
10/27/2022, 9:15 PMsorry route print doesn’t provide all the info so it then needs info from the adapters to then drive another command. not the easiest to do over a chat. 😅
d
dazzling-smartphone-17242
10/27/2022, 9:15 PM Copy code
172.21.112.0 255.255.240.0 On-link 172.21.112.1 2
172.21.112.1 255.255.255.255 On-link 172.21.112.1 257
172.21.127.255 255.255.255.255 On-link 172.21.112.1 257
192.168.32.0 255.255.240.0 On-link 192.168.32.1 5256
192.168.32.0 255.255.240.0 On-link 10.242.132.202 2
192.168.32.1 255.255.255.255 On-link 192.168.32.1 5256
192.168.47.255 255.255.255.255 On-link 192.168.32.1 5256
192.168.47.255 255.255.255.255 On-link 10.242.132.202 2
192.189.252.43 255.255.255.255 10.0.0.1 10.0.0.107 25
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.0.0.107 281
224.0.0.0 240.0.0.0 On-link 192.168.32.1 5256
224.0.0.0 240.0.0.0 On-link 10.242.132.202 258
224.0.0.0 240.0.0.0 On-link 172.21.112.1 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.0.0.107 281
255.255.255.255 255.255.255.255 On-link 192.168.32.1 5256
255.255.255.255 255.255.255.255 On-link 10.242.132.202 258
255.255.255.255 255.255.255.255 On-link 172.21.112.1 257w
wide-mechanic-33041
10/27/2022, 9:16 PMk that looks pretty good. can you ping things in your intranet
wide-mechanic-33041
10/27/2022, 9:16 PMsorry from
rdctl shelld
dazzling-smartphone-17242
10/27/2022, 9:17 PMell from intranet I cant - lost access to internal servers again
w
wide-mechanic-33041
10/27/2022, 9:17 PMhmmm. the rest of your route table had a bunch of duplicate routes
wide-mechanic-33041
10/27/2022, 9:18 PMor your VPN is seeing you messing w the route table so it drops and restores the broken one
d
dazzling-smartphone-17242
10/27/2022, 9:18 PMand from shell I can ping public servers, not internal
w
wide-mechanic-33041
10/27/2022, 9:19 PMk that is interesting as normally VPNs leverage a force tunnel, but they may just send intranet traffic to them and everything else to the internet
wide-mechanic-33041
10/27/2022, 9:20 PMi might suggest reboot and start fresh. make sure you can access your intranet machines from the host. browser type stuff
d
dazzling-smartphone-17242
10/27/2022, 9:20 PMI obviously need to get internal server access back....
dazzling-smartphone-17242
10/27/2022, 9:20 PMthen address WSL issue
w
wide-mechanic-33041
10/27/2022, 9:20 PMthan start up RD (or any wSL2 distro) and see what happens to the route table
d
dazzling-smartphone-17242
10/27/2022, 9:20 PMok will do
dazzling-smartphone-17242
10/27/2022, 9:21 PMappreciate the assistance thus far
w
wide-mechanic-33041
10/27/2022, 9:21 PMand then be very precise with the routes that you change if you can.
wide-mechanic-33041
10/27/2022, 9:22 PMlots of folks have WSL2 issues and VPNs. Very few suppliers built with virtual networking in mind so even though those routes in the virtual switch are all local (the on-link) they step all over them
d
dazzling-smartphone-17242
10/27/2022, 9:22 PMok I am rebooting now
👍 1
w
wide-mechanic-33041
10/27/2022, 9:24 PMneed to start feeding the fam, but will check back tonight or tomorrow morn. just make sure you have a known good experience in the host with traffic going to the intranet and internet that is supposed to. than make small changes and test for success. avoid big loops that might grab the wrong thing. And snap the
route printd
dazzling-smartphone-17242
10/27/2022, 9:29 PMsounds good Justin. I am finishing up for the day shortly. FYI I have intranet access back after a reboot. Thats good news.
dazzling-smartphone-17242
10/28/2022, 12:54 PMHi @wide-mechanic-33041. I am in the office this morning(no VPN), but can revisit this in the afternoon(ET). I found this link and in particular it mentions wsl-vpnkit . Any experience with this? Maybe worth a try?
w
wide-mechanic-33041
10/28/2022, 1:12 PMCant speak for the Rancher team, but it follows a hostforwarder model like was done for DNS in RD so it is a pattern that some folks are using rather than the netflows via hyper-v vswitch. As you can see adding that project in is a bit interesting. If it works for your case def flag back here and the rancher team could eval what pulling that model in for Windows similar to pulling hostforwarder from lima.
d
dazzling-smartphone-17242
10/28/2022, 1:13 PMok will do. I am also checking some channels within our company to see what others have done to get this going. I will report back so it could possibly help others. So far I am in waiting mode.
w
wide-mechanic-33041
10/28/2022, 1:21 PMlike for my vpn supplier there is no active blocking to the interface its due to a broken route for the subnet ip which breaks traffic to the gateway so there is rarely a silver bullet with all these situations. So working upstream to get our suppliers to wise up on modern tooling.
p
prehistoric-keyboard-66463
10/28/2022, 3:05 PMHello,
vtunnel (https://github.com/rancher-sandbox/rancher-desktop/tree/main/src/go/vtunnel) is not here to solve such issue ?
w
wide-mechanic-33041
10/28/2022, 5:38 PMsame basic model as vpnkit, but don’t know if it is in place. and if it is well doesn’t seem to fix the issues for some of us. 😉
d
dazzling-smartphone-17242
10/28/2022, 9:06 PMUpdate....I am working with the networking team within my company to hopefully resolve this. I won't be trying vpnkit at the moment as it may not be necessary.
p
prehistoric-keyboard-66463
11/08/2022, 12:43 PMI also tried on my side. To sum up:
prehistoric-keyboard-66463
11/08/2022, 12:50 PM• I have McAfee/Trellix (Including endpoint security : a local firewall
• I have a VPN client (Cisco Anyconnect)
So I face 2 problems, like a lot of Rancher Desktop users.
1. McAfee is filtering network flows from WSL2. Even if you activate the wsl2 support in the McAfee profile, default rules blocks incoming traffic. And WSL2 network flows are considered as incoming traffic.
2. VPN Client is tunneling all local network traffic, so it broke all WSL2 -> Windows host traffic (since wsl2 is goign trough windows host to access network)
prehistoric-keyboard-66463
11/08/2022, 12:57 PMYou can find solutions to solve those 2 problems but secops may be angry about weaknesses you introduce.
My thought is that the DD value for enterprises lies in the way they dealt this issue : by translating all network flows in userspace with vpnkit. This bypass firewall locking & vpn routing. And it works surprinsingly well.
prehistoric-keyboard-66463
11/08/2022, 1:00 PMSo it would be an amazing improvment if Rancher Desktop could implement a slirp solution!
Please check this
711 Views