Windows containers can't access the internet

[mattleibow]

• I have tried with the latest version of my channel (Stable or Edge)
• I have uploaded Diagnostics
• Diagnostics ID: C8AB291E-DF0F-4D7B-A810-178029BD5D49/20181017184316

Expected behavior

Access internet.

Actual behavior

No internet on Windows containers. My local VMs can access the internet. My linux containers are also connected. My Windows containers? 💥 It was working a few days ago, but for the life of me I can't recall if anything changed. I don't think so.

I tried uninstalling docker, Hyper-V and containers. uninstalled all the vethernet devices, and then reinstalled everything. nothing works.

Information

• Windows Version: 10.0 17763 (17763.1.amd64fre.rs5_release.180914-1434)
• Docker for Windows Version: 18.06.1-ce

Steps to reproduce the behavior

FROM microsoft/windowsservercore:1803
RUN ping bing.com

PS > docker stop testing ; docker rm testing ; docker build --tag testing . ; docker run --detach --name testing testing

I ran the Debug-ContainerHost.ps1 script, and this is the output (I also ran the LoggingAndCleanupAide.ps1 script with the extended edition flags):

Checking for common problems
Container Host OS Product Name: Windows 10 Enterprise
Container Host OS Build Label: 17763.1.amd64fre.rs5_release.180914-1434
Describing Windows Version and Prerequisites
 [+] Is Windows 10 Anniversary Update or Windows Server 2016 103ms
 [+] Has KB3192366, KB3194496, or later installed if running Windows build 14393 25ms
 [+] Is not a build with blocking issues 36ms
 [+] Has 'Containers' feature installed 44.92s
Describing Docker is installed
 [+] A Docker service is installed - 'Docker' or 'com.Docker.Service'  105ms
 [+] Service is running 64ms
 [+] Docker.exe is in path 2.1s
 [+] Docker is registered in the EventLog service 141ms
Describing User has permissions to use Docker daemon
 [+] docker.exe should not return access denied 98ms
Describing Windows container settings are correct
 [+] Do not have DisableVSmbOplock set to 1 62ms
 [+] Do not have zz values set 266ms
 [+] Do not have FDVDenyWriteAccess set to 1 286ms
Describing The right container base images are installed
 [+] At least one of 'microsoft/windowsservercore' or 'microsoft/nanoserver' should be installed 986ms
Describing Container network is created
 [+] At least one local container network is available 2.71s
 [+] At least one NAT, Transparent, or L2Bridge Network exists 55ms
 [+] NAT Network's vSwitch is internal 48ms
 [-] A Windows NAT is configured if a Docker NAT network exists 125ms
   Expected {0} to be greater than or equal to {1}
   226:        $winnatCount | Should Not BeLessThan $natCount
   at <ScriptBlock>, C:\Projects\SkiaSharp\samples\Basic\Docker\test.ps1: line 226
 [+] Specified Network Gateway IP for NAT network is assigned to Host vNIC 100ms
 [+] NAT Network's internal prefix does not overlap with external IP' 54ms
Showing output from: docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 18.06.1-ce
Storage Driver: windowsfilter
 Windows:
Logging Driver: json-file
Plugins:
 Volume: local
 Network: ics l2bridge l2tunnel nat null overlay transparent
 Log: awslogs etwlogs fluentd gelf json-file logentries splunk syslog
Swarm: inactive
Default Isolation: hyperv
Kernel Version: 10.0 17763 (17763.1.amd64fre.rs5_release.180914-1434)
Operating System: Windows 10 Enterprise Version 1809 (OS Build 17763.55)
OSType: windows
Architecture: x86_64
CPUs: 8
Total Memory: 15.93GiB
Name: Silver-Star
ID: PGAX:7I6H:IYDP:WH2J:FEIM:7HKK:MH74:EWZ5:CCEM:CSZL:5OMV:BQGM
Docker Root Dir: C:\ProgramData\Docker
Debug Mode (client): false
Debug Mode (server): true
 File Descriptors: -1
 Goroutines: 26
 System Time: 2018-10-17T18:46:02.7498576+02:00
 EventsListeners: 1
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false


Showing output from: docker version
Client:
 Version:           18.06.1-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        e68fc7a
 Built:             Tue Aug 21 17:21:34 2018
 OS/Arch:           windows/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.1-ce
  API version:      1.38 (minimum version 1.24)
  Go version:       go1.10.3
  Git commit:       e68fc7a
  Built:            Tue Aug 21 17:36:40 2018
  OS/Arch:          windows/amd64
  Experimental:     false

Showing output from: docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
1f61230597f8        Default Switch      ics                 local
17ab3aff5c12        nat                 nat                 local
9928093231a9        none                null                local

[xtremeperf]

This often happens when there are multiple networking adapters (Ethernet, Wi-Fi, etc.) present on the host. The priority of these adapters needs to be configured properly in order for the Windows networking stack to correctly choose gateway routes. You can fix this by setting your primary internet-connected networking adapter to have the lowest InterfaceMetric value. Try these Powershell commands from an elevated console:

Get-NetIPInterface -AddressFamily IPv4 | Sort-Object -Property InterfaceMetric -Descending

Again, you want your host's primary internet-connected network adapter to have the lowest InterfaceMetric value.

Use this command to make the change (example assumes primary adapter InterfaceAlias is 'Wi-Fi'):

Set-NetIPInterface -InterfaceAlias 'Wi-Fi' -InterfaceMetric 3

That should do it. If your host's primary network adapter is bridged because you have an External virtual switch setup in Hyper-V, then you will set the external virtual switch to have the lowest InterfaceMetric value.

You can verify your routing tables by using this command (the last line should show the primary adapter's gateway address along with it's ifMetric value):

Get-NetRoute -AddressFamily IPv4

I hope this helps!

[ghost]

@mattleibow I seem to have a closely related problem. (#2754)
Can you do a
docker exec -ti FULLNAME_OF_THE_CONTAINER ipconfig /all and check that you have an interface with an ip in 172.x.x.x ?
I tried @xtremeperf suggestion but it did not work.

[mattleibow]

@xtremeperf, thanks for getting back to me, but it does not appear to help.

ifIndex InterfaceAlias                  AddressFamily NlMtu(Bytes) InterfaceMetric Dhcp     ConnectionState PolicyStore
------- --------------                  ------------- ------------ --------------- ----     --------------- -----------
30      vEthernet (Default Switch)      IPv4                  1500            5000 Disabled Connected       ActiveStore
52      vEthernet (nat)                 IPv4                  1500            5000 Disabled Connected       ActiveStore
1       Loopback Pseudo-Interface 1     IPv4            4294967295              75 Disabled Connected       ActiveStore
4       Bluetooth Network Connection    IPv4                  1500              65 Enabled  Disconnected    ActiveStore
11      Local Area Connection* 10       IPv4                  1500              25 Enabled  Disconnected    ActiveStore
19      Local Area Connection* 9        IPv4                  1500              25 Enabled  Disconnected    ActiveStore
16      Wi-Fi                           IPv4                  1500               5 Enabled  Connected       ActiveStore
3       Ethernet 3                      IPv4                  1400                 Disabled Disconnected    ActiveStore

These are my network interfaces on the container:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : 25c6af185ddc
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-CD-4B-37
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::94af:e8d2:7eff:d63d%4(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.21.248.88(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 172.21.240.1
   DHCPv6 IAID . . . . . . . . . . . : 67114333
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-5B-72-5A-00-15-5D-CD-4B-37
   DNS Servers . . . . . . . . . . . : 172.21.240.1
                                       10.50.10.50
   NetBIOS over Tcpip. . . . . . . . : Disabled

These are the network interfaces on my host machine

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Silver-Star
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : PANGP Virtual Ethernet Adapter #2
   Physical Address. . . . . . . . . : 02-50-41-00-00-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Marvell AVASTAR Wireless-AC Network Controller
   Physical Address. . . . . . . . . : C4-9D-ED-2C-6B-E9
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::fce6:ae80:f827:6468%16(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.43.14(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, October 19, 2018 12:49:29 PM
   Lease Expires . . . . . . . . . . : Friday, October 19, 2018 1:49:29 PM
   Default Gateway . . . . . . . . . : 192.168.43.1
   DHCP Server . . . . . . . . . . . : 192.168.43.1
   DHCPv6 IAID . . . . . . . . . . . : 247766509
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-58-E5-48-58-82-A8-92-74-B5
   DNS Servers . . . . . . . . . . . : 192.168.43.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : C6-9D-ED-2C-6A-E8
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 10:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
   Physical Address. . . . . . . . . : C6-9D-ED-2C-6F-E8
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : C4-9D-ED-2C-6B-EA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter vEthernet (Default Switch):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 44-15-90-BF-BA-DE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a84d:576d:f66c:93e%30(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.17.146.193(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 503321949
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-58-E5-48-58-82-A8-92-74-B5
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter vEthernet (nat):

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
   Physical Address. . . . . . . . . : 00-15-5D-CD-4C-E9
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::bd6e:8327:e05d:fc9d%52(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.21.240.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 872420701
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-58-E5-48-58-82-A8-92-74-B5
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

[ghost]

I got my problems solved by running 18.06.1-ce on both Linux (Ubuntu/Debian) and Windows (server 1803) on physical servers. For Windows, you have to compile 18.06.1-ce yourself.

[ronybarbosa]

I am having the same issue here. Any other suggestion of fix? I tried the @xtremeperf solution without success.

[Bhlowe]

I am having the same problem. My lan InterfaceMetric is the lowest number. I can't ping or nslookup. Running latest docker.
Easiest way to reproduce is:

docker run microsoft/windowsservercore powershell nslookup bing.com # Returns DNS request timed out

PS C:> ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : 1637d6c27125
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2
Physical Address. . . . . . . . . : 00-15-5D-84-84-02
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::f976:1d53:9791:fc7b%5(Preferred)
IPv4 Address. . . . . . . . . . . : 172.28.10.218(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.28.0.1
DHCPv6 IAID . . . . . . . . . . . : 83891549
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-10-78-3B-00-15-5D-84-84-02
DNS Servers . . . . . . . . . . . : 172.28.0.1
192.168.0.1
8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Disabled

Attempt to ping virtual "router" fails:
PS C:> ping 172.28.0.1

Pinging 172.28.0.1 with 32 bytes of data:
Reply from 172.28.10.218: Destination host unreachable.

[andrewdmoreno]

@mattleibow Were you ever able to resolve your problem? Sadly, I am experiencing this as well.

[poke30744]

I had the same issue on my laptop. After I disabled the unused Ethernet adapter the issue disappeared.

[mrhockeymonkey]

Same again here. I am running slightly different versions from the initial comment:

• Windows Version: 10.0.17763.107 (LTSB 2019)
• Docker for Windows Version: 18.09.2

have tried suggestions from @xtremeperf but no success. has anyone found another solution/workaround?

[mrhockeymonkey]

So it turns out in my case that ping doesn't work but I can actually hit the API's I need. I should really have checked this first but i assumed no ping == no network. Is it possible that only ICMP traffic is the issue here?

Also on reading up on the topic I found this page from Microsoft that claims; for an overlay network that "Container to External" connectivity is "Not directly supported - requires second container endpoint attached to NAT network". (See table about half way down)

Perhaps giving the container another endpoint using one of the other driver options will fix this issue but I haven't been able to test this yet.

[MythreyaK]

I have the same issue.

Trying to reach the internet with the container mcr.microsoft.com/windows/nanoserver:1809 fails. Trying to ping 8.8.8.8 works with a response, but ping to google.com fails. Also, ping to the 'router' fails with a Request times out error.

System Info:

• Windows: Version 1809, Build 10.0.17763.316
• Docker Version: 18.09.2 CE (Latest version in my channel)
• Docker Diagnostic ID: B81956F0-D115-4F60-91A3-AB8D6A5C20C1/20190318224312

Other Info

Host IP Info (Click to expand)

Windows IP Configuration

    Host Name . . . . . . . . . . . . : Mythreya-PC
    Primary Dns Suffix  . . . . . . . : 
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : Mechyd.ad

    Ethernet adapter TunnelBear:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix  . : 
    Description . . . . . . . . . . . : TunnelBear Adapter V9
    Physical Address. . . . . . . . . : 00-FF-1F-EF-D1-DC
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter Ethernet:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix  . : TechMahindra.com
    Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
    Physical Address. . . . . . . . . : 3C-A8-2A-AE-49-D8
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter Wi-Fi:

    Connection-specific DNS Suffix  . : Mechyd.ad
    Description . . . . . . . . . . . : Realtek RTL8723BE 802.11 bgn Wi-Fi Adapter
    Physical Address. . . . . . . . . : D8-5D-E2-62-E9-4B
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::a519:2d9f:3bef:9e79%22(Preferred) 
    IPv4 Address. . . . . . . . . . . : 10.59.100.154(Preferred) 
    Subnet Mask . . . . . . . . . . . : 255.255.240.0
    Lease Obtained. . . . . . . . . . : 18 March 2019 19:13:09
    Lease Expires . . . . . . . . . . : 19 March 2019 20:45:16
    Default Gateway . . . . . . . . . : 10.59.96.1
    DHCP Server . . . . . . . . . . . : 10.59.121.105
    DHCPv6 IAID . . . . . . . . . . . : 165174754
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-CD-CC-98-3C-A8-2A-AE-49-D8
    DNS Servers . . . . . . . . . . . : 10.59.121.100
                                        10.59.121.200
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter vEthernet (VirtualBox Host-Only Network):

    Connection-specific DNS Suffix  . : 
    Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #4
    Physical Address. . . . . . . . . : 0A-00-27-00-00-11
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::d84d:cac8:2d4d:2a0c%33(Preferred) 
    IPv4 Address. . . . . . . . . . . : 192.168.30.1(Preferred) 
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 
    DHCPv6 IAID . . . . . . . . . . . : 554303527
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-CD-CC-98-3C-A8-2A-AE-49-D8
    DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                        fec0:0:0:ffff::2%1
                                        fec0:0:0:ffff::3%1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Wireless LAN adapter Local Area Connection* 1:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix  . : 
    Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
    Physical Address. . . . . . . . . : DA-5D-E2-62-E9-4B
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Wireless LAN adapter WiFi-Direct:

    Connection-specific DNS Suffix  . : 
    Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
    Physical Address. . . . . . . . . : D8-5D-E2-62-E9-4B
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::1c0b:da09:ee5e:eb2c%26(Preferred) 
    IPv4 Address. . . . . . . . . . . : 192.168.137.1(Preferred) 
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 
    DHCPv6 IAID . . . . . . . . . . . : 416832994
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-CD-CC-98-3C-A8-2A-AE-49-D8
    DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                        fec0:0:0:ffff::2%1
                                        fec0:0:0:ffff::3%1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Bluetooth Network Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix  . : 
    Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
    Physical Address. . . . . . . . . : D8-5D-E2-62-E9-4C
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter vEthernet (Default Switch):

    Connection-specific DNS Suffix  . : 
    Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
    Physical Address. . . . . . . . . : 86-15-70-16-CF-A1
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::dab:a4e2:4ab2:32bf%16(Preferred) 
    IPv4 Address. . . . . . . . . . . : 172.17.192.17(Preferred) 
    Subnet Mask . . . . . . . . . . . : 255.255.255.240
    Default Gateway . . . . . . . . . : 
    DHCPv6 IAID . . . . . . . . . . . : 277222768
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-CD-CC-98-3C-A8-2A-AE-49-D8
    DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                        fec0:0:0:ffff::2%1
                                        fec0:0:0:ffff::3%1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter vEthernet (nat):

    Connection-specific DNS Suffix  . : 
    Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
    Physical Address. . . . . . . . . : 00-15-5D-68-2C-B4
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::651a:5b:9990:655d%51(Preferred) 
    IPv4 Address. . . . . . . . . . . : 172.29.112.1(Preferred) 
    Subnet Mask . . . . . . . . . . . : 255.255.240.0
    Default Gateway . . . . . . . . . : 
    DHCPv6 IAID . . . . . . . . . . . : 855643485
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-CD-CC-98-3C-A8-2A-AE-49-D8
    DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                        fec0:0:0:ffff::2%1
                                        fec0:0:0:ffff::3%1
    NetBIOS over Tcpip. . . . . . . . : Enabled

Host Route Info (Click to expand)

    ===========================================================================
    Interface List
      4...3c a8 2a ae 49 d8 .............. Realtek PCIe FE Family Controller
     22...d8 5d e2 62 e9 4b .............. Realtek RTL8723BE 802.11 bgn Wi-Fi Adapter
     33...0a 00 27 00 00 11 .............. Hyper-V Virtual Ethernet Adapter #4
      3...da 5d e2 62 e9 4b .............. Microsoft Wi-Fi Direct Virtual Adapter
     26...d8 5d e2 62 e9 4b .............. Microsoft Wi-Fi Direct Virtual Adapter #2
     12...d8 5d e2 62 e9 4c .............. Bluetooth Device (Personal Area Network)
      1................................... Software Loopback Interface 1
     16...86 15 70 16 cf a1 .............. Hyper-V Virtual Ethernet Adapter
     51...00 15 5d 68 2c b4 .............. Hyper-V Virtual Ethernet Adapter #3
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0       10.59.96.1    10.59.100.154     20
           10.59.96.0    255.255.240.0         On-link     10.59.100.154    276
        10.59.100.154  255.255.255.255         On-link     10.59.100.154    276
        10.59.111.255  255.255.255.255         On-link     10.59.100.154    276
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        172.17.192.16  255.255.255.240         On-link     172.17.192.17   5256
        172.17.192.17  255.255.255.255         On-link     172.17.192.17   5256
        172.17.192.31  255.255.255.255         On-link     172.17.192.17   5256
         172.29.112.0    255.255.240.0         On-link      172.29.112.1   5256
         172.29.112.1  255.255.255.255         On-link      172.29.112.1   5256
       172.29.127.255  255.255.255.255         On-link      172.29.112.1   5256
         192.168.30.0    255.255.255.0         On-link      192.168.30.1    281
         192.168.30.1  255.255.255.255         On-link      192.168.30.1    281
       192.168.30.255  255.255.255.255         On-link      192.168.30.1    281
        192.168.137.0    255.255.255.0         On-link     192.168.137.1    311
        192.168.137.1  255.255.255.255         On-link     192.168.137.1    311
      192.168.137.255  255.255.255.255         On-link     192.168.137.1    311
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
            224.0.0.0        240.0.0.0         On-link     10.59.100.154    276
            224.0.0.0        240.0.0.0         On-link     172.17.192.17   5256
            224.0.0.0        240.0.0.0         On-link     192.168.137.1    311
            224.0.0.0        240.0.0.0         On-link      172.29.112.1   5256
            224.0.0.0        240.0.0.0         On-link      192.168.30.1    281
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      255.255.255.255  255.255.255.255         On-link     10.59.100.154    276
      255.255.255.255  255.255.255.255         On-link     172.17.192.17   5256
      255.255.255.255  255.255.255.255         On-link     192.168.137.1    311
      255.255.255.255  255.255.255.255         On-link      172.29.112.1   5256
      255.255.255.255  255.255.255.255         On-link      192.168.30.1    281
    ===========================================================================
    Persistent Routes:
      None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination             Gateway
      1    331 ::1/128                         On-link
     22    276 fe80::/64                       On-link
     16   5256 fe80::/64                       On-link
     26    311 fe80::/64                       On-link
     51   5256 fe80::/64                       On-link
     33    281 fe80::/64                       On-link
     16   5256 fe80::dab:a4e2:4ab2:32bf/128    On-link
     26    311 fe80::1c0b:da09:ee5e:eb2c/128   On-link
     51   5256 fe80::651a:5b:9990:655d/128     On-link
     22    276 fe80::a519:2d9f:3bef:9e79/128   On-link
     33    281 fe80::d84d:cac8:2d4d:2a0c/128   On-link
      1    331 ff00::/8                        On-link
     22    276 ff00::/8                        On-link
     16   5256 ff00::/8                        On-link
     26    311 ff00::/8                        On-link
     51   5256 ff00::/8                        On-link
     33    281 ff00::/8                        On-link
    ===========================================================================
    Persistent Routes:
      None

Container IP Info (Click to expand)

Windows IP Configuration
    Host Name . . . . . . . . . . . . : 51bdbf6a9cc9
    Primary Dns Suffix  . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Ethernet:

    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
    Physical Address. . . . . . . . . : 00-15-5D-68-25-59
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::820:641b:e723:be68%4(Preferred)
    IPv4 Address. . . . . . . . . . . : 172.29.112.169(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.240.0
    Default Gateway . . . . . . . . . : 172.29.112.1
    DHCPv6 IAID . . . . . . . . . . . : 67114333
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-21-88-16-00-15-5D-68-25-59
    DNS Servers . . . . . . . . . . . : 172.29.112.1
                                        172.18.10.1
    NetBIOS over Tcpip. . . . . . . . : Disabled

[MythreyaK]

I noticed that passing the --dns 8.8.8.8 to the cli while starting the containers fixed internet connectivity. But this adds the problem of not bring able to resolve local network (containers etc...)

Discussion here in this issue

[andreujuanc]

I spend hours with different fixes. And doing
Set-NetIPInterface -InterfaceAlias 'Wi-Fi' -InterfaceMetric 3
Actually did the trick.
Can we get this into the homepage or something? It's really REALLY important that it gets visibility.

EDIT: Will test if this still works if I disconnect wifi and connect to an ethernet network.

[MythreyaK]

@andreujuanc I think you must ensure DockerNAT has a higher metric (in the numerical sense) when compared to WiFi so that containers can resolve each other.

[andreujuanc]

I understand that, but if i do that then I cant reach the "outside world".

[andreujuanc]

The fact that it works on linux containers (on windows) and not on windows containers shows, clearly, that there is a serious bug going on. I say this without trying to undermine the severity and complexity of it. I totally understand how difficult is to implement all of this.

[MythreyaK]

@andreujuanc Temporary fix, works for me; you could try this, docker run --rm -it --dns=<container-network> --dns=8.8.8.8 <image>. Allows me to ping containers and also access Internet, without having to mess with Metrics that the host uses. Gives you something like so,

You could also add your local network's DNS server to interact with local machines (You'll probably need to expose the container over a bridge to give it an IP on your local network).

[Bhlowe]

@MythreyaK Can you see if the following works:

docker run --dns=172.17.48.1 --dns=8.8.8.8 microsoft/windowsservercore powershell nslookup bing.com

I still get:

*** UnKnown can't find bing.com: Server failed
Server: UnKnown
Address: 172.17.48.1

my ipconfig shows the vEthernet (nat) 2 as having an IP address of 172.17.48.1

replacing nslookup with ping doesn't work either.. Adding --rm didn't help either.

[andreujuanc]

I tried setting dns via --dns parameter and didn't work.
I guess there are more than one issue here.

[MythreyaK]

@Bhlowe I've tried that, and as you said, nslookup fails. I don't think that server is set up to resolve internet addresses, but only container hostnames. Perhaps, to resolve internet facing servers, you must specify one of the other DNS servers. For example;

To check internet connectivity, try ping google.com. Also, more info on the network adapters you have on your host and the ones connected to the container would help.

@andreujuanc I'm sorry that didn't work out! Could you post the network details of the host and the container?

[Bhlowe]

Thanks for trying @MythreyaK . I used nslookup as the simplest command I could think of to demonstrate the problem. ping doesn't work either. I still don't have a sense of whether this affects everyone or just some unfortunate subset of users. I'm on windows 10 pre-release. Haven't done a clean install in a long time, so who knows if an old VirtualBox, wireshark or VPN driver is causing problems. But I've tried disabling pretty much everything I can think of.

[andreujuanc]

@MythreyaK here you go, if you need anything else let me know.
PD: please note that I got it working after changing InterfaceMetric to a lower value.

NETWORK ID          NAME                DRIVER              SCOPE
55548d0468e6        nat                 nat                 local
7ef903c4adb2        none                null                local

    "Name": "nat",
    "Id": "55548d0468e6ff1f825359d18c42e5d55103cb1ec083b04b122319e96c5b57bf",
    "Created": "2019-04-15T12:42:16.5206701+02:00",
    "Scope": "local",
    "Driver": "nat",
    "EnableIPv6": false,
    "IPAM": {
        "Driver": "windows",
        "Options": null,
        "Config": [
            {
                "Subnet": "172.20.192.0/20",
                "Gateway": "172.20.192.1"
            }
        ]
    },
    "Internal": false,
    "Attachable": false,
    "Ingress": false,
    "ConfigFrom": {
        "Network": ""
    },
    ....

IPv4 Address. . . . . . . . . . . : 172.20.193.87
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 172.20.192.1

[OnamChilwan]

@andrewhsu I am also experiencing this same issue has anybody managed to find a fix? I have a windows container and attempting to do a ping www.google.com but this fails (same as above, could not resolve address). Here is a closer look at my NAT:

[
    {
        "Name": "nat",
        "Id": "2113cd41fe0351c6ac3abbcfa6268fa61f6766287fb9e2cbb51a52e04fb307e4",
        "Created": "2019-04-18T17:19:39.7002274+01:00",
        "Scope": "local",
        "Driver": "nat",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "windows",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.29.16.0/20",
                    "Gateway": "172.29.16.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {
            "com.docker.network.windowsshim.hnsid": "c572f515-d38f-4cfa-9795-43e2a5ba3128",
            "com.docker.network.windowsshim.networkname": "nat"
        },
        "Labels": {}
    }
]

[andreujuanc]

Update:
In my coworker's laptop we encounter the same problem now.
Changing interface metric did not do the trick. Setting manual dns did.
Maybe it's a combination of those two things?
I will try to set the metric to a higher value like it was before and see how it behaves.

Actually, the fix is by changing the metric to a value lower than ethernet, in my case to the lowest in the system. That fixed it for me and my co-worker.

Cheers

[OnamChilwan]

Actually, the fix is by changing the metric to a value lower than ethernet, in my case to the lowest in the system. That fixed it for me and my co-worker.

@andreujuanc what did you change? I have multiple connections but unsure which one docker uses..

Thanks.

[andreujuanc]

I'm not expert on this, but I believe it's trying to go out through one by one by metric ascending, which in my case was (after fix) Wifi, Ethernet, Some local area connections, vEthernets, etc.

By seeing your screenshot, try to give Wifi a lower number than Ethernet. All the virtual adapter must have higher number.
Note, I don't know if this will break local routing.

[crossan007]

I'll share something here that tripped me up, but which is perfectly logical given the container isolation.

For cases when the Docker host machine is a DNS server, 127.0.0.1 (the DNS server's IP address derived from the Docker host's lowest metric network interface) does not work within the Windows container.

I'm running "Acrilyc DNS Proxy" on my Docker host so that I can manipulate my host file to include wildcard A records (wildcard records are not supported by editing C:\windows\system32\drivers\etc\hosts directly).

I'm guessing that because loopback within the container context is not the same as loopback on the docker host, my DNS resolutions are failing to reach the Acrilyc DNS instance running on my docker host.

[draggeta]

I've the same issue here and it turns out that it is caused by a VPN client on my side (Palo Alto GlobalProtect). Turns out that the interface has no metric. When I'm connected via VPN, everything works fine. When I disconnect the VPN, no DNS resolution is possible in any way, shape or form.

The weird thing is that it has two DNS servers in /etc/resolv.conf. One is the default gateway and one the DNS server of the PANGP interface. Both of them don't resolve.

However, disabling the PANGP interface, makes it select DNS servers from other interfaces and resolution works again. Even on the nat ip.

[docker-robott]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale comment.
Stale issues will be closed after an additional 30d of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle stale

[panostzemis]

/remove-lifecycle stale

[panostzemis]

I have exactly the same problem and i cant find any solution on that.
I am using Windows 10 with Docker Desktop with Windows Containers.
I tried with linux containers and it was ok.. I dont know what's going on.
I did the

"Set-NetIPInterface -InterfaceAlias 'Wi-Fi' -InterfaceMetric 3"

and disabled all not used networks ( not the HyperV )
but still having no connection!
Any comments or news about this problem?

[RaceFPV]

I hit this issue as well and what solved it for me was first switching to linux containers and then back to windows containers (windows containers by default does not create a proper NAT interface). After that I went into hyper-v manager and bound the 'nat' virtual network interface to an actual interface on my machine, and then I was able to properly connect to servers. It seems that the way docker is creating the nat interface by default does not allow it to pass through to the correct interface (and the fact that windows container option doesnt create it at all).

[watfordgnf]

This is definitely not closed nor is it resolved (in all cases) by the Interface Metric update.

[bobby-richard]

For those still struggling with this, Symantec Endpoint Protection was the source of the problem for me. With it installed, none of my Windows containers could access the internet, but Linux containers could.

[panostzemis]

@bobby-richard
Thank you for your reply. I also have Symantec Protection which is mandatory from my organization.
I cannot uninstall it but after research I believe that;s the reason of no internet connection.

[oleh-zheleznyak]

I have the same issue.
No anti-malware software is installed.
Setting DNS server with --dns parameter when running docker container did not help.
Lowering the InterfaceMetric did not help either Set-NetIPInterface -InterfaceAlias 'Wi-Fi' -InterfaceMetric 3.
Does anyone else have some other workaround?
Thanks!

[awakecoding]

@bobby-richard @panostzemis for the record, removing the Symantec Endpoint Protection (SEP) 'Application and Device Control' (ADC) makes it work + adding %ProgramData%/docker to the scan exclusion list. https://mdaslam.wordpress.com/2017/05/23/docker-container-windows-2016-server-with-sep-symantec-endpoint-protection/

[bstordrup]

I hade the same issue with a local docker build running on Docker using Windows Containers. The problem occured every time I was connected to Cisco AnyConnect because it ads a lot of corporate routings.

When disconnected from the AnyConnect, there were no internet access issues.

I think the problem is the IP assigned to the Default switch in Hyper-V when Windows reboots - it is dynamically assigned, so it may end up in a situation where it collides with the routes from AnyConnect.

Microsoft seems not see this as a problem though. I think they should stick to an IP for the Default switch and only update it if you request an update for it somewhere in a setting.

[badrulhussain]

Hi has anyone came across this error on .net core 3.1 building dockerfile.

C:\Program Files\dotnet\sdk\3.1.300\NuGet.targets(128,5): error : Unable to load the service index for source https://api.nuget.org/v3/index.json. [C:\app\MvcApp.csproj]

But I can access the URL https://api.nuget.org/v3/index.json on my browser.
And I took off my proxy server on IE LAN settings and reset docker on services.msc?

[docker-robott]

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked