docker/for-win

Docker HyperV vEthernet (DockerNAT) is Un-identified Network (Public Network) in tray

Closed this issue · 27 comments

Expected behavior

Hide the tray icon of vEthernet (DockerNAT)

Actual behavior

The system tray always shows vEthernet (DockerNAT) is Un-identified Network (Public Network)

Information

  • System: Microsoft Windows 10 Professional 10.0.14393
  • Docker: Docker 1.12.5
  • A laptop with Wi-Fi

Steps to reproduce the behavior

Method 1

  1. Install Docker 1.12.5 (Hyper V version of Windows) or other version.
  2. Unplug all network interfaces, close Wi-Fi, etc.
  3. The tray icon of vEthernet (DockerNAT) will show, and is Un-identified Network.

Method 2

  1. Install Docker 1.12.5 (Hyper V version of Windows) or other version.
  2. Unplug all network interfaces, connect Wi-Fi.
  3. Uninstall Wi-Fi driver.
  4. Reboot and install Wi-Fi driver, connect Wi-Fi.
  5. The tray icon of vEthernet (DockerNAT) will always show, and is Un-identified Network. We can't see Wi-Fi status at all.

Thinking of how to fix

Add the key "*NdisDeviceType" with a DWORD value of 1 to the vEthernet (DockerNAT) adapter in the registry.

  1. Find Hyper-V Virtual Ethernet Adapter in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\*

  2. Check NETSETUPPKEY_Interface_IfAliasBase in NetSetupProperties, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\????\NetSetupProperties: check if NETSETUPPKEY_Interface_IfAliasBase is vEthernet (DockerNAT).

  3. Add the key "*NdisDeviceType" with a DWORD value of 1 to this Ethernet Adapter to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\????

I've tested it successfully; please consider improving it.
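The three registry steps above as a script, added here as an example and not code from the issue author or Docker. It assumes the adapter is matched through the NetCfgInstanceId value against Get-NetAdapter's InterfaceGuid rather than through NetSetupProperties, and it uses the .NET registry API because PowerShell's registry cmdlets can treat the leading * in the value name as a wildcard.

```powershell
# Added example: report, and with -Apply set, *NdisDeviceType for one adapter.
# Run from an elevated PowerShell prompt.
param(
    [string]$AdapterName = 'vEthernet (DockerNAT)',   # alias from the issue
    [switch]$Apply                                    # without -Apply, report only
)
$classPath = 'SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}'
$valueName = '*NdisDeviceType'

# Assumption: identify the class subkey by interface GUID instead of the alias string.
$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop
$class   = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($classPath)

$match = $null
foreach ($name in $class.GetSubKeyNames()) {
    if ($name -notmatch '^\d{4}$') { continue }       # only the numbered adapter subkeys
    $sub = $class.OpenSubKey($name, $Apply.IsPresent) # writable only when applying
    if ($sub.GetValue('NetCfgInstanceId') -eq $adapter.InterfaceGuid) { $match = $sub; break }
    $sub.Close()
}
if (-not $match) { throw "No class subkey found for adapter '$AdapterName'" }

$current = $match.GetValue($valueName)                # $null when the value is absent
[pscustomobject]@{ Adapter = $AdapterName; Key = $match.Name; Current = $current }

if ($Apply -and $current -ne 1) {
    # 1 = NDIS_DEVICE_TYPE_ENDPOINT: Windows ignores the adapter when identifying
    # networks, so it is hidden from network identification, not given a category.
    $match.SetValue($valueName, 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    Write-Output "Set $valueName = 1; disable and re-enable the adapter (or reboot) to apply."
}
$match.Close()
$class.Close()
```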

Hi, @vowstar, Thanks for the suggestion. Out of curiosity, why do you want this to be an identified network?

Hi @vowstar, I'm going to close this issue as it's not something we consider changing. Please feel free to reopen with more information if you feel it's important for you.

Identified networks can be assigned a NetworkCategory of Public, Private or Domain. Firewall rules are often separated in Public, Private or Domain. By making the network identified, one can assign it a network category, to say private, so that private firewall rules apply to it. If you leave it as unidentified, then giving it a network category gives it to all unidentified networks (and not all unidentified networks should be considered private).

Here's how you can make Docker's network connection identified:

Add a new IP address to the interface (advanced settings) of 10.0.75.254. (used this because it's the end of the subnet, but not the broadcast address).

Add a new default gateway of 10.0.75.254.

Click ok, and finish. Windows will now identify the network using the gateway IP and assign it an automatically generated name like Network or Network 2... etc.

Now you can assign this network connection a profile by doing:

Set-NetConnectionProfile -Name 'Network 2' -NetworkCategory Private

This only applies to IPv4 and not IPv6, because IPv6 on Windows doesn't seem to have any docs, and I don't know where to proceed here. Because the IPv6 is still enabled on the interface, there will still be an Unidentified network for the IPv6 connection. moby/moby#13481 (comment)

This is definitely a feature I would want added. I can't think of a reason why we wouldn't want the network identified

+1 from me,

Allows Docker-Windows with Hyper-V to work with shared drives properly on the local network. I lost 3 days trying to identify the root cause for shared drives not working; even after applying a number of firewall rules, the only way I could get this to work was to change my local security policy for unidentified networks without fully disabling my firewall.

Happy to hear how to correctly apply a firewall rule for AVG to allow Docker with Hyper-V to see shared drives without adjusting my local security policy.

So it's possible to change MobyLinux.ps1 script at C:\Program Files\Docker\Docker\resources to fix the network connection profile of the virtual interface to "private" by calling Set-NetConnectionProfile

See https://gist.github.com/biggyspender/8b5b2ed9ff63de31045d41304e3915b3

Another vote for this. We're operating under an incredibly frustrating lock down through Symantec cloud protection and unable to locally alter firewall rules.

Using the Set-NetConnectionProfile allows communication between host and guest and removes the firewall error for file mounts, but it seems to not persist between reboots. Making it a "private" network on creation would be vastly preferable to hacking around with UAC/PS to try to automate the network every time the docker service starts up.

Edit: As a short-term solution, @biggyspender's solution does work! Thanks!

+1 for this change.

I've also struggled setting the shared drives feature on Windows due to this issue.

@dgageot what's the reason for this not being considered to be changed?

+1 Every time I reboot I have to manually set connection profile to Private as it is reverting to Public on reboots and Docker upgrades.

+1
Please

This is what helped me, inspired by #367 (comment)

I could not run the original solution posted because it did not work for DockerNAT with below error -

Set-NetConnectionProfile : No MSFT_NetConnectionProfile objects found with property 'Name' equal to 'DockerNAT'.

When I ran just NetConnectionProfile, I found that multiple network connections have the name Unidentified network, and that was not helping.

From the list, I figured out InterfaceIndex for that network and made it private with the below command.

Set-NetConnectionProfile -InterfaceIndex xx -NetworkCategory Private

Note: These commands work only with PowerShell and not just command prompt.

Please consider reopening this.

@simonferquel @dgageot To your original question of why:

After installing Docker I get the message about "a firewall blocking file sharing". This is because the Docker vNAT network is set to be a Public network by default, and my firewall rules block SMB over public networks. Those rules are configured by our domain administrator - I can't change them. Many other people using Docker in a business environment will be in a similar situation.

I can make the error go away by running the Set-NetConnectionProfile command as pointed out by others in this thread. But because the network is unidentified, that fix doesn't stick through a reboot, or through installation of a new Docker version.

I can do the workaround suggested by @biggyspender or @CMCDragonkai. But the fact that most folks in a corporate Windows environment will have to do the same workaround suggests that this issue should be kept open, even if it's low priority.

Why is this still an issue today?

I can't evangelize Docker if it doesn't work on my corporate windows 10 machine, and if this is the stance for the entry level component, why would I trust you if we went to Enterprise.

@dgageot I think this issue should reopen?

This issue seems to be more severe now, at least for me. It looks like the latest version of Docker for Windows now sets the Hyper-V DockerNAT switch connection type to "Private network" instead of "Internal network". That means it no longer appears to the host OS as an adapter, so you can't do the PowerShell workarounds described above.

After fiddling with it a little, the only way I found to make it work was to manually edit my MobyLinux.ps1, which obviously isn't desirable and isn't going to scale across my organization.

I still use my script on v2 after each update of Docker. (Docker restart required)

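# Run from an elevated PowerShell prompt: this patches Docker's MobyLinux.ps1 in place.
[IO.Directory]::SetCurrentDirectory("C:\Program Files\Docker\Docker\resources")
$script = [IO.File]::ReadAllText("MobyLinux.ps1")
# Insert a Set-Switch-Private helper and call it at the top of Start-MobyLinuxVM.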
$script = ($script -replace '(?ms)^function Start-MobyLinuxVM {\r?\n    Write-Output "[^"]+"', @'
function Set-Switch-Private {
    Import-Module NetConnection
    Invoke-Expression -Command 'Set-NetConnectionProfile -interfacealias "vEthernet ($($SwitchName))" -NetworkCategory Private'
    Write-Output "Set interface 'vEthernet ($SwitchName)' profile to Private"
}

function Start-MobyLinuxVM {
    Set-Switch-Private
    Write-Output "Starting VM $VmName..."
'@)
[IO.File]::WriteAllText("MobyLinux.ps1", $script)

Identified networks can be assigned a NetworkCategory of Public, Private or Domain. Firewall rules are often separated in Public, Private or Domain. By making the network identified, one can assign it a network category, to say private, so that private firewall rules apply to it. If you leave it as unidentified, then giving it a network category gives it to all unidentified networks (and not all unidentified networks should be considered private).

Here's how you can make Docker's network connection identified:

Add a new IP address to the interface (advanced settings) of 10.0.75.254. (used this because it's the end of the subnet, but not the broadcast address).

Add a new default gateway of 10.0.75.254.

Click ok, and finish. Windows will now identify the network using the gateway IP and assign it an automatically generated name like Network or Network 2... etc.

Now you can assign this network connection a profile by doing:

Set-NetConnectionProfile -Name 'Network 2' -NetworkCategory Private

This only applies to IPv4 and not IPv6, because IPv6 on Windows doesn't seem to have any docs, and I don't know where to proceed here. Because the IPv6 is still enabled on the interface, there will still be an Unidentified network for the IPv6 connection. moby/moby#13481 (comment)

You are a life saver!
I had a connectivity issue, where the edgeAgent couldn't connect to the IoT Hub.
Setting the Default Gateway didn't identify the network, but fixed the connectivity issue.
Thanks! 😃

This continues to be an issue for those of us who:

  1. Are working on corporate machines which have disabled all inbound traffic from public networks.
  2. Are attempting to share drives with docker containers.

On Windows 10:

The proposed fix to add a gateway to the IPv4 protocol on the DockerNAT adapter didn't work for me. The Network and Sharing Center showed two networks for DockerNAT. One identified and one not. Running the PowerShell command to change the network category did not work. When I ran Get-NetConnectionProfile in Administrative mode it only listed the Unidentified Network. I suspect that these commands do not support multiple networks for the same Adapter. (I didn't even know that was possible.) I was able to change it by loading up gpedit.msc in Administrative mode. Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Network List Manager Policies showed the Network. Right clicking and selecting properties gave some control to change it to a Private network. Setting only the identified network for DockerNAT to private doesn't solve the problem and setting the unidentified network doesn't survive reboots.

To me this seems like a Windows issue. Since the Firewall rules are based on these "Public" and "Private" designations they need to be better documented so that developers can configure virtual adapters to be recognized as private. Since I can't figure out how to do that as a user of my machine I think it's an unreasonable expectation that the appropriate APIs exist to do this. If anybody from Microsoft is reading this we could really use an answer here.

We have the same issue in our corporate network when using GlobalProtect and Cisco VPN. Only setting the Virtual Switch to Private solves the issue with Shared Drives.

Suggestion:

The following settings should be added to Docker for Windows > Settings > Advanced alongside the other VM settings.

  • Virtual Switch allows the user to specify a custom Virtual Switch
  • Connection Type under Hyper-V Manager > Virtual Switch Manager > DockerNAT
    Options: External | Internal | Private

Please reopen as this has really eaten our time and has lost our trust to adopt docker for windows. It's not a sustainable solution to hack around in the MobyLinux.ps1 file just to get Docker Shared Drives working correctly.

Identified networks can be assigned a NetworkCategory of Public, Private or Domain. Firewall rules are often separated in Public, Private or Domain. By making the network identified, one can assign it a network category, to say private, so that private firewall rules apply to it. If you leave it as unidentified, then giving it a network category gives it to all unidentified networks (and not all unidentified networks should be considered private).

Here's how you can make Docker's network connection identified:

Add a new IP address to the interface (advanced settings) of 10.0.75.254. (used this because it's the end of the subnet, but not the broadcast address).

Add a new default gateway of 10.0.75.254.

Click ok, and finish. Windows will now identify the network using the gateway IP and assign it an automatically generated name like Network or Network 2... etc.

Now you can assign this network connection a profile by doing:

Set-NetConnectionProfile -Name 'Network 2' -NetworkCategory Private

This only applies to IPv4 and not IPv6, because IPv6 on Windows doesn't seem to have any docs, and I don't know where to proceed here. Because the IPv6 is still enabled on the interface, there will still be an Unidentified network for the IPv6 connection. moby/moby#13481 (comment)

Hi,

Apologies if I got you wrong but where are you suggesting to add the IP address and the default interface? I could not find a place to add in the Docker for windows

Do you mean change it here?

image

Why is this still an issue today?

I can't evangelize Docker if it doesn't work on my corporate windows 10 machine...

Same goes for me. I would love to teach my team to use docker, but this is really not an encouraging start.

I will try the biggyspender solution, but would prefer an official solution

FYI, I've just found out that instead of having to set a gateway for Windows to identify the network, we can also use the -interfacealias option.
I only use these 2 commands and they can set the network to private:

> Set-NetConnectionProfile -interfacealias "vEthernet (DockerNAT)" -NetworkCategory Private
> Set-NetConnectionProfile -interfacealias "vEthernet (Default Switch)" -NetworkCategory Private

Source: https://social.technet.microsoft.com/Forums/en-US/202f962e-30e3-4c62-9593-0087842ea6d5/change-to-private-windows-10-hyperv-vethernet-internal-network-set-to-public?forum=win10itpronetworking
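A report-first version of the per-adapter commands discussed in this thread, added here as an example and not code from any commenter or from Docker. It changes only the adapters named in the hypothetical `-InterfaceAlias` parameter, so the category of other unidentified networks is left alone, and it shows the Private firewall profile the adapter will fall under.

```powershell
# Added example: report, and with -Apply change, the category of named adapters only.
# Run from an elevated PowerShell prompt.
param(
    # Aliases quoted in the thread; adjust to the switches present on the host.
    [string[]]$InterfaceAlias = @('vEthernet (DockerNAT)', 'vEthernet (Default Switch)'),
    [switch]$Apply                                    # without -Apply, report only
)

$report = foreach ($alias in $InterfaceAlias) {
    $adapter = Get-NetAdapter -Name $alias -ErrorAction SilentlyContinue
    if (-not $adapter) {
        Write-Warning "Adapter '$alias' not found on this host"
        continue
    }
    # Several connections can share the name 'Unidentified network', so address
    # the adapter by interface index instead of by profile name.
    $profiles = @(Get-NetConnectionProfile -InterfaceIndex $adapter.ifIndex -ErrorAction SilentlyContinue)
    if ($profiles.Count -eq 0) {
        Write-Warning "Adapter '$alias' has no connection profile (status: $($adapter.Status))"
        continue
    }
    foreach ($p in $profiles) {
        $before = $p.NetworkCategory
        if ($Apply -and $before -eq 'Public') {
            Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Private
        }
        # Re-read the profile so the report shows what Windows actually stored.
        $after = (Get-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex |
                  Select-Object -First 1).NetworkCategory
        [pscustomobject]@{
            Alias = $alias; Index = $p.InterfaceIndex; Name = $p.Name
            Before = $before; After = $after
        }
    }
}
$report | Format-Table -AutoSize

# The Private firewall profile now governs these adapters: check what it permits.
Get-NetFirewallProfile -Name Private |
    Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
```

Commenters in this thread report the category reverting to Public after reboots and Docker upgrades, so the report is worth re-running after either.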

adnoh commented

It is a shame that this simple thing is not getting addressed or fixed! Nearly 3 years now! No update, no response, no information how to contribute - Pfui!

FDUZS commented

Same issue. For the two virtual switches "Default Switch" and "DockerNAT", which Docker creates by default, the connection type of both is set to Internal. Besides, for the Linux container "DockerDesktopVM", there is no IP address listed, and the command docker-machine ls displays nothing.

FDUZS commented

FYI, I've just found out that instead of having to set a gateway for Windows to identify the network, we can also use the -interfacealias option.
I only use these 2 commands and they can set the network to private:

> Set-NetConnectionProfile -interfacealias "vEthernet (DockerNAT)" -NetworkCategory Private
> Set-NetConnectionProfile -interfacealias "vEthernet (Default Switch)" -NetworkCategory Private

Source: https://social.technet.microsoft.com/Forums/en-US/202f962e-30e3-4c62-9593-0087842ea6d5/change-to-private-windows-10-hyperv-vethernet-internal-network-set-to-public?forum=win10itpronetworking

I've tried, but it doesn't seem to work here. The tray icon still shows "Un-identified Network".

Same issue here. It really makes it hard to preach about Docker to other people when stuff like this makes Docker hard to set up behind a corporate proxy.

To make things worse, the newer releases (2.0.0.3+) fully removed DockerNAT and don't provide any alternative (#5538) which makes docker completely unusable.
