Windows Server with Hyper-V
Virtual Machines running under Hyper-V in Windows Server unable to communicate with internet (using Internal Virtual Switch in RRAS with NAT) when SimpleWall is running.
Is this a feature, bug or untested issue?
I haven't tested this personally, but I assume this is expected - Simplewall is blocking traffic. It sounds like you need to allow the service that provides NAT or allow IP traffic as required. Turn on the packet log and see what shows up.
(Un)fortunately, there is no "RRAS" or other similar service appearing in the "Packets Log" panel.
Probably, due to the fact that RRAS seems to function completely outside the normal Windows networking kernel, SimpleWall "ignores" it by completely disabling it.
It doesn't make sense. For simplewall/WFP to break the connection, it must be filtering something. If the problem is a kernel driver, then the process would be the "SYSTEM" process. Dumping the WFP rules or changing the logging to show everything (or enabling learning mode) would be the diagnostic step for this.
If you can provide more details about the affected environment, someone might be able to reproduce or debug the issue further.
Host: Windows Server 2025 Hyper-V, RRAS installed and used for Routing and NAT only. All Guests in Hyper-V use a single network interface "Internal". Windows Firewall always stays on. All IPs static.
Guest: Any OS (Windows, Linux).
The configuration works flawlessly when SimpleWall is off.
When turned on, the Guests can access only the Host.
In both cases the Host behaves as expected. The issue is that no Guest is able to propagate traffic beyond the Host NAT. All Guests are able to communicate, however, with each other. They are not even able to ping the external interface of the Host.
Tried enabling all "Services" and "UWP apps" Rules. No resolution. "Packets log" is always on and no dropped or blocked packets are ever recorded.
I attempted to test this and could not reproduce the environment.
Windows 2025 Server. Hyper-V Role installed. RAS Role installed. VM-Internal Switch created. Static IP assigned. Enabled RRAS as NAT only. 1 Guest VM created, installed Windows 11 24H2.
Problem - I could never get RRAS to perform NAT over Hyper-V vSwitches.
I can use the new-netnat to get working connectivity, but this was not your environment. With NetNat, SimpleWall was installed and enabled with some defaults - no issues with NAT in this configuration. Enabling or Disabling the WFP extension on the switches didn't seem to make any difference.
I thought this would just take 30 minutes, but ended up taking about 2 hours. If you can provide more steps to reproduce the problem, maybe it can be investigated, but some quick Google searches seem to indicate no one is using RRAS for NAT for Hyper-V unless it is a dedicated Guest VM acting as a router and you expose the internal and external connections on that VM.
HOST
- Windows 2025 Server.
- Hyper-V Role installed.
- "Remote Access" Role installed (2 of 3 installed). During this role setup choose custom configuration: "DirectAccess and VPN (RAS)" and "Routing". (Routing is required.)
- After starting the RRAS service of Host in the RRAS mmc, under properties of this server disable the options "IPv6 router" and "IPv4 and IPv6 remote access server".
- In the IPv6 tab disable "IPv6 forwarding" and "Default Route Advertisement".
- VM-Internal Switch created. Static IP assigned. Only IPv4 protocol enabled. (All others disabled.) The same applied on the external interface of this Host. (Static address used and all other except IPv4 protocols removed.)
- On the RRAS mmc, on the "General" node of IPv4 add NAT as "routing protocol".
- On this NAT node add the "Internal Virtual Switch" as "Private". Add the external host interface as "Public" with NAT enabled.
GUEST
- Guest VM created, installed Windows 11 24H2.
- Use "Internal Virtual Switch" as the external network interface of this guest.
- Static IP assigned from within the IP address space of the switch, as defined previously on the Host. Default Gateway set to the internal IP address of the server. Only IPv4 protocol enabled. (All others disabled.)
The issue for SW seems to be related to both RRAS and ICS services, as discovered by another user already (issue #691). When SW is enabled, it blocks routing from the internal to the external interfaces.
The same exact issue also concerns Virtual Box, under the same conditions.
Might it be the case that both these services (RRAS and ICS) use older APIs?
You can use System Informer's Firewall tab (Rule and Description columns) to troubleshoot why connections are blocking.
I re-installed and reproduced the issue using the same configuration I started with; something must have been off with my initial install.
When simplewall is enabled, rules for NAT routing are broken. This is a bug. If you go to the Windows firewall and restore the defaults, it will restore the NAT (callout?) rules. The original NAT rules would redirect traffic and simplewall's modification of some rules is what breaks it.
When the rule is modified/broken/intercepted, packet captures can show that when the default NAT rules are enabled, the source address on the Virtual Switches is that of the local HOST/External network; when simplewall is enabled, the source address becomes that of the Guest/Internal network. This technically could still work if IP routing and route tables were added, but this is not NAT per the original issue.
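The diagnostic steps named in this thread (checking the vSwitch WFP extension, dumping the WFP filter set, and capturing the guest's traffic on the host to compare the source address with simplewall off and on), collected into one script. This is an added example, not code from the issue thread or the simplewall project; it assumes an elevated PowerShell session on the Hyper-V host, a switch named "Internal" and a guest address of 192.168.100.10 (both placeholders).

```powershell
# Added diagnostic example; not from the issue thread or the simplewall project.
# Run elevated on the Hyper-V host. The switch name and guest address are placeholders.
$SwitchName = 'Internal'          # the vSwitch the guests are attached to
$GuestIP    = '192.168.100.10'    # a guest that cannot reach past the host NAT

# 1. Record whether the WFP vSwitch extension is enabled on that switch
#    (the thread reports toggling it made no difference; keep it for the report).
Get-VMSwitchExtension -VMSwitchName $SwitchName |
    Where-Object Name -like '*Windows Filtering Platform*' |
    Select-Object Name, Enabled, Running

# 2. Dump the live WFP filter set and list every non-PERMIT filter by provider.
#    Take one dump with simplewall off and one with it on; filters present only
#    in the second dump are the candidates for the broken NAT path.
$dump = Join-Path $env:TEMP ('wfp-filters-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
netsh wfp show filters file="$dump" | Out-Null
[xml]$wfp = Get-Content -Path $dump -Raw
$wfp.SelectNodes('//filters/item') |
    Where-Object { $_.action.type -ne 'FWP_ACTION_PERMIT' } |
    Select-Object @{ n = 'Provider'; e = { $_.providerKey } },
                  @{ n = 'Layer';    e = { $_.layerKey } },
                  @{ n = 'Action';   e = { $_.action.type } },
                  @{ n = 'Name';     e = { $_.displayData.name } } |
    Sort-Object Provider, Layer |
    Format-Table -AutoSize

# 3. Capture the guest's packets on the host. In the resulting pcapng, look at the
#    source address of frames leaving the external interface: with working NAT it
#    is the host's external address; with the reported bug it stays $GuestIP.
pktmon filter remove | Out-Null
pktmon filter add GuestTraffic --ip $GuestIP | Out-Null
pktmon start --capture | Out-Null
Read-Host 'Generate traffic from the guest now (ping an address beyond the host), then press Enter'
pktmon stop | Out-Null
pktmon etl2pcapng "$PWD\PktMon.etl" -o "$PWD\PktMon.pcapng"
```

Open PktMon.pcapng in a packet analyser and filter on the host's external interface to confirm which source address the outbound packets carry.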