WSL2 Networking: NAT vs Mirrored Mode
NAT Mode (Default)
WSL2 runs behind a virtual NAT switch with its own IP address (typically
172.x.x.x). This IP changes on every WSL restart.
Windows host (100.64.x.x via Tailscale, 192.168.x.x via LAN)
  |
  +-- Virtual NAT switch
        |
        +-- WSL2 (172.28.x.x, changes on restart)
Implications:
- External machines (including Tailscale peers) cannot directly reach WSL2.
- You need netsh interface portproxy to forward ports from Windows to WSL2.
- The portproxy rule must be updated after every reboot (WSL2 IP changes).
- See port-forwarding.md.
Mirrored Mode (Recommended, Win11 22H2+ / WSL 2.0.4+)
WSL2 shares the host's network interfaces. Ports bound in WSL2 are directly accessible on the host's IPs, including the Tailscale IP.
Windows host (100.64.x.x via Tailscale, 192.168.x.x via LAN)
  |
  +-- WSL2 sees same interfaces, same IPs
Enable
In %UserProfile%\.wslconfig:
Then run wsl --shutdown from PowerShell and start WSL again.
Hyper-V Firewall Requirement
With mirrored mode, the regular Windows Firewall is not sufficient for inbound traffic to WSL2. You must also configure the Hyper-V firewall:
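# Allow SSH from the Tailscale subnet only (100.64.0.0/10 is Tailscale's CGNAT range).
# Without -RemoteAddresses the rule would admit SSH from any source.
New-NetFirewallHyperVRule -Name "WSL-SSH" -DisplayName "WSL SSH" -Direction Inbound `
    -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' `
    -Protocol TCP -LocalPorts 22 -RemoteAddresses 100.64.0.0/10 -Action Allow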
The GUID {40E0AC32-46A5-438A-A0B2-2B479E8F2E90} is the WSL VMCreatorId.
See firewall.md for full firewall setup.
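An added example (not part of the original page) that applies the mirrored-mode setting, confirms which mode WSL actually started in, and lists the inbound Hyper-V firewall rules for review. It assumes an elevated PowerShell session on the Windows host and a default distro whose WSL release includes the wslinfo tool; the variable names are illustrative.

```powershell
# Added example, not from the original page. Run from an elevated PowerShell on the host.
$WslVmCreatorId = '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'  # WSL VMCreatorId, as given on the page
$ConfigPath     = Join-Path $env:UserProfile '.wslconfig'

# 1. Put networkingMode=mirrored under [wsl2], keeping every other setting in the file.
$lines = @()
if (Test-Path $ConfigPath) { $lines = @(Get-Content -Path $ConfigPath) }
$out  = New-Object 'System.Collections.Generic.List[string]'
$done = $false
foreach ($line in $lines) {
    if ($line -match '^\s*networkingMode\s*=') { continue }   # drop any previous value
    $out.Add($line)
    if (-not $done -and $line -match '^\s*\[wsl2\]\s*$') {
        $out.Add('networkingMode=mirrored')
        $done = $true
    }
}
if (-not $done) { $out.Add('[wsl2]'); $out.Add('networkingMode=mirrored') }
Set-Content -Path $ConfigPath -Value $out

# 2. Restart WSL and confirm the mode it came up in (assumes wslinfo exists in the distro).
wsl.exe --shutdown
$mode = (wsl.exe wslinfo --networking-mode | Out-String).Trim()
if ($mode -ne 'mirrored') {
    Write-Warning "WSL reports networking mode '$mode'; ports bound in WSL2 are not on the host IPs."
}

# 3. Review what the Hyper-V firewall admits to WSL: the default actions first, then
#    every inbound Allow rule with its source scope, so a rule wider than intended stands out.
Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name $WslVmCreatorId
Get-NetFirewallHyperVRule -VMCreatorId $WslVmCreatorId |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Format-Table Name, Protocol, LocalPorts, RemoteAddresses -AutoSize
```

Re-running step 2 after a reboot or a WSL update shows whether WSL is still in mirrored mode before you rely on the host IPs.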
Known Issues with Mirrored Mode
- Some users report SSH connectivity dropping intermittently.
- Interface disappearance / fallback to NAT has been reported.
- Reference: microsoft/WSL#10597
Fallback plan: If mirrored mode proves unstable, switch back to NAT mode
and use netsh portproxy (see port-forwarding.md).
Comparison
| Aspect | NAT (default) | Mirrored |
|---|---|---|
| WSL2 IP | Private, changes | Same as host |
| Port forwarding needed | Yes (netsh portproxy) | No |
| Tailscale IP reachable | Via portproxy only | Directly |
| Extra firewall config | Windows Firewall only | + Hyper-V firewall |
| Stability | Mature, reliable | Newer, some edge cases |
| Windows version required | Any Win10/11 | Win11 22H2+, WSL 2.0.4+ |