I wanted an IPv4 service running on the Hyper-V host that only the VMs can access via a Virtual Switch.
Hyper-V Server 2016 (removed IPv6 public prefix)
Ethernet adapter vEthernet (Public Switch):
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
Physical Address. . . . . . . . . : 00-25-90-2E-11-AC
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : <removed>:3826:3af6(Preferred)
Link-local IPv6 Address . . . . . : fe80::ad2c:f032:3826:3af6%3(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.58.246(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::29c:2ff:fea9:fdd0%3
DHCPv6 IAID . . . . . . . . . . . : 352331152
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-C4-64-14-00-25-90-2E-11-AE
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
PS C:\users\Administrator> get-netfirewallrule FPS-ICMP4-ERQ-In | select *
Name : FPS-ICMP4-ERQ-In
ID : FPS-ICMP4-ERQ-In
DisplayName : File and Printer Sharing (Echo Request - ICMPv4-In)
Group : @FirewallAPI.dll,-28502
Enabled : True
Profile : Domain, Private, Public
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LSM : False
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSourceType : Local
Caption :
Description : Echo Request messages are sent as ping requests to other nodes.
ElementName : File and Printer Sharing (Echo Request - ICMPv4-In)
InstanceID : FPS-ICMP4-ERQ-In
CommonName :
PolicyKeywords :
PolicyDecisionStrategy : 2
PolicyRoles :
ConditionListType : 3
CreationClassName : MSFT|FW|FirewallRule|FPS-ICMP4-ERQ-In
ExecutionStrategy : 2
Mandatory :
PolicyRuleName :
Priority :
RuleUsage :
SequencedActions : 3
SystemCreationClassName :
SystemName :
DisplayGroup : File and Printer Sharing
LocalOnlyMapping : False
LooseSourceMapping : False
Owner :
Platforms : {}
PolicyStoreSource : PersistentStore
Profiles : 7
RuleGroup : @FirewallAPI.dll,-28502
StatusCode : 65536
PSComputerName :
CimClass : root/standardcimv2:MSFT_NetFirewallRule
CimInstanceProperties : {Caption, Description, ElementName, InstanceID...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
VM Centos 7
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:00:e2:0a brd ff:ff:ff:ff:ff:ff
inet 172.16.0.249/22 brd 172.16.3.255 scope global noprefixroute dynamic eth0
valid_lft 13592sec preferred_lft 13592sec
inet6 <removed>:4120:3820/64 scope global noprefixroute dynamic
valid_lft 86314sec preferred_lft 14314sec
inet6 fe80::b73a:6e98:36ff:d902/64 scope link noprefixroute
valid_lft forever preferred_lft forever
# ping6 fe80::ad2c:f032:3826:3af6%eth0
PING fe80::ad2c:f032:3826:3af6%eth0(fe80::ad2c:f032:3826:3af6%eth0) 56 data bytes
64 bytes from fe80::ad2c:f032:3826:3af6%eth0: icmp_seq=1 ttl=64 time=0.725 ms
# ping6 <removed>:3826:3af6
PING <removed>:3826:3af6(<removed>:3826:3af6) 56 data bytes
64 bytes from <removed>:3826:3af6: icmp_seq=1 ttl=64 time=0.755 ms
# ping 169.254.58.246
PING 169.254.58.246 (169.254.58.246) 56(84) bytes of data.
^C
--- 169.254.58.246 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.3.254 0.0.0.0 UG 100 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.16.0.0 0.0.0.0 255.255.252.0 U 100 0 0 eth0
172.17.0.0 0.0.0.0 255.255.255.0 U 0 0 0 docker0
# arp -n
Address HWtype HWaddress Flags Mask Iface
172.16.1.118 ether 00:15:5d:00:e2:0e C eth0
172.16.3.254 ether 00:9c:02:a9:fd:d0 C eth0
172.16.0.226 ether 00:25:90:2e:11:ae C eth0
169.254.58.246 ether 00:25:90:2e:11:ac C eth0
# ping 172.16.0.226
PING 172.16.0.226 (172.16.0.226) 56(84) bytes of data.
64 bytes from 172.16.0.226: icmp_seq=1 ttl=128 time=1.23 ms
64 bytes from 172.16.0.226: icmp_seq=2 ttl=128 time=0.708 ms
172.16.0.226 is the Hyper-V host's LAN adapter
I did a packet capture on the Hyper-V host and see the ping request coming in. You can see above that the table table has the correct MAC. Hyper-V has a rule allowing ICMPv4 ping
So to summarize:
- Can ping Virtual Switch IPv6 public & link-local
- Can ping Hyper-V LAN adapter IPv4
- Can't ping Hyper-V IPv4 link-local
- Hyper-V host receives the ICMPv4 packet
- Hyper-V host firewall is set to allow pings (I think?--see above)
