simplewall
Firewall rules for Windows 10 hotspot
I am using the Windows 10 built-in Hotspot to share my internet via WiFi. However, the hotspot does not work when I have the Simplewall filter on. I tried to allow all traffic through 192.168.0.0/16 by adding a rule but it doesn't work. Does anyone know how to configure Simplewall to make the hotspot work?
I think these system rules should be enabled to allow this feature:
- netbios (both)
- smb (both)
- dns
- llmnr
- mdns
- ws-discovery
- ws-discovery [events]
Correct answer with blocked hotspot ports in log.
@dsoutw Are you able to figure out how to make hotspot work? @henrypp, I am not able to make my hotspot work by the method you suggested.
@PunnyBoi No, the suggestion from @henrypp does not work. I also tried to allow the local ports "1900;50302;67;5355;62442" according to the log. But it still cannot make the hotspot work.
Same problem, I tried the suggestion from @henrypp, also tried to allow 192.168.0.0/16 and local ports "1900;2869;53;67;68" for all apps and only for svchost.exe, but in the log I have the following entries:
"04.09.19, Ср 16:34:41","NT AUTHORITY\NETWORK SERVICE","C:\windows\system32\svchost.exe",0.0.0.0 (Remote),0.0.0.0 (Local),UDP,"NatAlePortFilter",#249847,OUT,BLOCK
"04.09.19, Ср 16:34:55","NT AUTHORITY\NETWORK SERVICE","C:\windows\system32\svchost.exe",0.0.0.0 (Remote),0.0.0.0 (Local),UDP,"NatAlePortFilter",#249847,OUT,BLOCK
"04.09.19, Ср 16:34:55","NT AUTHORITY\NETWORK SERVICE","C:\windows\system32\svchost.exe",0.0.0.0 (Remote),0.0.0.0 (Local),UDP,"NatAlePortFilter",#249847,OUT,BLOCK
OS version is Windows 10 Enterprise LTSC 10.0.17763.720, Simplewall version is 2.4.6.0. I tried another application (Windows 10 Firewall Control) and it doesn't have the same problem, except for adding local ports 67 and 68 to the whitelist.
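As an added example (not part of the original post and not simplewall's own code), this parser reads log lines in the format quoted in the comment above and tallies blocks per filter name and ID, which shows which filter is responsible for each block. The column names are assumptions inferred from the quoted lines, and the sample data, including the third line and its filter name, is constructed.

```python
import csv
from collections import Counter

# Assumed column names, inferred from the log lines quoted on this page.
FIELDS = ["time", "user", "path", "remote", "local",
          "protocol", "filter", "filter_id", "direction", "action"]

# Constructed sample: two lines modelled on the quoted entries, plus one
# invented IGMP line with a made-up filter name for contrast.
SAMPLE_LOG = r'''
"04.09.19, Wed 16:34:41","NT AUTHORITY\NETWORK SERVICE","C:\windows\system32\svchost.exe",0.0.0.0 (Remote),0.0.0.0 (Local),UDP,"NatAlePortFilter",#249847,OUT,BLOCK
"04.09.19, Wed 16:34:55","NT AUTHORITY\NETWORK SERVICE","C:\windows\system32\svchost.exe",0.0.0.0 (Remote),0.0.0.0 (Local),UDP,"NatAlePortFilter",#249847,OUT,BLOCK
"04.09.19, Wed 16:35:02","","",192.168.137.1 (Remote),224.0.0.22 (Local),IGMP,"constructed-filter",#1,IN,BLOCK
'''

def parse_log(text):
    """Yield one dict per well-formed log line; skip blank or short rows."""
    rows = csv.reader(line for line in text.splitlines() if line.strip())
    for row in rows:
        if len(row) != len(FIELDS):
            continue
        entry = dict(zip(FIELDS, (cell.strip() for cell in row)))
        for side in ("remote", "local"):
            # Drop the " (Remote)" / " (Local)" suffix after the address.
            entry[side] = entry[side].split(" (")[0]
        yield entry

def blocks_by_filter(entries):
    """Count BLOCK entries per (filter name, id, protocol, direction)."""
    return Counter(
        (e["filter"], e["filter_id"], e["protocol"], e["direction"])
        for e in entries if e["action"] == "BLOCK")

def unaddressed_blocks(entries):
    """Blocks logged with 0.0.0.0 on both sides, so the log line itself
    gives no address from which an address-scoped rule could be derived."""
    return [e for e in entries if e["action"] == "BLOCK"
            and e["remote"] == e["local"] == "0.0.0.0"]

if __name__ == "__main__":
    entries = list(parse_log(SAMPLE_LOG))
    for key, count in blocks_by_filter(entries).most_common():
        print(count, *key)
    print(len(unaddressed_blocks(entries)), "blocks without addresses")
```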
Same here, can't make it to allow Windows 10.1903 Hotspot ((
I'm here to tell you that the problem is for real and exists for Windows 10 1909 and Simplewall 3.0.9.
It took me several days to realize it's not a problem with intel wifi drivers and the new windows driver model (which disallows hosted networks / soft-ap from now on and you are forced to use microsoft windows mobile hotspot). Instead it's simplewall which is unable to allow/unblock necessary traffic.
The mobile hotspot is up and running, but clients can only connect via lan/smb and they don't get internet access, that's the actual problem.
I tried all of the above, always checked blocks in the logs, made custom rules to allow them and even more, yet it is not possible to fix this by adding/removing any rules to the user filters, nor by checking/unchecking any of the available program options.
The only way to make the windows mobile hotspot work is to completely disable simplewall's filtering and the mobile hotspot's internet will work immediately.
will try to add more log information for this issue soon
we need to figure this out, because something is wrong with the general filtering.
@henrypp can you please take a look into this issue? there seems to be a problem which might be deeper than expected.
I did some additional tests and I'll provide you some logs and screenshots. for that, I reinstall simplewall to start with a fresh installation and default settings.
For testing, I will always enable the win10 mobile hotspot, connect with my android phone, let simplewall log all it is blocking, look at the blocks and adjust rules, disable the mobile hotspot, delete simplewall.log and repeat all over again until there is nothing left to do.
For the beginning, I'll provide you screenshots of the overall simplewall settings:
The system rules (I enabled everything):
Overall Rules:
Blocklist Settings:
User rules:
Notice: I created a rule which should allow everything in/out of my LAN subnet 192.168.0.0/16, including all protocols, IPv4/6 for "system" and "svchost.exe". This also includes the mobile hotspot IP which is fixed at 192.168.137.1.
Also notice I enabled ICMPv4/6 rules here.
So let's start testing.
The first thing that looks strange is that despite my LAN subnet rule which should cover and allow everything in the 192.168.0.0/16 subnet, Simplewall blocks IGMP traffic. The igmp local address is 224.0.0.x but the remote address is in the allowed subnet, so the Rule should actually allow this connection but it doesn't:
The next strange thing is: simplewall blocks DHCP traffic despite the DHCP system rule which should allow exactly this DHCP traffic:
For testing I created custom rules to handle each multicast DHCP traffic, so that simplewall no longer brings the block pop-up windows. For instance:
0.0.0.0 to 255.255.255.255 outbound, UDP, allow (without ports). and
192.168.137.1 (hotspot ip) to 255.255.255.255 outbound, UDP, allow (also no ports)
Now, when I disable and enable the Win10 Hotspot, Simplewall shows no blocking pop-ups anymore. I would assume that simplewall doesn't block anything that could prevent the mobile hotspot from working. But it still does. Connecting from my phone to the hotspot still shows "no internet available".
Let's take a look at the simplewall.log what still gets blocked:
First of all we see here the 239.255.255.250 port 1900 192.168.1.x blocks. This is Simple Service Discovery Protocol (SSDP) Traffic that gets blocked. But it shouldn't get blocked. I enabled system rules to allow SSDP inbound and outbound (see screenshot above!). Also notice, there is no User and Path entry in the logs with these lines. it's just <empty>.
Then we see again a lot of DHCP traffic that gets blocked. Why does it get blocked?
See the lines with 255.255.255.255, port 67, 0.0.0.0, port 68, etc. It's loopback DHCP traffic, but notice the user and path: simplewall detects some as svchost.exe and some as <empty>.
This traffic is already allowed twice: once in the system rules with the DHCP rule (see screenshot above again) and a second time with the user-created rule I mentioned above. Despite that, simplewall still blocks this traffic.
I think this is the reason why it is possible to have a connection with the mobile hotspot on the one hand but we don't get any internet on the other hand - because the DHCP and SSDP traffic still gets blocked.
When I disable simplewall filtering, the android phone connected to the w10 mobile hotspot instantly gets internet access.
I can't fix this issue by adding user rules to simplewall, because it blocks traffic despite having allow-rules. There must be something wrong on simplewall's side, with detecting loopback traffic with the virtual wifi/hotspot adapter.
@henrypp I strongly recommend testing this for yourself as the problem seems to be anywhere where you have to dig deeper into the code.
@henrypp a few things to add:
have you tested simplewall against windows 10 1909? Also, I saw that windows defender firewall service is still running while simplewall filters are active. Does simplewall just disable windows firewall for private/public/domain or should it disable the whole windows firewall service? Because it seems the windows firewall service still does something to filtering just by running in the background (in the logs then still appear block filters not by \simplewall\bla but by \microsoft\bla)
update about my quote from above:
> First of all we see here the 239.255.255.250 port 1900 192.168.1.x blocks. This is Simple Service Discovery Protocol (SSDP) Traffic that gets blocked. But it shouldn't get blocked. I enabled system rules to allow SSDP inbound and outbound (see screenshot above!). Also notice, there is no User and Path entry in the logs with these lines. it's just <empty>.
I just realized that the reason for this is not a mistake by simplewall, it was the setting "Stealth mode" in the simplewall settings. So this is not a problem; it was on purpose by this setting, sorry for that.
anyway.. I disabled the windows defender firewall service for testing, also unchecked stealth mode for testing and yet simplewall seems to block the mobile hotspot from having an internet connection for the clients.
even more information: I had simplewall configured so far that nothing is blocked anymore when the hotspot is activated and a mobile phone tries to connect... so actually everything should work but it doesn't.
Now I did the following: I reset the original windows defender firewall rules back to standard setting it to its original state. Then activate the windows defender firewall while simplewall filters are ALSO active. And suddenly the mobile hotspot works with internet connection for the mobile phone.
~~Windows Firewall (defaults) [ON] + simplewall filters [ON] = mobile hotspot works~~ EDIT: NOT TRUE. I saw in the logs that when both firewalls are enabled, there is a filtering conflict between both firewalls (simplewall.log shows it). I guess it just worked by accident then due to the conflict.
not exactly the solution we would prefer, though....
Update:
- For the mobile hotspot to work it is necessary that the dnscache/dns-client service is enabled (the service caches dns requests in windows, you don't really need it for internet to work. However, this service is needed for other services and mobile hotspot is not working if this service gets disabled).
- If dns-client service is enabled (default in win10), windows defender firewall rules are reset to their original state and then if you disable simplewall filtering and at the same time enable windows defender firewall, the mobile hotspot is working and clients get internet. This is reproducible.

As soon as simplewall filtering is enabled and windows firewall disabled, the hotspot internet access stops working. Although it is not working and it is obviously blocking something, simplewall.log does not show anything that gets blocked; it is empty after re-enabling the hotspot and letting a client connect. There is nothing to unblock and therefore nothing we could do. Out of ideas at the moment, it's your turn @henrypp
- The windows Firewall doesn't even need to be activated, which isn't really surprising. You can disable windows defender firewall service completely and as soon as you disable simplewall filters, the hotspot will work. So it doesn't matter what status or rules the windows firewall filters have, it's all up to the simplewall filters.
Hi, I have the same problem as the Windows 10 hotspot not working with SimpleWall activated. I use the Windows 10 hotspot every day so I can't use SimpleWall which is a shame because I really like this application ... I would really like @henrypp to fix this problem soon because this topic was created on May 9, 2019 and is still not fixed yet, thanks for any response :)
Some resources:
What is Hosted Network (hotspot uses this) https://docs.microsoft.com/en-us/windows/win32/nativewifi/about-the-wireless-hosted-network
Using Hosted network https://docs.microsoft.com/en-us/windows/win32/nativewifi/using-hosted-network-and-internet-connection-sharing
Anyway. Now I found how to fix that Wi-Fi hotspot problem. If I understood correctly: "Malwarebytes company bought Microsoft Windows Firewall". So they made their own application: Malwarebytes Windows Firewall Control. I'm using it right now and it's working very well. At least, there are 0 problems with the Microsoft Wi-Fi sharing... :)
Any progress? I have the same issue.
Is this related to "Your Phone" app? I have a hard time allowing this app to connect to my phone.
Mobile Hot-spot does not work. 2019-...20...21
Mobile Hotspot with Simplewall works fine, if
- Windows Firewall (defaults) [ON] + simplewall SYSTEM filters [OFF all]
Some services need to enable internet access.
Try allowing these services in the tab:
- Dhcp
- icssvc
- SharedAccess
- WlanSvc
Some of them, I do not know which exactly, were required for the Hotspot to work correctly.
Hi, I have the same problem. I have allowed all the mentioned services, I can connect to my hotspot with my Android phone, but I get the message "This Wi-Fi network has no access to the internet"...
Cheers
Simplewall does not work with Hotspot. SW off and HS works.
I can confirm that even if I enable every rule, it still doesn't work and the firewall doesn't seem to detect the packets.
This is a problem for those who use hotspot. I deleted the Simple for this.
Recently my setup requires me to route all my Internet traffic through my Windows machine that was running simplewall for years. I love this piece of software, yet I had to let it go for Internet Sharing service to work properly. I would really love to see this issue resolved and continue using simplewall.
+++
@henrypp I think there is some issue in allowing internet access to services, which is preventing hotspot from working. As even after allowing 'wuauserv', connections made by that service get blocked (I check using the LiveTCPUDPWatch tool from nirsoft, it shows the Process ID for applications making the connection). So, maybe some of the system rules aren't working, which is preventing the hotspot from working even after enabling all system rules.
The hotspot network seems to be blocked even after I turned off the filter, until I rebooted the system and it worked again. The phone could access the host but could not reach beyond it.
When I entirely disable the filters the hotspot internet access is still blocked until I reboot the system. I think it's deeply hidden code inside SW that prevents unexpected things, or in the (WFP) feature. I hope SW resolves this issue, because Mobile hotspot is very useful.
I can get internet access through hotspot if I use the "disable filters" button without reboot, but even if I allow every app, every service, every uwp app, every system rule, every user rule and allow blocklists for microsoft spying and telemetry/update/applications I cannot get internet through hotspot. Really sucks because this is the best firewall I've found, one of the first applications I install on any new computer or fresh install of windows.
@devdzt This is exactly what I observed too. I also install SW as soon as I start my computer after fresh install.
@popdisk and @anwar-alsilwy Did you disable filters from SW? Closing SW without disabling filters doesn't remove rules from WFP.
@TontyTon, I disabled the filters and exited from SW completely, but the hotspot internet access never returns until I reboot the whole system.
@anwar-alsilwy Which version of Windows are you on?