microsoft / WSL

Issues found on WSL
https://docs.microsoft.com/windows/wsl
MIT License

Access running WSL services from LAN devices without having to create Firewall rules with `networkingMode=mirrored` #10769

Open tusharsnx opened 12 months ago

tusharsnx commented 12 months ago

Is your feature request related to a problem? Please describe.

This video demo of the new `networkingMode = mirrored` (at around 8:19 minutes) seems to suggest that services running inside WSL can be accessed from other devices on the same LAN without needing any extra setup. But in my experience LAN devices cannot access WSL services until you explicitly allow that port in the firewall rule.

I tried toggling the new `experimental.firewall`/`wsl2.firewall`, but it doesn't seem to make any difference.

Describe the solution you'd like

I think one of these solutions should work:

  1. Let the user disable Firewall for WSL. (I expected `experimental.firewall = false` to do this)
  2. If firewall rules cannot be turned off completely for WSL, auto manage firewall rules for each service running within WSL, and prompt the user for consent if necessary.

Additional Details:

```
WSL version: 2.0.9.0
Kernel version: 5.15.133.1-1
WSLg version: 1.0.59
MSRDC version: 1.2.4677
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.22631.2506
```

```
$ wslinfo --networking-mode
mirrored
```

github-actions[bot] commented 12 months ago

Hi I'm an AI powered bot that finds similar issues based off the issue title.

Please view the issues below to see if they solve your problem, and if the issue describes your problem please consider closing this one and thumbs upping the other issue to help us prioritize it. Thank you!

Open similar issues:

Closed similar issues:

You can give me feedback by thumbs upping or thumbs downing this comment.

tusharsnx commented 12 months ago

https://github.com/microsoft/WSL/issues/10714 The issue is closely related, but I'm sure the issuer was confused about whether creating a firewall rule is necessary or not. So I created this issue as a feature request rather than a bug.

tusharsnx commented 12 months ago

Turns out that this article describes how you can disable WSL VM's Hyper-V Firewall in two steps:

> [!WARNING]
> Disabling Firewall can have unintended consequences. Any malicious app running within wsl gets unrestricted access to internet.

  1. Get WSL VM Id:

```powershell
Get-NetFirewallHyperVVMCreator
```

```
VMCreatorId  : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
FriendlyName : WSL
```

  2. Disable Firewall (from an elevated/admin Terminal):

```powershell
Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -Enabled False
```

At this point, you should be able to access wsl services from other devices on LAN (or from the internet who knows 🙃).

tusharsnx commented 12 months ago

A safer alternative is to Only allow connection to wsl in a Trusted (Private) network:

```powershell
New-NetFirewallHyperVRule `
-DisplayName 'Allow All Inbound Traffic to WSL in Private Network' `
-Name 'WSL Rule' `
-Profiles Private `
-Direction Inbound `
-Action Allow `
-VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' `
-Enabled True
```

This would block connection to wsl in a public (or untrusted) network, which is good.

In case you want to delete the rule, run:

```powershell
Remove-NetFirewallHyperVRule -Name 'WSL Rule'
```

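
An added example, not part of the thread or of the WSL project: a narrower variant of the rule above that keeps the Hyper-V firewall enabled and opens a single TCP port to WSL on Private networks only. The port 8080 and the rule naming scheme are assumptions; `-Protocol` and `-LocalPorts` are existing parameters of `New-NetFirewallHyperVRule`.

```powershell
#Requires -RunAsAdministrator
# Added example: expose one WSL service port to the trusted LAN only.
param(
    [ValidateRange(1, 65535)]
    [int]$Port = 8080,                           # assumed sample port
    [string]$RuleName = "WSL-Private-TCP-$Port"  # hypothetical naming scheme
)
$ErrorActionPreference = 'Stop'

# Look the creator ID up instead of hard-coding the GUID.
$wsl = Get-NetFirewallHyperVVMCreator |
    Where-Object FriendlyName -eq 'WSL' |
    Select-Object -First 1
if (-not $wsl) { throw 'No Hyper-V VM creator named WSL was found.' }
$id = "$($wsl.VMCreatorId)"

# Make sure the Hyper-V firewall for WSL is on (reverses the
# "-Enabled False" step if it was applied earlier).
Set-NetFirewallHyperVVMSetting -Name $id -Enabled True

# Rules that currently exist for the WSL VM creator (may be none).
$existing = Get-NetFirewallHyperVRule -VMCreatorId $id -ErrorAction SilentlyContinue

# Drop the allow-all rule from the thread if it is present, so that
# only explicitly listed ports stay reachable.
if ($existing | Where-Object Name -eq 'WSL Rule') {
    Remove-NetFirewallHyperVRule -Name 'WSL Rule'
}

# Create the per-port rule once; re-running the script is a no-op.
if (-not ($existing | Where-Object Name -eq $RuleName)) {
    New-NetFirewallHyperVRule `
        -Name $RuleName `
        -DisplayName "Allow TCP $Port to WSL on Private networks" `
        -Profiles Private `
        -Direction Inbound `
        -Action Allow `
        -Protocol TCP `
        -LocalPorts $Port `
        -VMCreatorId $id `
        -Enabled True | Out-Null
}

# Show the resulting state for review.
Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name $id
Get-NetFirewallHyperVRule -VMCreatorId $id
```
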
illgitthat commented 11 months ago

I experienced the same issue (saw the demo video, tried a bunch of things but couldn't get it to work). This firewall rule accomplished just what I was looking for. Thank you @tusharsnx !

I agree that this needs to be incorporated by default or at least mentioned in the documentation.