Firewall rules for Windows 10 hotspot #425

Open
dsoutw opened this issue May 9, 2019 · 50 comments
@dsoutw

dsoutw commented May 9, 2019

I am using the Windows 10 built-in Hotspot to share my internet via WiFi. However, the hotspot does not work when I have the Simplewall filter on. I tried to allow all traffic through 192.168.0.0/16 by adding a rule but it doesn't work.
Does anyone know how to configure Simplewall to make the hotspot work?

@henrypp
Owner

henrypp commented May 10, 2019

I think these system rules should be enabled to allow this feature:

  • netbios (both)
  • smb (both)
  • dns
  • llmnr
  • mdns
  • ws-discovery
  • ws-discovery [events]

Correct answer with blocked hotspot ports in log.

@PunnyBoi

@dsoutw Are you able to figure out how to make hotspot work? @henrypp, I am not able to make my hotspot work by the method you suggested.

@dsoutw
Author

dsoutw commented Jun 28, 2019

@PunnyBoi No, the suggestion from @henrypp does not work. I also tried to allow the local ports "1900;50302;67;5355;62442" according to the log. But it still cannot make the hotspot work.

@itBAIT

itBAIT commented Sep 4, 2019

Same problem. I tried the suggestion from @henrypp, and also tried to allow 192.168.0.0/16 and local ports "1900;2869;53;67;68" for all apps and only for svchost.exe, but in the log I have the following entries:
"04.09.19, Ср 16:34:41","NT AUTHORITY\NETWORK SERVICE","C:\windows\system32\svchost.exe",0.0.0.0 (Remote),0.0.0.0 (Local),UDP,"NatAlePortFilter",#249847,OUT,BLOCK
"04.09.19, Ср 16:34:55","NT AUTHORITY\NETWORK SERVICE","C:\windows\system32\svchost.exe",0.0.0.0 (Remote),0.0.0.0 (Local),UDP,"NatAlePortFilter",#249847,OUT,BLOCK
"04.09.19, Ср 16:34:55","NT AUTHORITY\NETWORK SERVICE","C:\windows\system32\svchost.exe",0.0.0.0 (Remote),0.0.0.0 (Local),UDP,"NatAlePortFilter",#249847,OUT,BLOCK

OS version is Windows 10 Enterprise LTSC 10.0.17763.720, Simplewall version is 2.4.6.0.
I tried another application (Windows 10 Firewall Control) and it doesn't have the same problem, except for adding local ports 67 and 68 to the whitelist.

@RIS2000

RIS2000 commented Dec 10, 2019

Same here, can't make it to allow Windows 10.1903 Hotspot ((

@tokariu

tokariu commented Dec 15, 2019

I'm here to tell you that the problem is for real and exists for Windows 10 1909 and Simplewall 3.0.9.

It took me several days to realize it's not a problem with intel wifi drivers and the new windows driver model (which disallows hosted networks / soft-ap from now on and you are forced to use microsoft windows mobile hotspot).
Instead it's simplewall which is unable to allow/unblock necessary traffic.

The mobile hotspot is up and running, but clients can only connect via lan/smb and they don't get internet access, that's the actual problem.

I tried all of the above, always checked blocks in the logs, made custom rules to allow them and even more, yet it is not possible to fix this by adding/removing any rules to the user filters, nor by checking/unchecking any of the available program options.

The only way to make the windows mobile hotspot work is to completely disable simplewall's filtering and the mobile hotspot's internet will work immediately.

will try to add more log information for this issue soon

we need to figure this out, because something is wrong with the general filtering.

@tokariu

tokariu commented Dec 17, 2019

@henrypp can you please take a look into this issue? there seems to be a problem which might be deeper than expected.

I did some additional tests and I'll provide you some logs and screenshots. For that, I reinstalled simplewall to start with a fresh installation and default settings.

For testing, I will always enable the win10 mobile hotspot, connect with my android phone, let simplewall log all it is blocking, look at the blocks and adjust rules, disable the mobile hotspot, delete simplewall.log and repeat all over again until there is nothing left to do.

For the beginning, I'll provide you screenshots of the overall simplewall settings:

The system rules (I enabled everything):
[screenshot: simplewall_1]

Overall Rules:
[screenshot: simplewall_2]

Blocklist Settings:
[screenshot: simplewall_3]

User rules:
Notice: I created a rule which should allow everything in/out of my LAN subnet 192.168.0.0/16, including all protocols, IPv4/6 for "system" and "svchost.exe". This also includes the mobile hotspot IP which is fixed at 192.168.137.1.
Also notice I enabled ICMPv4/6 rules here.
[screenshot: simplewall_4]

So let's start testing.

The first thing that looks strange is that despite my LAN subnet rule which should cover and allow everything in the 192.168.0.0/16 subnet, Simplewall blocks IGMP traffic. The igmp local address is 224.0.0.x but the remote address is in the allowed subnet, so the rule should actually allow this connection but it doesn't:
[screenshot: simplewall_2019-12-17_15-03-59]

The next strange thing is: simplewall blocks DHCP traffic despite the DHCP system rule which should allow exactly this DHCP traffic:
[screenshot: simplewall_2019-12-17_15-06-05]

For testing I created custom rules to handle each multicast DHCP traffic, so that simplewall no longer brings the block pop-up windows.
For instance:

0.0.0.0 to 255.255.255.255 outbound, UDP, allow (without ports). and
192.168.137.1 (hotspot ip) to 255.255.255.255 outbound, UDP, allow (also no ports)

Now, when I disable and enable the Win10 Hotspot, Simplewall shows no blocking pop-ups anymore. I would assume that simplewall doesn't block anything that could prevent the mobile hotspot from working. But it still does. Connecting from my phone to the hotspot still shows "no internet available".

Let's take a look at the simplewall.log what still gets blocked:
[screenshot: simplewall_5]

First of all we see here the 239.255.255.250 port 1900 192.168.1.x blocks. This is Simple Service Discovery Protocol (SSDP) Traffic that gets blocked. But it shouldn't get blocked. I enabled system rules to allow SSDP inbound and outbound (see screenshot above!). Also notice, there is no User and Path entry in the logs with these lines. it's just <empty>.

Then we see again a lot of DHCP traffic that gets blocked. Why does it get blocked?
see the lines with
255.255.255.255, port 67, 0.0.0.0, port 68, etc.
It's a loopback DHCP traffic, but notice the user and path, simplewall detects some as svchost.exe and some as <empty>.

This traffic is already allowed twice: For one time in the system rules with the DHCP rule (see screenshot above again) and for the second time with my user created rule I mentioned above.
Despite that, simplewall still blocks this traffic.

I think this is the reason why it is possible to have a connection with the mobile hotspot on the one hand but we don't get any internet on the other hand - because the DHCP and SSDP traffic still gets blocked.

When I disable simplewall filtering, the android phone connected to the w10 mobile hotspot instantly gets internet access.

I can't fix this issue by adding user rules to simplewall, because it blocks traffic despite having allow-rules. There must be something wrong on simplewall's side, with detecting loopback traffic with the virtual wifi/hotspot adapter.

@henrypp I strongly recommend testing this for yourself as the problem seems to be anywhere where you have to dig deeper into the code.

@tokariu

tokariu commented Dec 20, 2019

@henrypp a few things to add:

have you tested simplewall against windows 10 1909?
Also, I saw that windows defender firewall service is still running while simplewall filters are active. Does simplewall just disable windows firewall for private/public/domain or should it disable the whole windows firewall service? Because it seems the windows firewall service still does something to filtering just by running in the background (in the logs then still appear block filters not by \simplewall\bla but by \microsoft\bla)

update about my quote from above:

> First of all we see here the 239.255.255.250 port 1900 192.168.1.x blocks. This is Simple Service Discovery Protocol (SSDP) Traffic that gets blocked. But it shouldn't get blocked. I enabled system rules to allow SSDP inbound and outbound (see screenshot above!). Also notice, there is no User and Path entry in the logs with these lines. it's just <empty>.

I just realized that the reason for this is not a mistake by simplewall, it was the setting "Stealth mode" in the simplewall settings. So this is not a problem, it was on purpose by this setting, sorry for that.

anyway.. I disabled the windows defender firewall service for testing, also unchecked stealth mode for testing and yet simplewall seems to block the mobile hotspot from having an internet connection for the clients.

@tokariu

tokariu commented Dec 21, 2019

even more information:
I had simplewall configured so far that nothing is blocked anymore when the hotspot is activated and a mobile phone tries to connect... so actually everything should work but it doesn't.

Now I did the following: I reset the original windows defender firewall rules back to standard setting it to its original state. Then activate the windows defender firewall while simplewall filters are ALSO active. And suddenly the mobile hotspot works with internet connection for the mobile phone.

Windows Firewall (defaults) [ON] + simplewall filters [ON] = mobile hotspot works
EDIT: NOT TRUE. I saw in the logs that when both firewalls are enabled, there is a filtering conflict between both firewalls (simplewall.log shows it). I guess it just worked by accident then due to the conflict.

not exactly the solution we would prefer, though....

Update:

  1. For the mobile hotspot to work it is necessary that the dnscache/dns-client service is enabled (the service caches dns requests in windows, you don't really need it for internet to work. however, this service is needed for other services and mobile hotspot is not working if this service gets disabled).

  2. if dns-client service is enabled (default in win10), windows defender firewall rules are reset to its original state and then if you disable simplewall filtering and at the same time enable windows defender firewall, the mobile hotspot is working and clients get internet. this is reproducible.

As soon as simplewall filtering is enabled and windows firewall disabled, the hotspot internet access stops working. Despite it is not working and it is obviously blocking something, simplewall.log does not show up anything that gets blocked, it is empty after re-enabling the hotspot and letting a client connect. There is nothing to unblock and therefore nothing we could do. out of ideas at the moment, it's your turn @henrypp

  1. The windows Firewall doesn't even need to be activated which isn't really surprising. you can disable windows defender firewall service completely and as soon as you disable simplewall filters, the hotspot will work. so it doesn't matter what status or rules the windows firewall filters have, it's all up to the simplewall filters.

@henrypp henrypp pinned this issue Dec 24, 2019
@Illegal-Services

Hi, I have the same problem as the Windows 10 hotspot not working with SimpleWall activated.
I use the Windows 10 hotspot every day so I can't use SimpleWall which is a shame because I really like this application ...
I would really like @henrypp to fix this problem soon because this topic was created on May 9, 2019 and is still not fixed yet, thanks for any response :)

@Djinhx

Djinhx commented Jun 29, 2020

@Illegal-Services

Illegal-Services commented Jun 29, 2020

Anyway.
Now I found how to fix that Wi-Fi hotspot problem.
If I understood correctly: "Malwarebytes company bought Microsoft Windows Firewall".
So they made their own application : Malwarebytes Windows Firewall Control.
I'm using it right now and it's working very good. At least, there is 0 problems with the Microsoft Wi-Fi sharing... :)

@danieltuzes

Any progress? I have the same issue.

@aminya

aminya commented Mar 1, 2021

Is this related to "Your Phone" app? I have a hard time allowing this app to connect to my phone.

@Onair-santa

Mobile Hot-spot not work. 2019-...20...21

@Onair-santa

Mobile Hotspot with Simplewall works fine, if

  1. Windows Firewall (defaults) [ON] + simplewall SYSTEM filters [OFF all]

[screenshots]

@henrypp
Owner

henrypp commented Apr 29, 2021

Some services need to be allowed internet access.

Try allowing these services in the tab:

  • Dhcp
  • icssvc
  • SharedAccess
  • WlanSvc

Some of them, I do not know which exactly, were required for the Hotspot to work correctly.

@J0n1k4

J0n1k4 commented Oct 4, 2021

Hi, I have the same problem.
I have allowed all the mentioned services, I can connect to my hotspot with my Android phone, but I get the message "This Wi-Fi network has no access to the internet"...

Cheers

@Onair-santa

Onair-santa commented Oct 4, 2021

Simplewall not work with Hotspot. SW - Off and HS work

@Whiax

Whiax commented Nov 19, 2021

I can confirm that even if I enable every rule, it still doesn't work and the firewall doesn't seem to detect the packets.

@Onair-santa

This is a problem for those who use hotspot. I deleted the Simple for this.

@milkysch

Recently my setup requires me to route all my Internet traffic through my Windows machine that was running simplewall for years. I love this piece of software, yet I had to let it go for Internet Sharing service to work properly. I would really love to see this issue resolved and continue using simplewall.

@Onair-santa

+++

@TontyTon

@henrypp I think there is some issue in allowing internet access to services, which is preventing hotspot from working.
As even after allowing 'wuauserv', connections made by that service get blocked (I check using the LiveTCPUDPWatch tool from nirsoft, it shows the Process ID for applications making the connection).
So, maybe some of the system rules aren't working which is preventing the hotspot from working even after enabling all system rules.

@popdisk

popdisk commented Dec 23, 2021

The hotspot network seems to be blocked even when I turned off the filter, until I rebooted the system and it worked again. The phone could access the host but could not reach beyond it.

@anwar-alsilwy

anwar-alsilwy commented Jan 7, 2022

When I entirely disable the filters, the hotspot internet access is still blocked until I reboot the system. I think it's deeply hidden code inside SW that prevents unexpected things, or in the (WFP) feature. I hope SW resolves this issue, because Mobile hotspot is very useful.

@devdzt

devdzt commented Jan 16, 2022

I can get internet access through hotspot if I use the "disable filters" button without reboot, but even if I allow every app, every service, every uwp app, every system rule, every user rule and allow blocklists for microsoft spying and telemetry/update/applications, I cannot get internet through hotspot.
Really sucks because this is the best firewall I've found, one of the first applications I install on any new computer or fresh install of windows.

@TontyTon

TontyTon commented Jan 20, 2022

@devdzt This is exactly what I observed too.
I also install SW as soon as I start my computer after fresh install.

@popdisk and @anwar-alsilwy Did you disable filters from SW? Closing SW without disabling filters doesn't remove rules from WFP.

@anwar-alsilwy

@TontyTon, I disabled the filters and exited from SW completely, but the hotspot internet access never returns until I reboot the whole system.

@TontyTon

@anwar-alsilwy Which version of windows are you on?

@popdisk

popdisk commented Jan 21, 2022

@TontyTon I'm sure the SW filter as well as windows firewall are disabled and all rules don't take effect, but the hotspot still does not work. I'm using windows 10 21H2.

@anwar-alsilwy

@TontyTon, I'm using both builds W10 1909 & W10 21H2

@leuldereje

leuldereje commented Jan 31, 2022

I am having the same issue with the latest simplewall v3.6.1

Allowed these services:

  • Dhcp
  • icssvc
  • SharedAccess
  • WlanSvc

Allowed these system rules:

  • netbios (both)
  • smb (both)
  • dns
  • llmnr
  • mdns
  • ws-discovery
  • ws-discovery [events]

but still hotspot has no internet access. Please help @henrypp

@ThyHodler

hi everyone. Any solution on this subject yet? not able to share my internet with simplewall on.

@Onair-santa

Onair-santa commented Aug 10, 2022

> hi everyone. Any solution on this subject yet? not able to share my internet with simplewall on.

Not work Hotspot w Simplewall...and with Symantec Firewall, Hotspot not work too

@doomrunningonyomamma

Quite sad this didn't receive much work oh well :/

@mesvam

mesvam commented Nov 4, 2022

I found a workaround.

Disabling Windows Firewall fixed it for me, though you can immediately re-enable it if you want. However, if you subsequently toggle simplewall, the problem appears again. I suspect resetting the Windows Firewall refreshes some config. Maybe it's overwriting something that simplewall changed, or maybe just a bug in Windows, idk.

When this issue was happening, I found a lot of lines in the simplewall.log file that look like this
"‎2022-‎11-‎03 ‏‎15:32:46","NT AUTHORITY\SYSTEM","System","192.168.137.255","137 (netbios-ns)","192.168.137.194","137 (netbios-ns)","udp","FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4","Prompt the User for a decision corresponding to Inbound Traffic. This filter blocks any inbound packets for which there is no explicit rule to allow the packet, unless the user has allowed through the Query User pop up.","#2302991","Inbound","Blocked"

Pay attention to the filter description. If you look up the filter ID in netsh wfp show filters and look in filters.xml, that's not a simplewall rule, the name is Query User. For some reason, Windows decided to ignore the simplewall rules, found no other rules matching the packet, so it ended up being caught by this built-in catch-all rule, though for some Windows reason doesn't notify the user as the description indicates it should. This post provides some more details: https://serverfault.com/a/1046686/87153 You can try the solution there as well, but again, you don't actually have to set it permanently, just toggling will do the trick.

Hopefully this helps somebody until there's a better fix. Maybe even help @henrypp debug the issue.
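
The lookup described in this comment, as an added example that is not part of the thread or of simplewall: it counts blocked rows in simplewall.log per filter ID and resolves each ID against the `netsh wfp show filters` dump to show which filter did the blocking. The sample data is constructed (only the IDs 2302991 and 249847 and the names "Query User" and "NatAlePortFilter" come from the thread); the XML element names and the "simplewall" name marker used to recognise simplewall's own filters are assumptions.

```python
import csv
import io
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed rows in the two simplewall.log layouts quoted in this thread.
SAMPLE_LOG = r'''
"2022-11-03 15:32:46","NT AUTHORITY\SYSTEM","System","192.168.137.255","137 (netbios-ns)","192.168.137.194","137 (netbios-ns)","udp","FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4","Prompt the User for a decision corresponding to Inbound Traffic.","#2302991","Inbound","Blocked"
"2022-11-03 15:32:49","NT AUTHORITY\SYSTEM","System","192.168.137.255","138 (netbios-dgm)","192.168.137.194","138 (netbios-dgm)","udp","FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4","Prompt the User for a decision corresponding to Inbound Traffic.","#2302991","Inbound","Blocked"
"2022-11-03 15:33:01","NT AUTHORITY\SYSTEM","System","192.168.137.1","53 (domain)","192.168.137.194","50000","udp","FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4","simplewall constructed block rule","#1000001","Inbound","Blocked"
"2022-11-03 15:33:05","NT AUTHORITY\SYSTEM","System","192.168.137.1","53 (domain)","192.168.137.194","50001","udp","FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4","simplewall constructed allow rule","#1000002","Inbound","Allowed"
"04.09.19 16:34:41","NT AUTHORITY\NETWORK SERVICE","C:\windows\system32\svchost.exe",0.0.0.0 (Remote),0.0.0.0 (Local),UDP,"NatAlePortFilter",#249847,OUT,BLOCK
'''

# Constructed stand-in for filters.xml; element names are an assumed layout,
# and the provider GUIDs are placeholders.
SAMPLE_FILTERS_XML = """<wfpdiag><filters numItems="2">
<item>
  <displayData><name>Query User</name></displayData>
  <providerKey>{00000000-0000-0000-0000-0000000000aa}</providerKey>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <filterCondition numItems="1"><item><fieldKey>FWPM_CONDITION_FLAGS</fieldKey></item></filterCondition>
  <action><type>FWP_ACTION_BLOCK</type></action>
  <filterId>2302991</filterId>
</item>
<item>
  <displayData><name>simplewall constructed block rule</name></displayData>
  <providerKey>{00000000-0000-0000-0000-0000000000bb}</providerKey>
  <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
  <action><type>FWP_ACTION_BLOCK</type></action>
  <filterId>1000001</filterId>
</item>
</filters></wfpdiag>"""


def _local(tag):
    """Drop an XML namespace prefix such as '{ns}item'."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with the given local name, or None."""
    if elem is None:
        return None
    return next((c for c in elem if _local(c.tag) == name), None)


def _text(elem, name):
    child = _child(elem, name)
    return (child.text or "").strip() if child is not None else ""


def parse_blocked(log_text):
    """Filter ID of every blocked row; trailing columns are read from the end."""
    ids = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 4 or not row[-1].strip().lower().startswith("block"):
            continue
        fid = row[-3].strip().lstrip("#")
        if fid.isdigit():
            ids.append(int(fid))
    return ids


def load_filters(xml_text):
    """Map filter ID -> name, provider, layer and action from the dump."""
    filters = {}
    for item in ET.fromstring(xml_text).iter():
        # Condition entries are also <item>; only filters carry a <filterId>.
        fid = _text(item, "filterId")
        if _local(item.tag) != "item" or not fid.isdigit():
            continue
        filters[int(fid)] = {
            "name": _text(_child(item, "displayData"), "name"),
            "provider": _text(item, "providerKey"),
            "layer": _text(item, "layerKey"),
            "action": _text(_child(item, "action"), "type"),
        }
    return filters


def attribute_blocks(log_text, xml_text, own_marker="simplewall"):
    """Per blocking filter: hit count and whether it is own, foreign or unresolved."""
    filters = load_filters(xml_text)
    report = []
    for fid, hits in Counter(parse_blocked(log_text)).most_common():
        info = filters.get(fid)
        if info is None:
            owner = "unresolved"  # ID not in the dump, e.g. filter since removed
        elif own_marker.lower() in info["name"].lower():
            owner = "own"
        else:
            owner = "foreign"
        report.append({"filter_id": fid, "hits": hits, "owner": owner, **(info or {})})
    return report
```

On a real system, pass the contents of simplewall.log and of the filters.xml written by `netsh wfp show filters`; take the dump while the problem is occurring, because filter IDs change when filters are re-created.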

@uscq

uscq commented Nov 27, 2022

After I tried the same thing with the Windows Defender Firewall, the Mobile hotspot still gets stuck obtaining an IP address. It seems to be some deeper problem that does not relate to Simplewall.

Adding %SystemRoot%\System32\alg.exe to your whitelist may help.

@symonxdd

It's interesting to not see this feature implemented by default into Windows... The mobile hotspot is a great feature already, why not add some simple Allowlist-feature hmm

@tokariu

tokariu commented Feb 11, 2023

> It's interesting to not see this feature implemented by default into Windows... The mobile hotspot is a great feature already, why not add some simple Allowlist-feature hmm

Indeed, but I disagree with the second; the old ad-hoc wifi mode that was available in every windows version prior to windows10 was far superior to hotspot mode. And simplewall worked fine with it.

since hotspot mode everything seems to be f* up with simplewall.

@EndroEndro

Solution for hotspot to work you need to add (for win 10 at least):

Network Connectivity Assistant: This service helps with the setup and management of network connections on your device, including connections to mobile hotspots. The main library file for this service is ncasvc.dll.

Remote Access Connection Manager: This service manages remote access connections, including connections to mobile hotspots. The main library file for this service is rasman.dll.

Remote Access Auto Connection Manager: This service automatically connects to a remote access server (such as a mobile hotspot) when it becomes available. The main library file for this service is rasautou.dll.

Internet Connection Sharing (ICS): This service enables internet sharing for network connections, including connections to mobile hotspots. The main library file for this service is sharedaccess.dll.

Network Location Awareness (NLA): This service detects and reports changes in the network environment, including changes to mobile hotspot connections. The main library file for this service is netprofm.dll.

Network List Service: This service provides information about the networks that are available on your device, including mobile hotspots. The main library file for this service is nlasvc.dll.

WLAN AutoConfig: This service configures and manages wireless network connections, including connections to mobile hotspots. The main library file for this service is wlansvc.dll.

[image]

and those are my rules:

[image]

make sure to restart if there is a connection to the device but no internet access. More screens:

nothing more needed
[image]

@symonxdd

> Solution for hotspot to work you need to add (for win 10 at least):
>
> Network Connectivity Assistant: This service helps with the setup and management of network connections on your device, including connections to mobile hotspots. The main library file for this service is ncasvc.dll.
>
> Remote Access Connection Manager: This service manages remote access connections, including connections to mobile hotspots. The main library file for this service is rasman.dll.
>
> Remote Access Auto Connection Manager: This service automatically connects to a remote access server (such as a mobile hotspot) when it becomes available. The main library file for this service is rasautou.dll.
>
> Internet Connection Sharing (ICS): This service enables internet sharing for network connections, including connections to mobile hotspots. The main library file for this service is sharedaccess.dll.
>
> Network Location Awareness (NLA): This service detects and reports changes in the network environment, including changes to mobile hotspot connections. The main library file for this service is netprofm.dll.
>
> Network List Service: This service provides information about the networks that are available on your device, including mobile hotspots. The main library file for this service is nlasvc.dll.
>
> WLAN AutoConfig: This service configures and manages wireless network connections, including connections to mobile hotspots. The main library file for this service is wlansvc.dll.
>
> [image]
>
> and those are my rules:
>
> [image]
>
> make sure to restart if there is a connection to the device but no internet access. More screens:
>
> nothing more needed [image]

Are you able to block certain sites (blocklist) on the connected device?

@taqiudind

> Solution for hotspot to work you need to add (for win 10 at least):
>
> Network Connectivity Assistant: This service helps with the setup and management of network connections on your device, including connections to mobile hotspots. The main library file for this service is ncasvc.dll.
>
> Remote Access Connection Manager: This service manages remote access connections, including connections to mobile hotspots. The main library file for this service is rasman.dll.
>
> Remote Access Auto Connection Manager: This service automatically connects to a remote access server (such as a mobile hotspot) when it becomes available. The main library file for this service is rasautou.dll.
>
> Internet Connection Sharing (ICS): This service enables internet sharing for network connections, including connections to mobile hotspots. The main library file for this service is sharedaccess.dll.
>
> Network Location Awareness (NLA): This service detects and reports changes in the network environment, including changes to mobile hotspot connections. The main library file for this service is netprofm.dll.
>
> Network List Service: This service provides information about the networks that are available on your device, including mobile hotspots. The main library file for this service is nlasvc.dll.
>
> WLAN AutoConfig: This service configures and manages wireless network connections, including connections to mobile hotspots. The main library file for this service is wlansvc.dll.
>
> [image]
>
> and those are my rules:
>
> [image]
>
> make sure to restart if there is a connection to the device but no internet access. More screens:
>
> nothing more needed [image]

I tried this method yesterday and it worked. But after restarting my computer, my wifi hotspot went back to "no internet access". I tried this method again several times, and it still does not work. I wonder why also.....

@EndroEndro

Yes, I noticed that after some restart it will not work, while I was trying to check "block certain sites". The issue is in auto config and I did not find a solution. The best that I can recommend is to hibernate the PC and not shut it down for now, as I'm sure hibernate works fine.

@taqiudind

> Yes, I noticed that after some restart it will not work, while I was trying to check "block certain sites". The issue is in auto config and I did not find a solution. The best that I can recommend is to hibernate the PC and not shut it down for now, as I'm sure hibernate works fine.

How can I make it work again? It's okay if I need to do that per shutdown anyway :"

@henrypp henrypp closed this as completed Mar 21, 2023
@Evertonlps

Evertonlps commented Apr 2, 2023

> Custom Rules ICS ingoing and outgoing for all or ip range. Custom Rules ICS ingoing and outgoing for all or ip range and add wpn, wlan and upnphost in rule.
[Screenshot (4)]

[Screenshot (1)]
[Screenshot (2)]

@ghost

ghost commented May 1, 2023

has anyone been able to fix this? It's a pity that in order to use this software, I have to completely give up the mobile hotspot function of windows.

@henrypp henrypp mentioned this issue May 22, 2023
@tokariu

tokariu commented May 29, 2023

I heavily suggest to re-open this issue again, because it is actually NOT fixed.

The mentioned "solutions" or "workarounds" here and there are all not sufficiently working for different reasons.

Some solutions seem to work only one-time and never work again if trying to reproduce.
other workarounds mentioned, didn't work at all for many reporting users.

and the most basic point is, you can't seriously say any of these tinkersome, most-of-the-time-not-working workarounds are a solution to the problem.

I'd assume the issue gets only closed, if the hotspot functionality works out of the box with simplewall or at least with a single checkbox to allow/disallow hotspot traffic, everything else is just a cheap and dirty, out of sight out of mind -solution.

@I3ordo

I3ordo commented Sep 9, 2023

so thats it? mmkay..

@OmarKSH

OmarKSH commented Jan 29, 2024

So I found a workaround that works but has to be done every time the PC is restarted: simply disable or enable windows firewall (if your firewall is disabled, just re-enable it then disable it again). This should make the internet connection work.
