
Devices within the LAN cannot access the network service running in WSL. #10714

Closed
1 of 2 tasks
Kutius opened this issue Nov 5, 2023 · 16 comments

Kutius commented Nov 5, 2023

Windows Version

Microsoft Windows [Version 10.0.22631.2506]

WSL Version

2.0.7.0

Are you using WSL 1 or WSL 2?

  • WSL 2
  • WSL 1

Kernel Version

5.15.133.1

Distro Version

Ubuntu 22.04

Other Software

node v20.9.0

Repro Steps

  1. Run the script with node:
const http = require('http');

const server = http.createServer((req, res) => {
  res.statusCode = 200;
  res.setHeader('Content-Type', 'text/plain');
  res.end('Hello, World!\n');
});
const port = 3001;
server.listen(port, () => {
  console.log(`Server is running on port ${port}`);
});

  2. At this point, I'm trying to access the service from a device on the same LAN (my phone) by visiting 192.168.6.288:3001. The IP is the Windows LAN IP. I get no response.

By the way, accessing localhost:3001 in the computer's browser yields a response.
If I run the script in Windows, the LAN device can access it.

Expected Behavior

Device in LAN can access

Actual Behavior

No response

Diagnostic Logs

.wslconfig:

[experimental]
autoMemoryReclaim=gradual
networkingMode=mirrored
dnsTunneling=true
firewall=true
autoProxy=true
sparseVhd=true

Kutius commented Nov 5, 2023

@CatalinFetoiu Here is a detailed issue.

@Canowyrms

AFAIK, networkingMode=mirrored, dnsTunneling=true, and firewall=true, aren't available on Win10 (maybe autoProxy=true as well, not sure).

> by visiting 192.168.6.288:3001 [...] no response. [...] Accessing localhost:3001 in the computer's browser yields a response.

I think WSL resolves localhost to its IPv6 address ([::1]) by default, and that the web server is binding to it, hence why http://localhost/ works but http://127.0.0.1/ (and http://192.168.6.288/) does not. I'm experiencing similar behaviour. You can use PowerShell in Windows to see which IP address the web server binds to:

PS> netstat -ano | findstr ":80"
  TCP    [::1]:80               [::]:0                 LISTENING       17668

If you want your web server on IPv4 (i.e. 127.0.0.1 locally; 192.168.6.288 on the LAN), pass it 127.0.0.1 instead of localhost. Or, if you don't mind typing out an IPv6 address, find your computer's IPv6 address (you can find it by running ipconfig in Windows) and have your LAN devices use that to connect (ex: http://[2604:3d09:8676:f900::52c7]/; keep the brackets).
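
As an added example (not part of the comment above or of the WSL project), this script classifies `netstat -ano` listeners by bind address, which is the check the comment describes: a loopback-only listener explains a working localhost and an unreachable LAN address, while an all-interfaces listener that is still unreachable points past the socket to a firewall layer. The sample rows, PIDs and function names are constructed for illustration.

```javascript
// Constructed sample in `netstat -ano` layout (not captured from a real host).
const SAMPLE = [
  '  TCP    [::1]:80               [::]:0                 LISTENING       17668',
  '  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       4120',
  '  TCP    0.0.0.0:3001           0.0.0.0:0              LISTENING       9012',
  '  TCP    [::]:3001              [::]:0                 LISTENING       9012',
  '  TCP    192.168.6.228:8443     0.0.0.0:0              LISTENING       5208',
  '  TCP    127.0.0.1:5000         127.0.0.1:61234        ESTABLISHED     4120',
  '  UDP    0.0.0.0:5353           *:*                                    2100',
].join('\n');

// Who can reach a socket bound to this local address?
function scopeOf(addr) {
  if (addr === '0.0.0.0' || addr === '::') return 'all-interfaces';
  if (addr === '::1' || /^127(\.\d{1,3}){3}$/.test(addr)) return 'loopback-only';
  return 'single-address';
}

// Parse TCP LISTENING rows; IPv6 local addresses are bracketed, e.g. [::1]:80.
function parseListeners(text) {
  const listeners = [];
  for (const line of text.split(/\r?\n/)) {
    const f = line.trim().split(/\s+/);
    // TCP rows have 5 columns; UDP rows have no State column and are skipped.
    if (f.length !== 5 || f[0] !== 'TCP' || f[3] !== 'LISTENING') continue;
    const m = /^(?:\[([^\]]+)\]|([\d.]+)):(\d+)$/.exec(f[1]);
    if (!m) continue;
    const address = (m[1] || m[2]).split('%')[0]; // drop an IPv6 zone id
    listeners.push({ address, port: Number(m[3]), pid: Number(f[4]), scope: scopeOf(address) });
  }
  return listeners;
}

// Widest scope among the listeners on a port, or 'not-listening'.
function diagnose(text, port) {
  const scopes = parseListeners(text).filter((l) => l.port === port).map((l) => l.scope);
  if (scopes.length === 0) return 'not-listening';
  if (scopes.includes('all-interfaces')) return 'all-interfaces';
  return scopes.includes('single-address') ? 'single-address' : 'loopback-only';
}

for (const l of parseListeners(SAMPLE)) {
  console.log(`${l.address} port ${l.port} pid ${l.pid}: ${l.scope}`);
}
```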


ghost commented Nov 7, 2023

If your objection pertains to dual-mode sockets, that is a separate issue. Here I think you're referring to the fact that the relay is only binding to localhost on the host. That is by design.

Edit: Let me double check.

ghost closed this as completed Nov 7, 2023
ghost reopened this Nov 8, 2023

aki-k commented Nov 8, 2023

@pmartincic Is there some issue with 'networkingMode=mirrored' and using

netsh interface portproxy add v4tov4 listenaddress=windows_host_ip listenport=3001 connectaddress=localhost connectport=3001

to create a port forward from the Windows host into the WSL 2 instance?


ghost commented Nov 8, 2023

@aki-k, it should, except given limitations of the way mirrored works you might have to use two different port numbers.

ghost closed this as completed Nov 8, 2023

Kutius commented Nov 8, 2023

@pmartincic I'm sorry for my poor expression. Here is the context of this issue #10597 (comment)

I just wonder if the devices can access the service which is hosted in WSL

@CatalinFetoiu
Collaborator

@Kutius did you set up Hyper-V firewall to allow inbound traffic to port 3001? If not, can you please try running the following command in an admin PowerShell window, then try the scenario again?

New-NetFirewallHyperVRule -DisplayName "allow port 3001 inbound" -Direction Inbound -LocalPorts 3001 -Action Allow


Kutius commented Nov 9, 2023

@CatalinFetoiu Yes, the same as in the previous issue. Once I typed the command, the LAN device could access 192.168.6.228:3001 immediately.
But in Windows, no matter which port I use, the LAN always has access.
And I have tried it: if I remove the rule, the LAN device loses access shortly afterwards.

PS: The service in WSL keeps running throughout.


aki-k commented Nov 9, 2023

@pmartincic Why did you close this issue with no solution?


aki-k commented Nov 9, 2023

@Kutius I couldn't understand your previous message. Do you mean that this command

New-NetFirewallHyperVRule -DisplayName "allow port 3001 inbound" -Direction Inbound -LocalPorts 3001 -Action Allow

fixed your problem accessing the WSL 2 instance's service running on port 3001 from your other LAN devices?


Kutius commented Nov 9, 2023

@aki-k Yes. If I create a hyperRule explicitly, the LAN can access it now.
But I am in doubt about 'Should hyper firewall be synced to Windows firewall?'
You can see this #10597 (comment)
I think if the Windows firewall allows 3001 inbound, WSL2 should maybe allow it too.


Kutius commented Nov 9, 2023

@Canowyrms With netstat -ano | findstr ":80", I can't get a result for port 80. Actually, I'm not sure whether this is really a bug or it is by design.


aki-k commented Nov 9, 2023

@Kutius

> But I am in doubt about 'Should hyper firewall be synced to Windows firewall?'

I didn't even know that WSL 2 was using some other firewall than the Windows Defender Firewall.

I don't use the setting 'networkingMode=mirrored', but I allow access from the WSL 2 instance (from the private IPv4 networks) to the Windows host in Windows Defender Firewall.


Kutius commented Nov 9, 2023

@aki-k I haven't learned about WSL2 networking previously. I use WSL2 just because this version has the mirrored networking feature.

Prior to this version, did WSL2 use a different network segment internally than Windows? So development in WSL2 used to require port forwarding.


aki-k commented Nov 9, 2023

@Kutius

> Prior to this version, did WSL2 use a different network segment internally than Windows?

It chose a randomly allocated IPv4 private network address for the WSL 2 instance.

There's a huge GitHub issue about it, how to set the WSL 2 instance IPv4 address statically:

#4210

@CatalinFetoiu
Collaborator

@Kutius I was not too clear about the relation between Windows firewall rules and Hyper-V firewall rules.
Only Windows firewall rules that reference IP addresses, ports and protocols will be automatically converted to Hyper-V firewall rules. But if the rule references things like application names - for example allow application X to receive inbound traffic on port Y, those rules won't be converted to Hyper-V firewall rules.

You can try the following scenario:

  1. Add a Windows firewall rule that allows inbound TCP traffic to port 6000:

     New-NetFirewallRule -DisplayName "allow port 6000 inbound" -Direction Inbound -LocalPort 6000 -Action Allow -Protocol TCP

  2. Start your process in WSL on TCP port 6000.
  3. Access your WSL process from the LAN, on port 6000.

This issue was closed.