emusic
Enthusiast

Windows 7 firewall blocks VMNAT service

Hello!

I use Workstation 8.0.4 under Windows 7 SP1 x64. Initially, all worked fine but later I decided to switch Windows Firewall to block all network access by default, to enable it individually for particular services/applications. Trying to access the Internet from Windows guests (VMs are configured to use NAT), I noticed that there is no access (even domain name resolution does not work).

Enabling firewall failure auditing, I see that VMNAT service is blocked from sending UDP packets to port 53 (domain name resolution):

The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID:          1808
Application Name:     \device\harddiskvolume1\windows\syswow64\vmnat.exe

Network Information:
Direction:          Outbound
Source Address:          192.168.1.65
Source Port:          57648
Destination Address:     192.168.1.1
Destination Port:          53
Protocol:          17

Of course, source ports are different in each case.

I have added an outbound rule for "VMware NAT service", enabling UDP access to port 53 but the firewall continued to block it, generating the same failure events. I changed protocol and port to "any" but nothing changes. I have added two additional rules, mentioning VMNAT by its process name: one for c:\windows\syswow64\vmnat.exe and another for \device\harddiskvolume1\windows\syswow64\vmnat.exe. The firewall still blocks the access.

Access is allowed only if I enable it for all services. I tried to make similar rules (with all "any") for all VMware services but no success.

Trying to use other access ways from a guest (for example, telnet with an IP address), I see that the firewall blocks VMNAT's TCP connections to the appropriate ports. Only by enabling these protocol/port (or "any") for all services can I make these connections successful.

All other network applications work fine after I added the appropriate rules.

Why could this happen? Is it a Windows firewall bug or a specific VMNAT behavior? How can I enable network access for VMNAT only, not for all running services?

0 Kudos
10 Replies
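The post above diagnoses the block from "Filtering Platform Connection" failure audits (Security log event 5157). As an added example that is not part of the thread, the PowerShell below parses that event text into objects and summarises which image was blocked, in which direction and on which protocol/port, collapsing the per-attempt source ports the poster mentions. It is written for the PowerShell 2.0 that ships with Windows 7; the two messages are constructed to mirror the quoted event, and the \device\harddiskvolume1 = C: mapping is an assumption that has to be checked on the real host.

```powershell
# Added example (not from the thread). On a real host replace $SampleMessages with
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5157} -MaxEvents 500 |
#       ForEach-Object { $_.Message }
# after enabling failure auditing for the subcategory:
#   auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
$SampleMessages = @(
@"
The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID:          1808
Application Name:     \device\harddiskvolume1\windows\syswow64\vmnat.exe

Network Information:
Direction:          Outbound
Source Address:          192.168.1.65
Source Port:          57648
Destination Address:     192.168.1.1
Destination Port:          53
Protocol:          17
"@,
@"
The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID:          1808
Application Name:     \device\harddiskvolume1\windows\syswow64\vmnat.exe

Network Information:
Direction:          Outbound
Source Address:          192.168.1.65
Source Port:          57651
Destination Address:     203.0.113.10
Destination Port:          80
Protocol:          6
"@
)

# IANA protocol numbers as they appear in the "Protocol:" field of the event.
$ProtocolNames = @{ 1 = 'ICMP'; 6 = 'TCP'; 17 = 'UDP' }

function ConvertFrom-WfpBlockMessage {
    param([Parameter(Mandatory=$true)][string]$Message)

    # Every "Label:   value" line becomes one entry; section headers such as
    # "Network Information:" carry no value and do not match the regex.
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z ]+?):\s+(\S.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $proto = [int]$fields['Protocol']
    $protoName = $ProtocolNames[$proto]
    if (-not $protoName) { $protoName = "IP-$proto" }

    # The event records the NT device path; firewall rules take the Win32 path.
    # ASSUMPTION for this sample: \device\harddiskvolume1 is C:. Confirm the real
    # mapping with "fltmc volumes" before relying on the Win32Path value.
    $ntPath  = $fields['Application Name']
    $winPath = $ntPath -replace '^\\device\\harddiskvolume1\\', 'C:\'

    New-Object PSObject -Property @{
        ProcessId          = [int]$fields['Process ID']
        NtPath             = $ntPath
        Win32Path          = $winPath
        Direction          = $fields['Direction']
        SourceAddress      = $fields['Source Address']
        SourcePort         = [int]$fields['Source Port']
        DestinationAddress = $fields['Destination Address']
        DestinationPort    = [int]$fields['Destination Port']
        Protocol           = $protoName
    }
}

function Get-WfpBlockSummary {
    param([Parameter(Mandatory=$true)][string[]]$Messages)
    # Group on image, direction, protocol and destination port; the ephemeral
    # source port differs per attempt and is deliberately left out of the key.
    $Messages |
        ForEach-Object { ConvertFrom-WfpBlockMessage -Message $_ } |
        Group-Object -Property Win32Path, Direction, Protocol, DestinationPort |
        ForEach-Object {
            New-Object PSObject -Property @{
                Count           = $_.Count
                Win32Path       = $_.Group[0].Win32Path
                Direction       = $_.Group[0].Direction
                Protocol        = $_.Group[0].Protocol
                DestinationPort = $_.Group[0].DestinationPort
            }
        } | Sort-Object -Property Count -Descending
}

Get-WfpBlockSummary -Messages $SampleMessages |
    Format-Table Count, Win32Path, Direction, Protocol, DestinationPort -AutoSize
```

Running the summary before and after a rule change gives a quick check that the new rule actually stopped the audit failures for the image in question, rather than for everything.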
continuum
Immortal

add rules for the IP that is used by the NAT-service - that is

Destination Address:     192.168.1.2

Do you need support with a recovery problem ? - send a message via skype "sanbarrow"
0 Kudos
emusic
Enthusiast

Of course, I understand that I could add a rule for particular source/destination ports but I must add such rule for all programs/services, not only for VMNAT. But I want to have rules specifically for VMNAT, not for all running services. I want to keep all applications/services blocked from network access by default and enable only some of them, explicitly.

Since I have added several rules specifically for VMNAT (both as a service name and as a process path), covering all source/destination addresses and all protocols/ports (all restrictions have been set to "any") but Windows Firewall still blocks VMNAT, it is definitely a strange situation. So it may be a bug in the Windows Firewall, or VMNAT uses some strange network access methods that prevent Windows Firewall from applying proper rules to the VMNAT process.

0 Kudos
continuum
Immortal

Not sure if you understood what I had in mind ...

If x.y.z.0 is the network you assign for vmnet8 then you need to set rules for x.y.z.1 AND x.y.z.2
The NAT service needs both IPs

0 Kudos
emusic
Enthusiast

Really, I don't understand what you mean. As I wrote in my first message, outbound/inbound rules I have created for VMNAT have no restrictions at all. In other words, these rules should allow VMNAT to access any IP node, from any interface, with any protocol and any from/to ports. But Windows Firewall still blocks VMNAT and creates audit events about blocked UDP packets to port 53, TCP packets to port 80 etc.

You suggested creating more strict rules, specifying only particular IP addresses instead of any possible. How could they help in my situation, while less strict rules don't work? Or is it a known bug in Windows Firewall, where rules with specific IP addresses are applied normally while rules containing no address restrictions are not applied due to the bug?

0 Kudos
emusic
Enthusiast

Excuse me, but could you please explain your suggestion? How could a more strict rule work where a less strict one does not?

0 Kudos
continuum
Immortal

I do not have any suggestions for firewall rules - I just wanted to tell you that the NAT-service needs two IP-addresses

0 Kudos
emusic
Enthusiast

Definitely, I know that. When I used Workstation on XP, I had the TDI_FW firewall. Enabling all incoming TCP/UDP operations from/to any IP address for the vmnat.exe process, I had no problems. But under Win7, the same rules don't work for the VMNAT service for an unknown reason.

I tried to install FileZilla Server, which installs a service that implements an FTP server engine. When I created an inbound rule allowing the FileZilla service to accept TCP connections, Windows Firewall still blocked it, but when I changed the rule's subject from the service to the "C:\program files (x86)\filezilla server\filezilla server.exe" process, the firewall stopped blocking it and the FTP server became accessible. But when I created outbound rules for VMNAT (as a service, as the "c:\windows\syswow64\vmnat.exe" process and as the "\device\harddiskvolume1\windows\syswow64\vmnat.exe" process), they didn't help.

Where can I get help for this problem? If it is a wrong place here, could you please point me to a right place to ask?

0 Kudos
WoodyZ
Immortal

Where can I get help for this problem? If it is a wrong place here, could you please point me to a right place to ask?

I personally have no Firewall issues using VMware Workstation 8.0.4 under Windows 7 and have no problem with a Guest configured for NAT and accessing the Internet/Network through the Windows Firewall, so IMO if one is having an issue with the Windows Firewall then Microsoft is where one should be looking for answers to Windows Firewall issues.

0 Kudos
emusic
Enthusiast

Is your firewall configured by default? If yes, it does not block outgoing connections at all (all outgoing connections are allowed by default and require no special rules) and only incoming connections require rules creation.

My firewall is configured to block all connections by default so explicit rules are needed to allow particular processes and services to access the network.

Definitely, if the problem was related to all (or many) processes/services, I should look at Microsoft sites. But the problem is related to VMNAT only. I have dozens of network applications, have created outbound/inbound rules for them, and they all are working fine. The Windows Update service stopped working after I switched the firewall to the "block all by default" mode. I have created an outbound rule for the "Windows Update" service and now it works fine. In the previous message, I mentioned that I tested the FileZilla FTP service and it didn't work until I created a rule for it; after that, it worked fine.

Why could VMNAT behavior be different from other applications/services? Is it a normal user-mode process that initiates network operations using Windows Sockets or DeviceIoControl requests to a transport driver? Maybe it uses a special technique that could confuse the firewall?

0 Kudos
emusic
Enthusiast

Just solved the problem. Entering the image path in the "This program" field, I didn't check the "Services" dialog that still had the "Apply to this service" mode. If I change the mode to "Apply to all programs and services" or "Apply to services only" and specify the image path in "This program", Windows Firewall stops blocking VMNAT as expected.

I thought that the "Services" dialog selections are superfluous when the image path is specified in "This program", but recalled that the same image can be run as a plain process and as a service at the same time. For that, the selection features present are right and allow specifying all possible process startup modes.

But it is definitely strange why Windows Firewall cannot identify the VMNAT service if it is selected in the service list (and by the short name too). BTW, there is at least one more service like VMNAT - FileZilla FTP Server. I tried to install it to check Windows Firewall and when I configured a rule, selecting "FileZilla FTP Server" from the service list, Windows Firewall still blocked it. To unblock, switching to the image path was required.

Maybe it is related to 32/64-bit folder substitution? Both VMNAT and FileZilla are 32-bit processes.

0 Kudos
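The fix in the last post is a rule scoped to the vmnat.exe image with the Services selection left at "Apply to all programs and services". As an added example that is not part of the thread, the script below creates that rule from an elevated prompt with netsh, which is what Windows 7 offers on the command line (the NetSecurity cmdlets such as New-NetFirewallRule only arrived with Windows 8 / Server 2012). The rule name is made up here; the SysWOW64 path is the one quoted in the thread and should be adjusted if Workstation was installed elsewhere.

```powershell
# Added example (not from the thread): outbound allow rule for vmnat.exe, scoped
# to the image rather than to the service entry, created with netsh advfirewall.
$RuleName = 'VMware NAT service (vmnat.exe)'          # arbitrary name chosen here
$Program  = 'C:\Windows\SysWOW64\vmnat.exe'           # path quoted in the thread

if (-not (Test-Path -Path $Program)) {
    throw "vmnat.exe not found at $Program - check the Workstation install path"
}

# Drop an earlier rule of the same name so repeated runs do not pile up duplicates
# (netsh prints 'No rules match the specified criteria' when none exists; harmless).
netsh advfirewall firewall delete rule name="$RuleName" dir=out | Out-Null

# No "service=" keyword is given. In netsh that keyword is the command-line form of
# "Apply to this service", the selection that kept the rule from matching in the
# thread; leaving it out yields "Apply to all programs and services", so the rule
# matches vmnat.exe however it is started. protocol/port stay at any because the NAT
# service forwards whatever the guests send; restrict them (e.g. protocol=udp
# remoteport=53) if the guests only need name resolution.
netsh advfirewall firewall add rule name="$RuleName" dir=out action=allow `
    program="$Program" enable=yes profile=any
if ($LASTEXITCODE -ne 0) {
    throw "netsh failed to add the rule (exit code $LASTEXITCODE)"
}

# Verify what was stored: the verbose listing shows the Program the rule is bound to
# and whether any Service restriction is attached to it.
netsh advfirewall firewall show rule name="$RuleName" verbose
```

With the rule in place, a fresh look at the 5157 failure audits should show no further outbound blocks for vmnat.exe while every other image stays under the default block, which is the least-privilege outcome the thread was after.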