MacOS – How to open two ports (both TCP / UDP) using pf

firewallmacosvmwarewindows

I own a MacBook pro (Retina, 15-inch, Early 2013), running macOS Sierra 10.12.2 as host computer and VMware Fusion Pro Version 8.5.3 with Windows 10 and Linux as guests OS's. So my question is how do I open the two ports 1338 (TCP and UDP) and 1340 (TCP and UDP) in my case using my Windows guest OS. Both ports have to reachable from the internet. The whole network is attached to a Linksys X3000 router which connects to the internet.

I have Murus lite, but I must confess that I don't know how to efficiently use it, even I can also buy the pro version anyway.

Best Answer

You have two options here: a very simple one and second one which requires a lot of work because unlike Parallels VMware Fusion doesn't provide a NAT & port forwarding interface.

Neither requires Murus or pf.

Bridged Mode

Instead of connecting the Windows 10 VM in NAT-mode use the Bridge Mode and choose - depending on the connection of the OS X host - either the Wi-Fi or Ethernet interface. In Bridge Mode your VM acts as a separate host in your main network.

If your main network has the network address 192.168.0.0/24, the router 192.168.0.1 and your OS X host something in the range 192.168.0.2-192.168.0.254 then you have to configure the Windows VM with a static but unique IP (e.g. 192.168.0.10) in the same range. This is done in the System Preferences of the VM! All other settings (Netmask/Gateway/DNS) there are identical to the settings of the OS X host. I also recommend to set the Mac to a fixed IP (e.g. 192.168.0.2)

In the Windows 10 guest also configure the Firewall and open port 1338 and 1340 to the world.

Now connect to your Linksys X3000 router and configure port-forwarding:
- Navigate to the port forwarding section.
- Click the Applications & Gaming link.
- Click the Single Port Forwarding button to forward ports.
- Create two port forward entries. In the To IP Address box you have to enter the IP of the Windows 10 host!
```
Application Name    External Port   Internal Port   Protocol    To IP Address   Enabled
1338server                   1338            1338       both     192.168.0.10       yes
1340server                   1340            1340       both     192.168.0.10       yes
```
- Save the settings
I don't have access to Linkysys router so I can't provide screenshot and can only guess how it looks like.
NAT-Mode (which in fact is a double-NAT: first your router and then the VMware NAT)

Some basic knowledge of the CLI is required here.

To get port forwarding working in VMware you have to modify several files, set up port forwarding twice - on the router and in VMware - and add a route to the NAT'ed VMware network on the router.
- Modify .../vmnet8/dhcpd.conf in Terminal.app:
  
  Open in VMware the configuration of the Windows 10 host and make a note of the MAC address of the network interface (e.g. 00:0C:29:04:D7:33)
  
  cat the file /Library/Preferences/VMware\ Fusion/vmnet8/dhcpd.conf and check the range (that's the dhcp-range e.g. 172.16.106.129 172.16.106.254) and other used addresses (e.g. option routers 172.16.106.2).
  
  Edit dhcpd.conf
```
sudo nano /Library/Preferences/VMware\ Fusion/vmnet8/dhcpd.conf
```
  After the line “####### VMNET DHCP Configuration. End of "DO NOT MODIFY SECTION" #######” enter the following lines with the MAC-address found earlier and an unused IP-address:
```
host Windows10 {
hardware ethernet 00:0C:29:04:D7:33;
fixed-address 172.16.106.56;
}
```
- Modify .../vmnet8/nat.conf in Terminal.app to enable port-forwarding:
```
sudo nano /Library/Preferences/VMware\ Fusion/vmnet8/nat.conf
```
  in the part [incomingtcp] add
```
1338 = 172.16.106.56:1338
1340 = 172.16.106.56:1340
```
  in the part [incomingudp] add
```
1338 = 172.16.106.56:1338
1340 = 172.16.106.56:1340
```
- Relaunch VMware Fusion
- get the IP of your Mac connected to the router with ifconfig (e.g. 192.168.0.2)
- Access your router
- add port-forwarding like in Bridge Mode but to the IP entered in dhcpd.conf:
```
Application Name    External Port   Internal Port   Protocol    To IP Address   Enabled
1338server                   1338            1338       both     172.16.106.56      yes
1340server                   1340            1340       both     172.16.106.56      yes
```
- add a static route to the 172.16.106.0/24 vmnet8 network:
```
Route Name: vmnet8
Destination LAN IP: 172.16.106.0
Subnet Mask: 255.255.255.0
Gateway: 192.168.0.2 #the IP of your Mac's interface connected to the router (either Wi-Fi or Ethernet) you got by entering `ifconfig`.
```
- Save the settings
- Launch your Windows 10 VM and configure the firewall (see Bridge Mode)
- Launch your "services" on port 1338 and 1340.
- Done!
Make a backup of the files nat.conf and dhcpd.conf before updating VMware Fusion because they will probably be replaced.

In my answer I assume that pf isn't running or if it is enabled then with the default pf.conf. You can check whether the firewall is running or not by entering sudo pfctl -s all | grep Status. If it is enabled open Murus Lite and check the state of the firewall. If you see a yellow light in the upper right corner it's running with the default Apple rules (which don't block anything). If you get a green light you've enabled the packet filter with the default Murus pf settings and you either have to open the ports 1338 and 1340 for incoming traffic on your Mac's interface connected to the router (e.g. en0) or uninstall the (Murus) boot scripts (Firewall > Boot Scripts > Uninstall Boot Scripts ...) and stop pf (or reboot). Removing or uninstalling Murus (Light) is not required.

Without modifying the two config files of VMware you won't be able to "open" or "redirect" ports with Murus (Lite) to a guest VM because the VMware NAT behavior can't be controlled by pf.

Best Answer

Related Solutions

Settings for Firewall and AirPort Extreme Router to Open a Port

Windows – “System Builder” Windows on VMWare Fusion

Related Question