Author Topic: Firewall stopping screen mirroring to Roku - can't define new Friends IP address  (Read 6365 times)


Offline DavidGB

  • Jr. Member
  • Posts: 38
Was a time I was good and knowledgeable about internet stuff - disability and brain-fogging medications mean I now can't remember most of what I used to know or think clearly, so while I think I have a specific question, I'm going to start with the problem and what I think I've slowly figured out in case I'm actually onto the wrong thing and somebody can see that ...

I have a windows 10 laptop (1903) and also a Roku Express connected to my TV: almost all the time I use the Roku separately from the laptop for NOW TV and Amazon Prime on the TV, but very rarely I want to use the Miracast screen mirroring to put my laptop display on the TV via the Roku (the TV itself does DLNA, so I can use it as a media renderer for media servers on the laptop, but not directly to mirror the screen).

Last time I used screen mirroring from the laptop to the Roku a few months ago (via the Connect button in the Action Centre) it worked fine; now it isn't working - the connection starts to connect, then stops before the laptop screen would appear on the TV, and I get a failure to connect message from the laptop.

Took me far too long and too much looking in the wrong places (thinking it might be the W10 1809-1903 update) before finally remembering last time, when it worked, I was using Comodo Internet Security, whereas now I'm using Avast Premier. And after stumbling blindly around I finally found the Firewall logs, switched the filter to just show block events, and indeed found blocks coinciding with each failed attempt to Connect with the Roku for Miracast screen mirroring. (Note: I CAN stream media to the Roku, which is DLNA and uses a different standard, addresses, ports etc; and I can also Miracast screen mirror my Android phone to the Roku just fine; I just can't Miracast screen mirror the laptop to the Roku).

Every attempt to Connect to the Roku produces Firewall logged blocks of inbound connections from 172.29.243.225 to 172.29.243.226, TCP In by C:\Windows\System32\WUDFHost.exe blocked because of rule 'Public Tcp/Udp In Block'.

After further fumbling around trying to look up things I used to know but have forgotten, I have reminded myself that the address range 172.16.0.0 - 172.31.255.255 is reserved as private addresses in a network, like 192.168.0.0 - 192.168.255.255. The Miracast casting from the laptop to the Roku is using addresses in that range for the communications - this is on my private home network, and the Firewall profile is set to Private. However, digging through the Avast 'old settings' to find the 'Friends' settings page that describes what addresses are to be counted as Friends/private by the Avast Firewall, while the 192.168.0.0 - 192.168.255.255 addresses are defined as friends, the 172.16.0.0 - 172.31.255.255 range is not. So the Avast Firewall thinks they are from a public address outside the private network and is blocking them according to the predefined rule that shows in the logs.

Unfortunately I have no idea how - or if it is even possible - to switch the Miracast connecting between Laptop and Roku to using the 192.168.0.0 - 192.168.255.255 range. The solution, clearly, is to add the range 172.16.0.0 - 172.31.255.255 as another 'Friend'. But, on the Avast Friends page, although it appears one can add new 'Friends' IP ranges, and when I click under the last one it highlights the empty boxes ready to enter a new definition, it refuses to accept any input - can't paste, can't type. (And that rule causing the blocking can't be switched off, either - not that I would want it generally turned off anyway.)

Does anyone know what is wrong, and how I can add the 172.16.0.0 - 172.31.255.255 range - which is defined as reserved as a private network in the main internet specs, just like localhost and 192.168.0.0 - 192.168.255.255 which ARE in the Avast Firewall Friends list - as a Friend in Avast? Or can anyone see a flaw in my reasoning as to what the actual problem and solution is?

Oh, and I should mention that if - but only if - I turn the Avast Firewall (only) off, then the laptop immediately starts being able to connect to and screen mirror on the Roku; so it IS the Avast Firewall giving the trouble.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 76037
    • >>> Avast Forum - German-language area <<<
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast useful information (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline DavidGB

  • Jr. Member
  • Posts: 38
Hi Asyn,

I had searched the forum for 'Roku', found that thread and tried that solution last night (along with other things) before posting here. Last night it didn't work. Tried it again today and it did.

BUT ..

Not happy with that as a solution - it grants sweeping permissions that should not be necessary, opening whole classes of attack vectors that should not be necessary.

I am still concerned about two things with the Avast Firewall as it is supplied and in this version.

Avast's rather infantilising language about 'Friends' confused me at first, but I have eventually understood that in the context of the Avast Firewall and networks 'Friends' are Private Networks, and what IP address ranges will be identified as belonging to equipment on private networks by the firewall.

As per the RFCx, IANA (the Internet Assigned Numbers Authority) has reserved certain IP address ranges for private networks, one of which is 192.168.0.0 - 192.168.255.255, which is why most home networks mostly use addresses in that range for the router, laptop, wifi phone etc on that home network, and is why (when switched to private profile) the Avast Firewall knows to use the Private rules on any traffic between e.g. my laptop and my phone - and there's no problem streaming media to the Roku by the DLNA protocol, because that goes via the router in the private network established by the router, in which the Roku, like the laptop and phone, have 192.168 addresses. The Avast 'Friends' (really is a silly terminology) page in the old settings shows that all IP addresses in the 192.168.0.0 - 192.168.255.255 range are defined as Private to the Firewall. As is the Loopback address.

BUT, there are other address ranges defined by IANA for Private use, one of which is 172.16.0.0 - 172.31.255.255. Miracast Screen mirroring does NOT use the router network: it is WiFi Direct where the PC and the Roku create a separate ad hoc network directly between themselves, and on THAT separate network they have separate, different IP addresses, not the 192.168.0 addresses they have on the router network, and they use IP addresses, just for the WiFi direct screen mirroring, in the 172.16.0.0 - 172.31.255.255 address range ... which SHOULD be considered Private too as per the RFCs. But that definition is not there on the Old Settings Friends page. So the Firewall, allowing the packets to go out from the laptop, was blocking the returning packets from the Roku because it thinks they are coming from somewhere public, causing the connection to fail.

So there are TWO actual issues with the Avast Firewall, requiring the workaround you posted, which while it does appear to work at least sometimes, involves an unnecessarily large granting of permissions.

1) The Firewall should be supplied with the 172.16.0.0 - 172.31.255.255 range defined as a 'Friend' just like the 192.168.0.0 - 192.168.255.255 range is. This is an omission in Avast as supplied.

And

2) While the Old Settings Friends page actually says at the top 'Here you can define your "friend" networks', actually you can't because the line to enter a new definition refuses to accept input - neither left nor right clicking produces a cursor, and typing or pasting does not work. This is a bug.

Plus, the WiFi Direct network IS a network, and I can see two entries in the Avast 'List of network profiles' that I'm pretty sure are two past ad hoc WiFi Direct networks with the Roku; they both have red crosses on them and may well be from back when I was using Comodo, like other old networks that show up with red crosses there, and Avast is in no way showing the newly created WiFi ad hoc network current attempts as a new network I could set as Private, when they ARE new networks because they are WiFi Direct networks, not my Home router network.

There's all kinds of wrong here in the way the Avast Firewall is working (or not), and broad scattergun workarounds that open things that don't need to be and shouldn't be open are not the proper answer. The Avast Firewall needs fixing.

OK, now I think I've actually got this fairly clear, I should probably raise this as a bug report ticket rather than a forum discussion. Thanks, you've actually helped nudge my brain into a clearer view of the issue.

Offline DavidGB

  • Jr. Member
  • Posts: 38
I started this thread, so for the sake of completeness for anyone searching on these issues later I'm just going to add the last part of what I discovered while investigating the issue ... which is actually pretty bad for anyone wanting to use the Windows 10 Miracast ability, whether to screen mirror to a Roku or anything else. This Firewall REALLY needs sorting out by Avast in this area.

This is for information for anyone interested (which anyone who has followed the advice given to me up thread really should be, given what I've now found) - I have contacted Avast Technical Support about the issues.

To précis what has come so far up above:

Media streaming from e.g. WMP or VLC to a compatible TV or box like a Roku uses DLNA, and THAT uses the normal router network, and almost all of those use one particular one of the sets of IP addresses reserved for use in private networks. Provided you've set up your home router provided network properly, connected the PC and the TV or box to it, and told Avast Firewall it is a private network when you connected the PC to it, Avast's Firewall copes with that kind of streaming without issue. The Avast Firewall decides what IP packets are allowed into the PC based on the IP address they came from: if (profile set to Private) they come from a device with an IP address in one of the ranges defined as 'Friends' in the list you can see by going to Settings>General>Troubleshooting and clicking the 'Open old Settings' link at the bottom, then in the new screen that opens navigate through Components>Firewall Customize>Friends, then the IP packet is allowed in, otherwise (with the default settings) it is blocked. As the replies from TV or box to PC during DLNA streaming use the router supplied addresses, and almost all routers use addresses in the 192.168.1.x range that is defined in Avast as a 'Friend', there's no problem with DLNA media streaming from a media server on the PC to DLNA supporting TV or box as renderer.

Using the Connect in the Action Centre on a Windows 10 (or, I think 8 ... I went from Windows 7 to 10) to mirror the PC screen on a TV (directly, if the TV supports it, or via a box like the Roku) is completely different. It uses Miracast, not DLNA, and Miracast does not use the router based network. It will even work if you turn off the router - or don't have a router network at all. With Miracast an ad hoc WiFi Direct mini network is (or is supposed to be) set up directly between the PC and the Miracast supporting box like the Roku, or a TV directly if the TV supports Miracast itself (mine supports DLNA but not Miracast, so I have to screen mirror via the Roku) when, but only when, the Connect button is pushed and until you press disconnect - this ad hoc Wi-Fi Direct network is NOT on all the time like the router network. And in the ad hoc Wi-Fi Direct network just between PC and box or TV, they are given different IP addresses to the addresses they have in the router network; and CRUCIALLY in the Windows 10 Miracast those addresses are NOT in the 192.168.1.x range but instead in the 172.16.0.0 - 172.31.255.255 range, which is perfectly legitimate as that is another range reserved by the IETF and IANA for use in Private networks, just like the 192.168.x.x range. BUT as supplied by Avast, only the loopback (internal communications between applications within the PC but using the Internet Protocols) and the 192.168.1.x ranges are in the Friends list, NOT the 172.16.0.0 - 172.31.255.255 range or even the rest of the 192.168.x.x range other than the 192.168.1s.

So, with default settings, what happens is:

You press the Connect button in the Action Centre, and the PC tries to establish a Miracast Wi-Fi Direct network with the box or TV. But the Avast Firewall does NOT treat this as joining a network, so there is no popup to let you set it as a private network. The Firewall allows the IP packets out from the PC through the connection to the box and TV, but the replies, with an originating IP not in the Friend list, are treated as Public and blocked by one of the default packet rules (that you cannot turn off). So the connection, the Wi-Fi Direct ad hoc network and the screen mirroring fails.

So that is two strikes by the Avast firewall: it doesn't treat the Miracast ad hoc direct network AS a network, so the user is presented no option to tell Avast it is private (which would let it connect both ways and work); and the default Friends table installed with the Firewall does not contain all - or even most - of the IP ranges that are reserved for and may be used by private networks, including the addresses used by Windows 10 Miracast, whereas if it DID contain the other private ranges again the Miracast would work as the Firewall would apply the private rather than public rules and allow the return IP packets through.

Then one finds the 3rd strike, which is that although the Friends page in the old settings says you can add your own rules, so could add the range used by Miracast, in fact it does not accept any input so you can't.

And then it just gets worse. There IS a configuration option you can change that allows the Miracast to work ... while opening a hole in the firewall defence that presents a vulnerability to a known attack vector that has been used by real malware! The setting is daft in two ways, as well as dangerous. The setting is the 'Internet Connection Sharing mode'. Turn it on, and the Miracast screen mirroring suddenly works. But...

Daftness 1: This setting exists in two places. One is in the Settings>General>Troubleshooting>Open old settings (small print link at the bottom of the page)> Components> firewall customise>Policies page. Seriously? A new user wants to use the PC screen mirroring (or screen extending) Connect button in the W10 Action Centre that always worked before installing any Avast version that has the firewall, and he/she is supposed to find that there? And the second place for the same setting is Settings>Click Search, type ALL of 'geek:area' (the link doesn't appear until you've typed the final a, and it is case sensitive, so not Geek:Area)>click the 'Avast Geek>Secret tech cave of advanced...' link that appears under the search box, then scroll way, way down (maybe 3/4 the way down) to find the cluster of Firewall settings, and there it is. Now, I mean, how is the average user supposed to find that setting in either place to switch it on, just to get their screen mirroring to TV, Roku etc working again? This is NUTS.

Daftness 2: How is someone supposed to realise that 'Internet Connection Sharing mode' is what you need to turn on to get screen mirroring working? Miracast screen mirroring is not Internet Connection Sharing. Windows actually has its OWN setting for 'Internet Connection sharing' called exactly that, and it has nothing to do with the Action Centre Connect button Miracast screen mirroring. The Miracast screen mirroring works when the Windows "Internet Connection Sharing" is turned OFF. How is a user supposed to realise they need to turn an option on in Avast Firewall when the same option is OFF in Windows itself on the PC? But with it off in Windows, it was turning that on in one of those hidden places in Avast that finally let the Miracast screen mirroring to the Roku work.

And then there's the dangerous bit. There's the why it works. As well as using particular IP addresses for the PC and box or TV in the ad hoc Wi-Fi direct network it tries to create, the Windows Miracast specification specifies the use of a particular port - it sets aside port 7236 in the PC for all the incoming Miracast communication through WUDFHost.exe AKA the snappily titled 'Windows Driver Foundation - User-mode Driver Framework Host Process'. Setting 'Internet Connection Sharing mode' in Avast is actually to allow the PC to be used to connect other devices to the internet rather than connecting them to a router, so it is to use the PC as the router for other devices. And those other devices might need to receive and communicate with the PC about all sorts of stuff - music streams, video streams of various kinds, all sorts. So setting that option sets new rules in the Avast firewall to open all sorts of things needed for internet connection sharing with the PC acting as router to incoming traffic, including opening port 7236 for incoming traffic for the 'Windows Driver Foundation - User-mode Driver Framework Host Process', so the Miracast screen mirroring now works. BUT that port is not the only one it opens - it opens other ports to incoming packets relating to Apple streaming, rtsp streaming and other video streaming (amongst other things), and when I went through looking up all the ports it opens to incoming traffic, a bunch of them (not the Miracast or Apple streaming ones) have been used by numerous trojan type malware.

So, the one suggestion to get the Miracast screen sharing working with the Avast firewall is not only to turn on an option without any apparent connection to the Miracast screen Mirroring, and where the matching option in Windows itself may well be turned off; and not only is buried in two very obscure places in settings, so no average user is going to even find the setting, or from the name think it is anything to do with it if they do: but the option also quite unnecessarily (for getting the screen mirroring working) opens a whole bunch of ports to incoming traffic, just to get the one needed port open, many of which have historically been used by real malicious trojan type malware. That option is like using a sledgehammer to crack a walnut, and like the sledgehammer may cause actual ancillary damage.

The ACTUAL solution, with Avast Firewall as it is, is to find out the IP address and port the Miracast screen mirroring uses, then find 'Windows Driver Foundation - User-mode Driver Framework Host Process' in the Application Rules, then open the Packet Rule interface and for that application create a custom 'IN' packet rule for the one port number it actually needs open.

And the average user who may have been using Action Centre Connect button Miracast screen mirroring from their Windows PC to their TV or Roku with no trouble for years while using another Firewall, like me with the Comodo Firewall until a couple of weeks ago, is supposed to know enough to figure this out?

This is shocking. And if the Firewall was supplied with a Friends table that included all the Private IP address ranges - or just all the main ones - NONE of this would have been an issue. It would just have connected, as it would have considered the packets from the Roku as being 'private' and friendly and let them in. Or if it treated ad Hoc Wi-Fi Direct network creation appropriately and let the user just click a pop-up option to set it to 'Private' when one is created: again, no big issue, just one obvious click for the user.

And fix the Friends table input so users CAN enter new IP addresses and ranges if they have a need to (and can find it). The heading of the table SAYS the user can add their own rules, for pity's sake.

Oh well - this has given me a prod to stir my brain to sluggish activity for the first time in around 11 years, and got me to re-learn a little bit of all the internet techie stuff I used to know in the nineties and early noughties. I guess that's something.
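The two posts above describe the same decision twice: an inbound packet is classed Private or Public by its source address against the 'Friends' list, Public TCP/UDP inbound is blocked by a fixed rule, and the fix is either to add the missing RFC 1918 range to Friends or to add one narrow IN packet rule for WUDFHost.exe rather than switching on the broad 'Internet Connection Sharing mode'. The Python model below is an added illustration of that logic and is not Avast's code or a description of its internals. The source and destination addresses and the process name are taken from the logged block event in the thread, port 7236 from the description of Miracast above (the log excerpt itself does not show a port), and the extra ports in the ICS-style rule set are constructed placeholders, not the ports that mode really opens.

```python
import ipaddress
from dataclasses import dataclass

# Ranges IANA reserves for private networks (RFC 1918), plus loopback.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Friends list as the thread describes the shipped default: loopback and 192.168.x.x only.
DEFAULT_FRIENDS = [LOOPBACK, ipaddress.ip_network("192.168.0.0/16")]
# The list the thread argues should ship: loopback plus every RFC 1918 range.
FULL_FRIENDS = [LOOPBACK] + RFC1918


@dataclass(frozen=True)
class Packet:
    src: str       # source address
    dst: str       # destination address (the PC)
    proto: str     # "TCP" or "UDP"
    dport: int     # destination port on the PC
    process: str   # receiving process, as the firewall log names it


@dataclass(frozen=True)
class AppRule:
    """Inbound allow rule for one process: protocol plus the ports it may receive on."""
    process: str
    proto: str
    ports: frozenset


def is_friend(addr: str, friends) -> bool:
    """True if the address falls inside any Friends (private) range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in friends)


def missing_private_ranges(friends) -> list:
    """RFC 1918 ranges not covered by Friends, i.e. private sources that will be treated as Public."""
    return [str(net) for net in RFC1918 if not any(net.subnet_of(f) for f in friends)]


def decide(pkt: Packet, friends, app_rules=()) -> tuple:
    """Classify an inbound packet the way the thread describes the Private-profile firewall:
    a source in Friends is Private and passes; any other source is Public and passes only if an
    application packet rule permits that process/protocol/port; otherwise it is blocked."""
    if is_friend(pkt.src, friends):
        return ("allow", "Private: source in Friends list")
    for rule in app_rules:
        if rule.process == pkt.process and rule.proto == pkt.proto and pkt.dport in rule.ports:
            return ("allow", f"app rule: {rule.process} {rule.proto} in port {pkt.dport}")
    return ("block", "Public Tcp/Udp In Block")


# The block event from the thread's log; 7236 is the Miracast port the thread names.
MIRACAST_CONNECT = Packet("172.29.243.225", "172.29.243.226", "TCP", 7236, "WUDFHost.exe")

# Constructed inbound packet to an unrelated port on the same process; 5000 is a placeholder,
# used only to show what a wider rule set lets through that the narrow rule does not.
PROBE = Packet("172.29.243.225", "172.29.243.226", "TCP", 5000, "WUDFHost.exe")

# The narrow fix from the thread: one IN rule, one port, one process.
NARROW_RULE = AppRule("WUDFHost.exe", "TCP", frozenset({7236}))

# Stand-in for 'Internet Connection Sharing mode': the thread says it opens 7236 plus many other
# inbound ports. The extra ports here are constructed placeholders, not the real list.
ICS_MODE_RULES = [AppRule("WUDFHost.exe", "TCP", frozenset({7236, 5000, 5001}))]


def compare() -> dict:
    """Verdicts for the Miracast return packet and the probe under each configuration."""
    return {
        "default friends":        decide(MIRACAST_CONNECT, DEFAULT_FRIENDS)[0],
        "all RFC1918 as friends": decide(MIRACAST_CONNECT, FULL_FRIENDS)[0],
        "narrow rule, miracast":  decide(MIRACAST_CONNECT, DEFAULT_FRIENDS, [NARROW_RULE])[0],
        "narrow rule, probe":     decide(PROBE, DEFAULT_FRIENDS, [NARROW_RULE])[0],
        "ics-style rules, probe": decide(PROBE, DEFAULT_FRIENDS, ICS_MODE_RULES)[0],
    }


if __name__ == "__main__":
    print("private ranges missing from default Friends:", missing_private_ranges(DEFAULT_FRIENDS))
    for setting, verdict in compare().items():
        print(f"{setting:24} -> {verdict}")
```

Running it shows the three outcomes the thread walks through: with the shipped Friends list the Miracast return packet is blocked as Public, with 172.16.0.0/12 added it passes as Private, and a single port-7236 rule for WUDFHost.exe lets Miracast through while still blocking the constructed probe that the wider ICS-style rule set admits.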