Windows 10 WSL Can Run ROS, With Firewall Caveat

To win developer acceptance, Microsoft added WSL (Windows Subsystem for Linux) to 64-bit editions of Windows 10. The original iteration was only advertised to support common command-line utilities like ‘git‘ that perform relatively simple operations. However, the product has been evolving since its initial release and has become increasingly more functional to run more complex Linux software.

Could Windows 10 WSL run ROS? According to this thread on ROS Answers, it didn’t start out that way. But blocking bugs were found and fixed over past months, and now it’s possible to run ROS inside WSL. I tried this and found this to mostly work, with a minor caveat on networking.

When bringing a ROS software stack online, there is the concept of a “ROS Master”. This process listens on TCP port 11311 and serves to orchestrate communication with other ROS Nodes. Every ROS Node needs to talk to ROS Master at least once on startup. Which meant port 11311 is the one probed by researchers looking for unsecured ROS robots that were inadvertently connected to public internet.

The default network firewall on a Windows 10 computer is Microsoft’s own Windows Defender Firewall. It has a good default of ignoring all incoming traffic, unless an application explicitly asks to open up ports. At the moment this integration does not exist, so software inside WSL opening ports wouldn’t open up those same ports on Windows firewall. When running ROS in WSL, this means incoming traffic on port 11311 are blocked which results in the following:

  • ROS Master running in WSL is accessible to ROS Nodes running on the same computer, because traffic on the same computer is unaffected by firewall.
  • ROS Master running on another computer is accessible to ROS Nodes running in WSL, because outbound traffic is not blocked by firewall.
  • ROS Master running in WSL is NOT accessible to ROS Nodes running on another computer, because inbound traffic is blocked by firewall.

ERROR: Unable to communicate with master!

If a developer wishes to run networking-aware software inside WSL, we’d have to go into Windows Defender Firewall and manually add a permission for network access. Ideally we can set up a rule to allow port 11311 only when we’re running a ROS Master within WSL. But such fine-grained control is not available. For now, the only option is to open a port with no limitation. It sounds like some improvements are on the way, but even then it will still require explicit developer action.

To open port 11311, we need to first get to Windows Defender section within control panel and select “Advanced Settings”

Windows Defender security center

Then we can create a new “Inbound Rule” to allow traffic on 11311.

Windows Defender Firewall control panel

Since this is not a fine-grained control over port 11311 access, it’s not a good idea to leave this rule active at all times. For best practice, enable this rule only when running a ROS Master in WSL and only when that master needs to work with ROS Nodes running on other computers.




5 thoughts on “Windows 10 WSL Can Run ROS, With Firewall Caveat

  1. Hello, really interesting article. I am starting my journey on WSL, and I am facing problems with ROS networking. I have the feeling there are two distinct problems.

    1. Windows firewall is blocking the ROS communication, I have opened the 11311 port but does not seem enough and whichever command that should access the remote master wait indefinitely;
    2. If I disable the firewall ROS commands provide an output, but it’s: “ERROR: Unable to communicate with the master”.

    Do you have any suggestion?


    1. I agree you are encountering additional network communication issues, but there isn’t enough information here for me to guess what that might be. My suggestion is to examine Windows firewall logs for activity on port 11311. If found, the log entry should help you figure out what the next step would be. If there is nothing in the logs for port 11311, something other than Windows firewall is blocking traffic.


      1. Thank you for the replay. Following your instructions, I have examined the firewall logs, and I have realised ROS was trying to communicate through random ports around 5000. Therefore I have created a rule to open all the ports, not smart but functional. Now I can connect to remote master, but I am encountering a new problem. I can see with “rostopic list” all the topics, and when I publish a new topic, I can echo it. However, I can not “echo” all the topics published from the pc hosting the master. This problem usually happens when the ROS_IP is not set but this is not my case.


      2. I’ve had similar problems (could contact master, but some topics/nodes work and others do not) when computers on the same local network are unable to locate each other by name due to problems with name resolution. I never figured it out if it was a computer configuration problem or a network router problem, but it was definitely not a firewall problem. I worked around it by eliminating names and used IP addresses for all references. Not just ROS_IP but also ROS_MASTER_URI plus any ROS node parameters.


      3. Yes, I have noticed the same problem, the computer is not able to resolve names. For this reason, I have substituted all the names with IPs, before doing this I was neither able to contact the remote rosmaster using rostopic list. Anyway, now I am trying to test the configuration publishing a message directly from the terminal, but even if I can see the topic, I can not access the messages. I am giving up in using WSL it seems promising but there are yet too many issues.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s