Configure Static Packet Filters
Applies To: Windows 7, Windows Server 2008 R2
RRAS supports IP packet filtering, which specifies which types of traffic are allowed into and out of the RRAS server. The packet filtering feature is based on exceptions: you choose a default action for an interface and then list the packets that are exceptions to that action.
Important
We recommend that you enable either static packet filtering or Windows Firewall, but not both. Conflicts between two sets of filter rules can result in desired traffic being unexpectedly blocked.
You can set packet filters per interface and configure them to do one of the following:
Pass through all traffic except packets prohibited by filters.
Discard all traffic except packets allowed by filters.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To add a packet filter
Open the Routing and Remote Access MMC snap-in.
In the navigation pane, expand your RRAS server, expand either IPv4 or IPv6, and then click General.
In the details pane, right-click the interface to which you want to add a filter, and then click Properties.
On the General tab, click either Inbound Filters or Outbound Filters.
In the Inbound Filters or Outbound Filters dialog box, click New.
In the Add IP Filter dialog box, type the settings for the filter, and then click OK.
In Filter action, select the appropriate filter action, and then click OK.
Protocols and ports for packet filtering
The following table lists some of the common ports and protocols that you might want to allow, depending on your remote access configuration. Not all ports listed here are required for your remote access server. For example, if you are allowing only Layer Two Tunneling Protocol (L2TP), you would not configure a filter for Point-to-Point Tunneling Protocol (PPTP). Similarly, this table might not contain all of the ports that your network needs.
Ports used for protocols

Protocol | Port (or IP protocol number for GRE and ESP) | Used For
---|---|---
TCP | 25 | Simple Mail Transfer Protocol (SMTP)
TCP | 67 | Dynamic Host Configuration Protocol (DHCP) (if the remote access server uses an external DHCP server)
TCP | 80 | World Wide Web (HTTP)
TCP | 110 | Post Office Protocol, version 3 (POP3)
TCP | 443 | SSTP (HTTP over SSL)
TCP | 1701 | L2TP
TCP | 1723 | PPTP
TCP | 7250 | Network Access Quarantine Control (Remote Access Quarantine Client (RQC) messages from client computers)
UDP | 53 | Domain Name Service (DNS) (for name resolution of external Web sites)
UDP | 67 | DHCP (if the remote access server uses an external DHCP server)
UDP | 500 | Internet Protocol security (IPsec)
UDP | 1701 | L2TP
UDP | 1723 | PPTP
UDP | 4500 | IPsec with network address translation (NAT)
 | 47 | Generic Routing Encapsulation (GRE)
 | 50 | Encapsulating Security Payload (ESP) (for firewalls that use NAT traversal [NAT-T])

GRE (47) and ESP (50) are carried directly in IP and have no TCP or UDP port; the number is the IP protocol number you enter in the filter.
Note
To support Windows Update, you must allow traffic to travel inbound and outbound on TCP port 80 and UDP port 53. Depending on your network configuration, you might have to configure these filters on your remote access server, on your firewall, or both.
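As an added illustration that is not part of this page or of RRAS itself, the following Python model reproduces the per-interface exception semantics described above (pass all except listed, or discard all except listed), loads a constructed exception list for a server that accepts only L2TP/IPsec clients using entries from the table, and checks the Windows Update requirement from the note. Direction and protocol names, the `L2TP_ONLY` list and all packets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# The two filter actions offered per interface in the Inbound/Outbound Filters dialog.
PASS_ALL_EXCEPT = "pass_all_except"        # pass through all traffic except listed packets
DISCARD_ALL_EXCEPT = "discard_all_except"  # discard all traffic except listed packets

# IP protocol numbers: TCP and UDP carry ports, GRE and ESP do not.
IP_PROTO = {"TCP": 6, "UDP": 17, "GRE": 47, "ESP": 50}

@dataclass(frozen=True)
class Filter:
    direction: str              # "in" or "out" (RRAS keeps separate lists per direction)
    proto: str                  # "TCP", "UDP", "GRE" or "ESP"
    port: Optional[int] = None  # TCP/UDP port; None for port-less protocols (GRE, ESP)

@dataclass(frozen=True)
class Packet:
    direction: str
    ip_proto: int               # 6=TCP, 17=UDP, 47=GRE, 50=ESP
    port: Optional[int] = None

def matches(flt: Filter, pkt: Packet) -> bool:
    if flt.direction != pkt.direction or IP_PROTO[flt.proto] != pkt.ip_proto:
        return False
    # A port-less filter (GRE/ESP) matches on the IP protocol number alone.
    return flt.port is None or flt.port == pkt.port

def decide(pkt: Packet, action: str, filters) -> str:
    """Return 'pass' or 'discard' for one packet under one interface's filter action."""
    listed = any(matches(f, pkt) for f in filters)
    if action == DISCARD_ALL_EXCEPT:
        return "pass" if listed else "discard"
    return "discard" if listed else "pass"   # PASS_ALL_EXCEPT: listed packets are dropped

def both_ways(proto: str, port: Optional[int] = None):
    """Constructed helper: the same filter entry in both directions."""
    return [Filter("in", proto, port), Filter("out", proto, port)]

# Constructed exception list (assumption) for a server terminating only L2TP/IPsec:
# IPsec, IPsec NAT-T, L2TP and ESP from the table, plus the Windows Update entries.
L2TP_ONLY = (both_ways("UDP", 500) + both_ways("UDP", 4500) + both_ways("UDP", 1701)
             + both_ways("ESP") + both_ways("TCP", 80) + both_ways("UDP", 53))

def windows_update_allowed(action: str, filters) -> bool:
    """Checks the note above: TCP 80 and UDP 53 must pass inbound and outbound."""
    needed = [Packet(d, IP_PROTO[p], n)
              for d in ("in", "out") for p, n in (("TCP", 80), ("UDP", 53))]
    return all(decide(pkt, action, filters) == "pass" for pkt in needed)
```

With the L2TP-only list under "discard all except", a PPTP control packet (TCP 1723) or GRE packet is discarded while IKE (UDP 500) and ESP pass, which is the dependency the text describes between the VPN protocol you allow and the filters you need.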