[HELP] Setting up windows server 2025 firewall
Aim:
- allow only tailscale
- block everything else.
This should have been a simple procedure, but every time I try, no matter the priorities or sequence, it blocks everything. When I failed and asked AI, it gave me the following:
netsh advfirewall reset
New-NetFirewallRule -DisplayName "Allow All From Tailscale" `
-Direction Inbound -Action Allow `
-RemoteAddress 100.64.0.0/10
New-NetFirewallRule -DisplayName "Block All Public Inbound" `
-Direction Inbound -Action Block `
-RemoteAddress Any
This should work, but it does not. It blocks RDP also.
Does anyone have any pointers on how to set it up? Even an alternative firewall would do.
Debian/Ubuntu is so easy to set up, but it seems impossible for me to set up two simple rules in Windows Server 2025.
Comments
Not too sure about Tailscale specifically, but are you sure that you need that second rule? IIRC, the default behaviour is for all traffic to be blocked unless there’s an “allow” rule.
I'm not sure if your use case is the same as what I did a couple of years ago, but you can try this app: https://github.com/pylorak/TinyWall
In Windows Firewall, if a packet matches both a block and an allow rule, the block rule takes precedence. In your case, incoming RDP matches both, hence it is blocked.
I do it through the GUI rather than PowerShell, but on Windows Server 2022 the steps are:
Looking at the Powershell you've got, it doesn't appear to apply the rule to a specific component and that's probably why it isn't working.
I did it in the firewall settings by setting each zone (public, private, domain) to block all incoming traffic. There's a simple check box for that. Tailscale traffic will magically come through.
Reset the firewall and allow RDP.
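The comments above point at the same fix from three sides: make "block" the profile default instead of adding a catch-all Block rule (which beats the Allow rule for the same packet), and scope the Allow rule to a specific component such as the RDP port. The following is an added example, not code from the thread, that applies those points with the built-in NetSecurity cmdlets. The rule names, the port and the $TailscaleRange value are assumptions for this example; run it from an elevated session, ideally over Tailscale, so the session doing the change survives it.

```powershell
# Added example (not from the thread): lock inbound traffic to the Tailscale
# CGNAT range on Windows Server 2025 using profile defaults instead of a
# catch-all Block rule. Rule names, port and range are assumptions.

$TailscaleRange = '100.64.0.0/10'   # Tailscale CGNAT range, as in the OP's rule
$RdpPort        = 3389

# 1. Make "block" the default for inbound traffic on every profile. Anything
#    no Allow rule matches is then dropped, so no explicit "Block All" rule
#    is needed. An explicit Block rule wins over an Allow rule for the same
#    packet, which is why the OP's version blocked RDP.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow

# 2. Remove the catch-all Block rule if it was created earlier.
Get-NetFirewallRule -DisplayName 'Block All Public Inbound' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Allow RDP only from Tailscale peers. Scoping the rule to a protocol and
#    port is the "specific component" a commenter refers to above.
if (-not (Get-NetFirewallRule -DisplayName 'Allow RDP From Tailscale' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Allow RDP From Tailscale' `
        -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $RdpPort `
        -RemoteAddress $TailscaleRange `
        -Profile Any
}

# 4. Disable the built-in "Remote Desktop" rules, which allow 3389 from any
#    address; otherwise they would still open RDP to the public side.
#    Leave them enabled if RDP must also remain reachable on a LAN.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Disable-NetFirewallRule

# 5. Verify: list every enabled inbound Allow rule with its remote address
#    scope, so any rule still open to "Any" stands out.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = $addr }
    } | Sort-Object Rule | Format-Table -AutoSize
```

The verification step at the end is the part worth keeping around: after any change, an inbound Allow rule whose RemoteAddress column reads "Any" is a rule that still accepts traffic from the public interface, regardless of what the Tailscale-scoped rule does.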
I greatly appreciate all the responses. I have learnt a lot during the process following the pointers in different posts.
It was solved accidentally when I typed the Tailscale IP instead of the Tailscale DNS name. It seems Tailscale DNS does not go through the firewall (I think it sends my real IP to the server, hence it does not allow me even though I have whitelisted the IP of the Tailscale).
But if I use the Tailscale IP of the server, the firewall gives access to all the ports.
I don't know the reason behind that, but since it is working, I left it at that.
I'm pretty sure if you tell the Tailscale Windows Client to accept DNS then the client will fix that for you in the firewall. I just had to set up RDP to only be available over Tailscale, tell the client to use the DNS configured on my Headscale instance and it all just worked.
You might also want to look into Tailscale ACLs so that only the devices you want are allowed inbound access to RDP, just in case someone manages to use one of your other servers to pivot and attack your RDP connection. It's very unlikely that'd happen, but it's also easy to configure and better to be safe than sorry.
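The name-versus-IP behaviour the OP describes, and the DNS point in the reply above, can be checked rather than guessed: a rule scoped to 100.64.0.0/10 only matches when the connection actually arrives from that range, so if the server name resolves to its public address instead of its 100.x address, the connection comes from outside the range and the rule cannot match. The following is an added client-side diagnostic, not code from the thread; the hostname is a placeholder and the port is assumed to be RDP.

```powershell
# Added example (not from the thread): check what a server name resolves to
# on this client and whether that address falls inside the range a
# Tailscale-scoped firewall rule allows. Hostname is a placeholder.

function Test-InTailscaleRange {
    param([Parameter(Mandatory)][string]$IPAddress)
    # 100.64.0.0/10 means the first 10 bits are fixed: 100.64.0.0 - 100.127.255.255.
    # In byte terms: first octet 100, second octet with top two bits 01.
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return (($b[0] -eq 100) -and (($b[1] -band 0xC0) -eq 0x40))
}

function Test-TailscaleReachability {
    param(
        [Parameter(Mandatory)][string]$HostName,   # placeholder, e.g. a MagicDNS name
        [int]$Port = 3389                          # assumed: RDP
    )
    $records = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }

    foreach ($rec in $records) {
        $addr    = $rec.IPAddress
        $inRange = Test-InTailscaleRange -IPAddress $addr
        # TCP probe of the port from this client; a closed result against a
        # public address is the expected outcome once the firewall is scoped.
        $probe   = Test-NetConnection -ComputerName $addr -Port $Port -WarningAction SilentlyContinue
        $note    = 'Public/LAN address: a rule scoped to 100.64.0.0/10 will not match'
        if ($inRange) { $note = 'Inside 100.64.0.0/10: the Tailscale-scoped rule applies' }

        [pscustomobject]@{
            Name        = $HostName
            Resolved    = $addr
            InTailscale = $inRange
            PortOpen    = $probe.TcpTestSucceeded
            Note        = $note
        }
    }
}

# Usage (hostname is a placeholder):
# Test-TailscaleReachability -HostName 'myserver.example-tailnet.ts.net' -Port 3389 |
#     Format-Table -AutoSize
```

If the Resolved column shows a public address, the client is not using Tailscale's DNS for that name, which is the situation the reply above addresses by letting the client accept DNS; if it shows a 100.x address but PortOpen is false, the problem is on the server's firewall side rather than in name resolution.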