Windows firewall blocking SSH to secondary subnet


You can create a custom rule that allows all inbound traffic from a certain subnet. Open Windows Firewall with Advanced Security (wf.msc). Right-click Inbound Rules, then choose Add Rule.

  1. On the Rule Type screen, choose Custom.
  2. On the Program screen, choose All programs.
  3. On the Protocol and Ports screen, leave the default values (any protocol).
  4. On the Scope screen, leave the local IP set to Any IP address. Set the remote IP to These IP addresses. Click the Add button. In the This IP address or subnet field, type 192.168.0.0/24 to allow in all traffic from the two subnets. Click OK. Caution: This may expose the machine to attacks from other computers on the network. If possible, set more specific port/program rules.
  5. On the Action screen, choose Allow the connection.
  6. On the Profile screen, check the boxes corresponding to the profiles on which the rule should be active.
  7. On the Name screen, enter an appropriate name and description (if you like), then click Finish to apply the rule.

Alternatively, you can use netstat or TCPView to figure out what specific connections are made, then create more specific firewall rules for those.
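The same rule can be created from an elevated PowerShell prompt with the NetSecurity module cmdlets instead of clicking through wf.msc. The following is an added example and is not part of the original answer; the rule display names, the PuTTY install path and the profile selection are assumptions, while the 192.168.0.0/24 scope is the one the answer and comments settled on.

```powershell
# Added example (not from the original answer): equivalent of the seven wizard
# steps above, plus the checks raised in the comments. Run as Administrator.

# Step 4 of the wizard: remote scope covering both /25 subnets from the question.
$LanSubnet = "192.168.0.0/24"

# Steps 1-3, 5-7: custom rule, all programs, any protocol, allow, named.
# -Profile is an assumption; pick the profile(s) the interface actually uses.
New-NetFirewallRule -DisplayName "Allow inbound from LAN $LanSubnet" `
    -Description "Custom rule: any program, any protocol, remote scope limited to the LAN" `
    -Direction Inbound `
    -Program Any `
    -Protocol Any `
    -LocalAddress Any `
    -RemoteAddress $LanSubnet `
    -Action Allow `
    -Profile Domain,Private `
    -Enabled True | Out-Null

# Tighter variant, as the answer's caution recommends: scope the allowance to the
# SSH client binary only. The path is an assumption; adjust to your PuTTY location.
$PuttyPath = "C:\Program Files\PuTTY\putty.exe"
if (Test-Path $PuttyPath) {
    New-NetFirewallRule -DisplayName "Allow PuTTY traffic from LAN $LanSubnet" `
        -Direction Inbound `
        -Program $PuttyPath `
        -Protocol Any `
        -RemoteAddress $LanSubnet `
        -Action Allow `
        -Profile Domain,Private `
        -Enabled True | Out-Null
}

# Check 1 (from the comments): which profile is the active interface actually on?
# A rule bound to Private does nothing if the NIC is classified as Public.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Check 2: confirm the scope really landed on the rule. Get-NetFirewallRule does not
# show addresses itself; the address filter object does.
Get-NetFirewallRule -DisplayName "Allow inbound from LAN $LanSubnet" |
    Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress

# Check 3: turn on logging of dropped packets on every profile so a block shows up
# in the log while you reproduce the failing SSH connection.
Set-NetFirewallProfile -All -LogBlocked True `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"
```

If the connection works only with the broad first rule and not with the program-scoped one, the traffic is not being attributed to putty.exe, and Check 3 plus a look at the log file will tell you which process and port are actually being dropped so the rule can be narrowed accordingly.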


Author: Misaz

Updated on September 18, 2022

Comments

  • Misaz
    Misaz over 1 year

    My network has 2 subnets /25 and a Linux server in each subnet. One of the subnets contains a Windows computer which is used for managing the Linux servers via SSH, but there is a problem with the firewall on this computer. The firewall allows communication within the same subnet but blocks communication into (or the response coming back from?) the second subnet.

    Network topology

    I have tried to set inbound and outgoing rules, allowing PuTTY by wizard in the main firewall control panel, and nothing has worked for me. Please tell me what I have done wrong or how to set it up correctly.

    I have tested that when the firewall is completely disabled, communication works.

    I have tested that Windows blocks all ports. I can't use FTP or Remote Desktop Protocol either.

    Wireshark shows black lines with TCP Retransmissions, TCP Spurious Retransmission and TCP Dup ACK. Between these lines are black ICMP redirects.

    • Misaz
      Misaz almost 8 years
      I enabled logging of DROPed packets in Windows firewall and no entry is written when the firewall blocks the communication.
    • Ben N
      Ben N almost 8 years
      Are you sure you applied the rules to the correct profile (i.e. private/public/domain)? What happens if you temporarily set inbound connections to be allowed by default?
    • Misaz
      Misaz almost 8 years
      Rules are set to all profiles. If I set allowing inbound connections by default, it works.
  • Misaz
    Misaz almost 8 years
    I set up the rule as you described and nothing changed. On imgur.com/4dyc5FD you can see this rule. (My Windows is in Czech; Jakýkoliv and Vše mean all, Povolit means allow, Ano means yes.) PuTTY says Network error: Software caused connection abort. After every change I am restarting the computer. There is a No value in the Overrides column. Every rule has this value set to No and I did not find how to change this value.
  • Ben N
    Ben N almost 8 years
    @Misaz Interesting. Do any other programs now work when connecting to that subnet? If so, this other question might help. Are there any Block entries in the list? Do you have any antivirus program that could be causing trouble?
  • Misaz
    Misaz almost 8 years
    No, I tested RDP and it is the same. There is just one rule blocking a Node.js server on the public profile. I added the Wireshark result to the question while trying to connect to the server. The output is the same for SSH and RDP.
  • Ben N
    Ben N almost 8 years
    @Misaz ICMP redirects can indicate less-than-ideal configuration. Are there other routers in play? Do the routers in between do any filtering? I'm also curious to see if anything happens if you change the firewall rule to 192.168.0.0/24. If not, does adding an identical outbound rule have an effect?
  • Misaz
    Misaz almost 8 years
    I changed 192.168.0.128/25 in the rule to 192.168.0.0/24 and that works! Thank you very much. The routers are just simple OpenWRT routers with the default firewall configuration.
  • Misaz
    Misaz almost 8 years
    Could you update the answer with more information about how the firewall can cause ICMP redirects?
  • Ben N
    Ben N almost 8 years
    @Misaz I don't believe Windows Firewall can cause ICMP redirects; that was just another thing to check on your network. I did update my answer to include what solved the problem.