Windows 7 Firewall Prevents Access from Foreign Subnet

By default, the Windows 7 firewall is configured so that it only accepts connections from subnets on which the system itself has at least one network interface. All other inbound connections are blocked. This becomes tricky as soon as your network has more than one subnet, for example when you are using a Virtual Private Network (VPN) setup. Picture this:

  • Your Windows 7 PC has the IP address 192.168.10.15 on the subnet 192.168.10.0/255.255.255.0.
  • You are connected to a router which has the IP address 192.168.10.1 on the same subnet.
  • The router is connected to the internet and allows foreign systems to access your network via a VPN whose subnet is 192.168.200.0/255.255.255.0.
  • Such a VPN client with IP address 192.168.200.10 is connecting to your network and tries to ping you at 192.168.10.15.

Without changing your Windows Firewall’s configuration the ping will not work. You are also not able to connect to the Windows 7 box via TCP or UDP. This affects File Sharing, Printer Sharing and all sorts of services you may have on your network (be it jukebox services or watching TV).
As described above, the root cause is that the Windows Firewall silently drops packets that do not come from a subnet for which a local network interface is active. In the example setup this is the case, as the requesting client at 192.168.200.10 is not part of the “local” subnet 192.168.10.0.

A forum post at Ubuntu described this problem and provides a brief solution: create a new inbound firewall rule on the Windows client (in our example, the system with the address 192.168.10.15).

  1. Open the “Control Panel”.
  2. Choose “Windows Firewall”.
  3. Select “Advanced Settings” from the left panel.
  4. On the left panel, choose “Inbound Rules”.
  5. On the right panel, which is labeled “Actions”, select “New Rule”.
  6. Choose “Custom” as type for your rule. Click Next.
  7. Keep “All Programs”. Click Next.
  8. Keep “All Protocols”. Click Next.
  9. On the step “Scope”, under “Remote IP address”, change the radio button to “These IP addresses” (“Any IP address” does not do the trick here) and add the foreign subnet to the list. In our example this would be “192.168.200.0/24”. Click Next.
  10. Keep “Accept Connection”. Click Next.
  11. Depending on your firewall’s configuration and the network profile your network is on (typically Private or Domain), keep the checkbox flagged. However, I surely would deselect “Public” here, as you might jeopardize your security settings in case you log your system on to a wireless network such as at an airport or a coffee shop. Click Next.
  12. On the final screen, enter a name for the rule, such as “Subnet x.x.x.x everything’s allowed”. This is just for your reference so that you know later what you did. Finally, click “Finish”.

Having done this, check whether you are now able to connect to your Windows 7 PC as expected.
Finally, a word of warning on this matter: what you just did is allow every external packet that claims to come from the foreign subnet to enter your system. The rule neither authenticates the sender in any way nor checks whether the source IP address has been forged. If your router is misconfigured or runs amok, this may open the gates for potential attackers. Therefore, it is a good idea to limit the access appropriately via the “Protocol” tab of your rule.
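As an added example (not from the original post or the Ubuntu forum thread), the same rule created from the command line with netsh advfirewall, which is available on Windows 7, followed by the narrowed per-protocol variant the warning above recommends. The rule names and the choice of ICMP echo plus TCP 445 for the narrowed rules are assumptions; adjust the ports to the services you actually expose.

```powershell
# Added example (not from the original post): the netsh advfirewall
# equivalent of the GUI steps above. Run from an elevated (Administrator)
# prompt on the Windows 7 box at 192.168.10.15. Rule names and the
# ICMP/port choices in the narrowed variant are assumptions.

$RemoteSubnet = "192.168.200.0/24"   # foreign VPN subnet from the example
$RuleProfiles = "private,domain"     # deliberately leaves out "public"

# Variant 1: what the twelve GUI steps produce. Every protocol and port from
# the whole foreign subnet is accepted; this is the rule the warning is about.
netsh advfirewall firewall add rule "name=VPN-Subnet-Everything" `
    dir=in action=allow enable=yes protocol=any `
    "remoteip=$RemoteSubnet" "profile=$RuleProfiles"

# Variant 2: the narrowed form the closing warning recommends. Same remote
# scope, but one rule per service that is actually needed.
# ICMPv4 type 8 (echo request) is enough for ping to work.
netsh advfirewall firewall add rule "name=VPN-Subnet-Ping" `
    dir=in action=allow enable=yes "protocol=icmpv4:8,any" `
    "remoteip=$RemoteSubnet" "profile=$RuleProfiles"

# TCP 445 (SMB) covers File and Printer Sharing; add further ports per service.
netsh advfirewall firewall add rule "name=VPN-Subnet-FileSharing" `
    dir=in action=allow enable=yes protocol=tcp localport=445 `
    "remoteip=$RemoteSubnet" "profile=$RuleProfiles"

# Check the result: RemoteIP and Profiles must show the intended scope.
netsh advfirewall firewall show rule "name=VPN-Subnet-Ping" verbose

# Once the narrow rules are confirmed to work, drop the broad one again.
netsh advfirewall firewall delete rule "name=VPN-Subnet-Everything"
```

The key=value arguments are quoted as a whole so that PowerShell does not split the comma-separated profile and ICMP values into separate arguments before handing them to netsh.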
