Understanding Local vs Remote IP Address Scope in Windows Server 2008 Firewall Rules for Virtualized Environments


In Windows Firewall with Advanced Security (WFAS), the Scope tab in rule properties defines network boundaries:

Local IP address: The interface(s) receiving the traffic (your server)
Remote IP address: The source(s) initiating the connection

For your physical host (public IP) + virtual machine (public IP) + private subnet (192.168.123.0/24) setup:

  • From VM's perspective: Physical host is "remote" when communicating via 192.168.123.0 subnet
  • From host's perspective: VM is "remote" on the same subnet

For domain communication (SMB example):

# PowerShell to create SMB rule (host perspective)
# Backtick at end of line is PowerShell's continuation character; without it each line is a separate command
New-NetFirewallRule -DisplayName "Allow Domain SMB" -Direction Inbound `
    -LocalPort 445 -Protocol TCP -Action Allow `
    -LocalAddress 192.168.123.1 -RemoteAddress 192.168.123.2

Common misconfigurations to check:

  1. Ensure bidirectional rules exist for all required ports (135, 445, 49152-65535)
  2. Verify subnet mask consistency (mismatched /24 vs /16 causes silent failures)
  3. Check interface binding order with netsh interface ipv4 show interfaces

When using virtualization-specific subnets:

Placement         Effect
Local IP field    Filters which NIC accepts the traffic
Remote IP field   Filters source VM/host addresses

For complex virtualization stacks (Hyper-V specific):

# Allow management traffic between host and VMs
$vSwitchIP = "192.168.123.1"
$vmSubnet = "192.168.123.0/24"

New-NetFirewallRule -Name "Hyper-V Management" -DisplayName "HV Host-VM Comm" `
    -Enabled True -Direction Inbound -Protocol TCP -Action Allow `
    -LocalAddress $vSwitchIP -RemoteAddress $vmSubnet `
    -LocalPort @("135","445","2179","5985")
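As an added example (not part of the answer above), the same host/VM scope expressed with netsh advfirewall, which is what Windows Server 2008 actually ships; the New-NetFirewallRule cmdlet used above belongs to the NetSecurity module and is only available from Windows Server 2012 / PowerShell 3.0 onward. The addresses (host 192.168.123.1, VM 192.168.123.2) and rule names are assumptions. The point it shows is that "local" and "remote" swap when you move from the host's rule set to the VM's:

```powershell
# Added example, not from the original answer. Server 2008 compatible: uses
# netsh advfirewall instead of the NetSecurity cmdlets.
$HostPrivateIP = "192.168.123.1"   # assumed host address on the private virtual subnet
$VmPrivateIP   = "192.168.123.2"   # assumed VM address on the same subnet
$SmbPort       = 445

# Host perspective (run on the physical host): "local" is the host's own NIC on
# the private subnet, "remote" is the VM that initiates the SMB connection.
# Rule names are kept free of spaces so netsh receives them as one token.
netsh advfirewall firewall add rule `
    name=DomainSMB-HostSide dir=in action=allow `
    protocol=TCP localport=$SmbPort `
    localip=$HostPrivateIP remoteip=$VmPrivateIP profile=domain

# VM perspective (run inside the VM): the roles swap. The VM's address is now
# "local" (the listener) and the host is "remote" (the initiator).
netsh advfirewall firewall add rule `
    name=DomainSMB-VMSide dir=in action=allow `
    protocol=TCP localport=$SmbPort `
    localip=$VmPrivateIP remoteip=$HostPrivateIP profile=domain

# Verify what was stored: the LocalIP and RemoteIP lines in the verbose output
# are the scope that will actually be enforced.
netsh advfirewall firewall show rule name=DomainSMB-HostSide verbose
```

Restricting profile=domain keeps the rule inactive if the private NIC is ever classified as Public, which is usually the safer failure mode for an SMB listener.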

In Windows Firewall with Advanced Security (WFAS), the distinction between local and remote IP addresses determines which endpoints initiate or receive traffic:

  • Local IP: The destination address where the firewall-protected service is listening
  • Remote IP: The source address of incoming connections

In your specific setup with:

Physical Host:
- Interface 1: Public IP (Inbound traffic gateway)
- Interface 2: 192.168.123.0/24 (Virtual subnet)

Virtual Machine:
- Connected to Interface 2 via 192.168.123.0/24

The routing behavior changes based on scope configuration:

Configuration                   Traffic Flow
192.168.123.0/24 in Local IP    Allows services on VM to accept connections from ANY remote IP
192.168.123.0/24 in Remote IP   Restricts which hosts can initiate connections TO the VM

For domain communication (SMB ports 445/TCP, 445/UDP):

# PowerShell to create rules
# Backtick at end of line continues the command on the next line
New-NetFirewallRule -DisplayName "Allow Domain SMB (Local Scope)" `
    -Direction Inbound -LocalAddress 192.168.123.0/24 `
    -Protocol TCP -LocalPort 445 -Action Allow

New-NetFirewallRule -DisplayName "Allow Domain SMB (Remote Scope)" `
    -Direction Inbound -RemoteAddress 192.168.123.0/24 `
    -Protocol TCP -LocalPort 445 -Action Allow

  • For bidirectional domain communication, configure both Local and Remote scopes
  • Virtual NICs may require explicit rules even for local subnet traffic
  • Always verify with Test-NetConnection after rule creation

  1. Verify network profile (Domain/Private/Public) matches expected behavior
  2. Check for conflicting rules with Get-NetFirewallRule | Where {$_.Enabled -eq "True"}
  3. Capture traffic with netsh trace start capture=yes when testing
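An added example (not from the answer above) of the "check for conflicting rules" step done properly: the Enabled filter alone lists every rule, so the script below joins each enabled inbound allow rule to its port and address filters and reports only the ones that open a domain port to any remote address, which is exactly the rule that silently overrides a scoped one. It needs the NetSecurity module (Windows Server 2012 / PowerShell 3.0 or later); the port list, subnet and peer address are assumptions.

```powershell
# Added example, not part of the original answer. Requires NetSecurity cmdlets
# (Windows Server 2012 / PowerShell 3.0+); Test-NetConnection needs 2012 R2+.
$DomainPorts   = @("135", "445", "5985")   # assumed ports of interest
$PeerAddress   = "192.168.123.1"           # assumed address of the other side (host, seen from the VM)

function Get-OverlyBroadInboundRule {
    # Returns enabled inbound Allow rules whose TCP LocalPort hits one of $Ports
    # while RemoteAddress is still "Any", i.e. the scope was never narrowed.
    param([string[]]$Ports)
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule       = $_
            $portFilter = $rule | Get-NetFirewallPortFilter
            $addrFilter = $rule | Get-NetFirewallAddressFilter
            # LocalPort may be a single string ("Any", "445") or an array of strings
            $portHit = @($portFilter.LocalPort) | Where-Object { $Ports -contains $_ }
            if ($portFilter.Protocol -eq "TCP" -and $portHit -and
                (@($addrFilter.RemoteAddress) -contains "Any")) {
                [PSCustomObject]@{
                    Name          = $rule.DisplayName
                    Profile       = $rule.Profile
                    LocalPort     = (@($portFilter.LocalPort) -join ",")
                    LocalAddress  = (@($addrFilter.LocalAddress) -join ",")
                    RemoteAddress = (@($addrFilter.RemoteAddress) -join ",")
                }
            }
        }
}

# Report rules that would make a scoped 192.168.123.0/24 rule irrelevant
Get-OverlyBroadInboundRule -Ports $DomainPorts | Format-Table -AutoSize

# Confirm the network profile the private NIC landed in; a "Public" result here
# explains a Domain-only rule that never matches
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Live check from this side: can we reach SMB on the peer through its rule?
Test-NetConnection -ComputerName $PeerAddress -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

If Get-OverlyBroadInboundRule prints anything for port 445, narrowing the new rule's Remote scope changes nothing until that broader rule is disabled or scoped too, since WFAS evaluates all matching allow rules rather than the most specific one.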