Understanding Local vs Remote IP Address Scope in Windows Server 2008 Firewall Rules for Virtualized Environments


In Windows Firewall with Advanced Security (WFAS), the Scope tab in rule properties defines network boundaries:

Local IP address: The interface(s) receiving the traffic (your server)
Remote IP address: The source(s) initiating the connection

For your physical host (public IP) + virtual machine (public IP) + private subnet (192.168.123.0/24) setup:

  • From VM's perspective: Physical host is "remote" when communicating via 192.168.123.0 subnet
  • From host's perspective: VM is "remote" on the same subnet

For domain communication (SMB example):

# PowerShell to create SMB rule (host perspective)
# Note: New-NetFirewallRule comes from the NetSecurity module (Windows 8 / Server 2012 and later);
# on Windows Server 2008 the same rule is created with "netsh advfirewall firewall add rule".
# Backticks continue the command across lines; without them each line is parsed separately.
New-NetFirewallRule -DisplayName "Allow Domain SMB" -Direction Inbound `
    -LocalPort 445 -Protocol TCP -Action Allow `
    -LocalAddress 192.168.123.1 -RemoteAddress 192.168.123.2

Common misconfigurations to check:

  1. Ensure bidirectional rules exist for all required ports (135, 445, 49152-65535)
  2. Verify subnet mask consistency (mismatched /24 vs /16 causes silent failures)
  3. Check interface binding order with netsh interface ipv4 show interfaces

When using virtualization-specific subnets:

| Placement       | Effect                                |
|-----------------|---------------------------------------|
| Local IP field  | Filters which NIC accepts the traffic |
| Remote IP field | Filters source VM/host addresses      |

For complex virtualization stacks (Hyper-V specific):

# Allow management traffic between host and VMs
# Ports: 135 = RPC endpoint mapper, 445 = SMB, 2179 = Hyper-V VMConnect, 5985 = WinRM (HTTP)
$vSwitchIP = "192.168.123.1"
$vmSubnet = "192.168.123.0/24"

New-NetFirewallRule -Name "Hyper-V Management" -DisplayName "HV Host-VM Comm" `
    -Enabled True -Direction Inbound -Protocol TCP -Action Allow `
    -LocalAddress $vSwitchIP -RemoteAddress $vmSubnet `
    -LocalPort @("135","445","2179","5985")

In Windows Firewall with Advanced Security (WFAS), the distinction between local and remote IP addresses determines which endpoints initiate or receive traffic:

  • Local IP: The destination address where the firewall-protected service is listening
  • Remote IP: The source address of incoming connections

In your specific setup with:

Physical Host:
- Interface 1: Public IP (Inbound traffic gateway)
- Interface 2: 192.168.123.0/24 (Virtual subnet)

Virtual Machine:
- Connected to Interface 2 via 192.168.123.0/24

The routing behavior changes based on scope configuration:

| Configuration                | Traffic Flow                                                  |
|------------------------------|---------------------------------------------------------------|
| 192.168.123.0/24 in Local IP  | Allows services on VM to accept connections from ANY remote IP |
| 192.168.123.0/24 in Remote IP | Restricts which hosts can initiate connections TO the VM       |

For domain communication (SMB ports 445/TCP, 445/UDP):

# PowerShell to create rules (NetSecurity module, Windows 8 / Server 2012 and later;
# use "netsh advfirewall firewall add rule" on Windows Server 2008)
# Local scope: only the 192.168.123.0/24 interface accepts the traffic, from any source
New-NetFirewallRule -DisplayName "Allow Domain SMB (Local Scope)" `
    -Direction Inbound -LocalAddress 192.168.123.0/24 `
    -Protocol TCP -LocalPort 445 -Action Allow

# Remote scope: any interface accepts the traffic, but only from 192.168.123.0/24 sources
New-NetFirewallRule -DisplayName "Allow Domain SMB (Remote Scope)" `
    -Direction Inbound -RemoteAddress 192.168.123.0/24 `
    -Protocol TCP -LocalPort 445 -Action Allow

  • For bidirectional domain communication, configure both Local and Remote scopes
  • Virtual NICs may require explicit rules even for local subnet traffic
  • Always verify with Test-NetConnection after rule creation

  1. Verify network profile (Domain/Private/Public) matches expected behavior
  2. Check for conflicting rules with Get-NetFirewallRule | Where {$_.Enabled -eq "True"}
  3. Capture traffic with netsh trace start capture=yes when testing
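As an added example (not part of either answer above), the following script audits the inbound Allow rules that expose the ports discussed here and reports their Local/Remote scope, flagging rules whose remote scope is "Any" rather than the 192.168.123.0/24 subnet. It assumes the NetSecurity module (Windows 8 / Server 2012 or later); the function name, variable names and the watched port list are choices made for this example.

```powershell
# Added audit example, not from the original answers.
# Assumes the NetSecurity module; on Server 2008 R2 the same data comes from
# "netsh advfirewall firewall show rule name=all verbose".
$TrustedSubnet = "192.168.123.0/24"            # constructed value matching the setup above
$WatchedPorts  = @("135", "445", "2179", "5985")

function Get-ScopeReport {
    param([string[]]$Ports, [string]$Subnet)

    # Only enabled inbound Allow rules can expose a listening service
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter

        # LocalPort may be "Any", one port, or an array of ports; normalise to an array.
        # A rule with LocalPort "Any" also exposes the watched ports, so keep it.
        $localPorts = @($port.LocalPort)
        $exposes = ($localPorts -contains "Any") -or
                   (@($localPorts | Where-Object { $Ports -contains $_ }).Count -gt 0)
        if (-not $exposes) { return }

        $remote = @($addr.RemoteAddress)
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Profile       = $rule.Profile
            LocalAddress  = (@($addr.LocalAddress) -join ",")
            RemoteAddress = ($remote -join ",")
            LocalPort     = ($localPorts -join ",")
            # "Any" in the remote scope means the port is reachable from every source,
            # including the public interface, not just from the VM subnet
            OverBroad     = ($remote -contains "Any")
            TrustedOnly   = ($remote.Count -eq 1) -and ($remote[0] -eq $Subnet)
        }
    }
}

Get-ScopeReport -Ports $WatchedPorts -Subnet $TrustedSubnet |
    Sort-Object OverBroad -Descending |
    Format-Table Name, Profile, LocalAddress, RemoteAddress, LocalPort, OverBroad, TrustedOnly -AutoSize
```

Run it on both the host and the VM: a rule that shows OverBroad = True on the host means the service is accepting connections on the public interface as well, which is the failure mode the Remote IP scope is meant to prevent.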