How to detect if RRAS server is dropping all other traffic except VPN traffic

I have seen this a common customer query: My 2K, 2K3 server was working as DNS, DHCP, AD etc and stopped working after RRAS is installed.


The main reason for this is because: When RRAS server is configured using RRAS configuration wizard and you select VPN path, it enables static filters on the public interface - to allow "only" VPN traffic to pass through. This is to protect the RRAS box from the Internet side. This can be optionally disabled while you configure RRAS using RRAS configuration wizard (by unchecking the checkbox "Enable static filters on the selected interface" while selecting Internet interface), but ensure your box is protected by some firewall running infront of RRAS server.


Lot of customers deploy RRAS in a single NIC scenario (i.e. behind a NAT router) - hosting multiple roles (like DNS, DC, NAT for LAN clients and VPN server for internet based remote access clients). In such a scenario, if you enable static filters on RRAS server to allow only VPN traffic, then all the other roles (like DNS, DC) will not function properly - as their packets will be dropped. In such a scenario, you need to add all the relevant ports for those services in RRAS static filters.


To quickly find out whether RRAS is running run the following commands from the command prompt: (after logging in as administrator on the RRAS server box):

1) sc query remoteaccess


2)sc query rasman


If the state of above two commands output is shown as "Running" (as given below), then it means RRAS is running on that box

C:>sc query remoteaccess

SERVICE_NAME: remoteaccess
WIN32_EXIT_CODE : 0 (0x0)


3) netsh routing ip show filter

The above command shows the number of filters added inside RRAS static filter - for each interface. Filters gets applied only if RRAS is running (i.e. remoteaccess and rasman services are running).

Example output:

Input Output Demand-dial Frag. Check Interface
--------- ---------- ------------- -------------- ----------------

1 (DROP) 0 (FORWARD) 0 (FORWARD) Disabled Local Area Connection 6
0 (FORWARD) 0 (FORWARD) 0 (FORWARD) Disabled Local Area Connection 5


4) netsh routing ip show filter "Local Area Connection 6"

The above command shows the exact filter added for that interface.

To add/delete filters from a given interface, you can do it in one of the two ways:-

1) Open RRAS MMC Snap-in, go under Server->IP->Interface->Properties and select Inbound or outbound filters


2) Use following netsh commands:

netsh routing ip add filter ?

netsh routing ip delete filter ?

For more info on single NIC scenario:


For more info about static filter:


For more info about port numbers used by VPN server:


For more info about ports used by Microsoft Server:



Samir Jain
Lead Program Manager
RRAS, Windows Enterprise Networking

[This posting is provided "AS IS" with no warranties, and confers no rights.]