Configure Packet Filters for a VPN Server

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

Routing and Remote Access provides a configurable set of packet filters that work in addition to any firewall software that you might run on the server, such as Windows Firewall with Advanced Security. You can configure these packet filters with rules that restrict the packets that a VPN server can send or receive and that control intranet traffic to and from VPN clients, based on your network security policies.

The Routing and Remote Access Server Setup Wizard automatically configures the appropriate packet filters for VPN traffic. Alternatively, you can use the Routing and Remote Access snap-in to manually configure the packet filters.

To configure IPv4 packet filters manually

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

  1. Open the Routing and Remote Access MMC snap-in.

  2. In the console tree, expand the server name, and then expand IPv4.

  3. Under IPv4, click General.

  4. In the details pane, right-click the interface on which you want to configure packet filters, and then click Properties.

  5. On the General tab, click one of the following, depending on the type of filter you want to configure:

    • Inbound Filters

    • Outbound Filters

  6. Click New.

  7. In the Add IP Filter dialog box, select Source network (the network from which the packet is coming) or Destination network (the network to which the packet is going).

  8. Enter the appropriate IP address, subnet mask, protocol, and other information as required (for example, source and destination ports), and then click OK.

  9. Select the filter action, and then click OK.

For more information, see Appendix B: VPN Servers and Firewall Configuration.


Use care when configuring both RRAS packet filters and Windows Firewall with Advanced Security firewall rules. Conflicting rules can result in connectivity problems that are difficult to troubleshoot. If you use both RRAS packet filters and firewall rules, ensure that you configure identical allow and block settings for each.
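
The following added example (not part of the original article and not Microsoft code) shows one way to check the two rule sets against each other before you deploy them. It assumes you have transcribed each RRAS packet filter and each firewall rule into the simplified, hypothetical Rule record shown; the record layout, function names, and sample rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:  # hypothetical, simplified record for one filter or firewall rule
    direction: str  # "in" or "out"
    network: str    # remote network in CIDR form
    protocol: str   # "tcp", "udp", "gre" or "any"
    port: int       # local port; 0 means any port
    action: str     # "allow" or "block"

def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules."""
    if a.direction != b.direction:
        return False
    if "any" not in (a.protocol, b.protocol) and a.protocol != b.protocol:
        return False
    if 0 not in (a.port, b.port) and a.port != b.port:
        return False
    return ip_network(a.network).overlaps(ip_network(b.network))

def find_conflicts(rras, firewall):
    """Pairs that match overlapping traffic but disagree on the action."""
    return [(r, f) for r in rras for f in firewall
            if overlaps(r, f) and r.action != f.action]

def find_unmirrored(rras, firewall):
    """RRAS filters that have no identical firewall rule."""
    return [r for r in rras if r not in set(firewall)]

# Constructed sample data (not taken from a real server).
RRAS_FILTERS = [
    Rule("in", "0.0.0.0/0", "tcp", 1723, "allow"),
    Rule("in", "0.0.0.0/0", "gre", 0, "allow"),
    Rule("in", "0.0.0.0/0", "udp", 1701, "allow"),
]
FIREWALL_RULES = [
    Rule("in", "0.0.0.0/0", "tcp", 1723, "allow"),
    Rule("in", "0.0.0.0/0", "gre", 0, "allow"),
    Rule("in", "203.0.113.0/24", "udp", 1701, "block"),
]

if __name__ == "__main__":
    for r, f in find_conflicts(RRAS_FILTERS, FIREWALL_RULES):
        print("CONFLICT:", r, "vs", f)
    for r in find_unmirrored(RRAS_FILTERS, FIREWALL_RULES):
        print("NOT MIRRORED:", r)
```

In the sample data, the firewall blocks UDP 1701 from one subnet that the RRAS filter allows from any network, so that pair is reported both as a conflict and as an RRAS filter with no identical firewall rule.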