Configuring RRAS IP Routing for firewall functionality
Here is the scenario: VPS with Windows 2003 Server x64 SP2. I would like to configure RRAS as a firewall. I think it works except for two things:

1. I can't get packet logging working. I have turned on:
   a. rras->server->properties->logging: log all entries, log additional routing and remote access information
   b. rras->server->ip routing->general->properties->logging: log the maximum amount of information
   c. rras->server->remote access logging: all check boxes
   d. netsh ras set tracing * enabled
   I get a lot of logs in windir/tracing but nothing that resembles packets. It only logs what the server does.

2. I can't access the web from within the server.

Here is my setup (netsh routing ip script):

```
set loglevel info
add preferenceforprotocol proto=LOCAL preflevel=1
add preferenceforprotocol proto=STATIC preflevel=3
add preferenceforprotocol proto=NONDOD preflevel=5
add preferenceforprotocol proto=AUTOSTATIC preflevel=7
add preferenceforprotocol proto=NetMgmt preflevel=10
add preferenceforprotocol proto=OSPF preflevel=110
add preferenceforprotocol proto=RIP preflevel=-1
add interface name="venet0" state=enable
# inbound default on the public interface: drop anything not matched below
set filter name="venet0" filtertype=INPUT action=DROP
# inbound services reachable from anywhere
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=3389
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=21
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=25
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=45
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=53
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=UDP srcport=0 dstport=53
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=80
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=110
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=443
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=995
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=465
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=8443
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=8425
# trusted hosts/networks allowed in on any protocol
add filter name="venet0" filtertype=INPUT srcaddr=218.5.80.210 srcmask=255.255.255.255 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ANY
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=5000
add filter name="venet0" filtertype=INPUT srcaddr=69.13.54.128 srcmask=255.255.255.240 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ANY
# ICMP types allowed in
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=0 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=3 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=4 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=5 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=6 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=8 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=9 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=10 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=ICMP type=11 code=0
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=xxx.xxx.xxx.xxx dstmask=255.255.255.240 proto=TCP srcport=0 dstport=12443
add filter name="venet0" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=66.79.172.113 dstmask=255.255.255.255 proto=ANY
# intended to let replies to outbound connections back in (source = my subnet)
add filter name="venet0" filtertype=INPUT srcaddr=xxx.xxx.xxx.xxx srcmask=255.255.255.240 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=80 dstport=0
add filter name="venet0" filtertype=INPUT srcaddr=xxx.xxx.xxx.xxx srcmask=255.255.255.240 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=443 dstport=0
add filter name="venet0" filtertype=INPUT srcaddr=xxx.xxx.xxx.xxx srcmask=255.255.255.240 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=53 dstport=0
add filter name="venet0" filtertype=INPUT srcaddr=xxx.xxx.xxx.xxx srcmask=255.255.255.240 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=UDP srcport=53 dstport=0
add filter name="venet0" filtertype=INPUT srcaddr=xxx.xxx.xxx.xxx srcmask=255.255.255.240 dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=25 dstport=0
set filter name="venet0" fragcheck=enable
add interface name="Internal" state=disable
set filter name="Internal" fragcheck=disable
add interface name="Loopback" state=enable
set filter name="Loopback" fragcheck=disable
```

xxx.xxx.xxx.xxx is my subnet. NAT is not configured (or desired). As I see it, I have no outgoing filters, so everything should pass through. Also I have set inbound filters to let packets with source from my subnet through. What am I doing wrong?
June 30th, 2012 4:04pm

Hi,

Please check the article below to see if it can be helpful to you:

Remote Access Design Guidelines Part 4: IP Routing and DNS
http://blogs.technet.com/b/rrasblog/archive/2009/03/17/remote-access-design-guidelines-part-4-ip-routing-and-dns.aspx

In the meantime, I suggest we ask in our Networking forum to get more effective suggestions from other experts who are familiar with this topic.

Network Infrastructure Servers
http://social.technet.microsoft.com/Forums/en/winserverNIS/threads

Your understanding is appreciated.

Regards
Kevin
July 2nd, 2012 3:30am

Thanks Kevin, I posted there pointing here: http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/119a8ac5-1049-414d-979e-8a7c4ec88581
July 2nd, 2012 4:45am

I have had no help from the replies on either thread, I am afraid. My understanding at the moment is that RRAS is not fit to use for IP filtering alone, even though one might think that.
July 17th, 2012 8:43pm
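Why the posted filter set blocks the server's own web access, shown as an added example that is not part of the original thread and was not written by either poster. It assumes the poster's interface name "venet0" and /28 mask; 192.0.2.0 is a documentation-range placeholder for the network address the poster wrote as xxx.xxx.xxx.xxx. RRAS IP packet filters are stateless: once the INPUT default on venet0 is DROP, every reply packet to a connection the server opens must be matched by an explicit INPUT filter. The five posted filters that name the server's own subnet as the source on the INPUT side never match anything, because a reply from a remote web or DNS server arrives with the remote host as source and the server's address as destination. The script below removes them and adds filters that match replies, using the same "netsh routing ip" add/delete/show filter forms that appear in the post, written as a .cmd file:

```batch
@echo off
rem Added example, not code from the original thread. Assumes the poster's
rem interface "venet0" and /28 mask; 192.0.2.0 is a placeholder for the
rem network address the poster elided as xxx.xxx.xxx.xxx.
set IF=venet0
set NET=192.0.2.0
set MASK=255.255.255.240

rem RRAS IP packet filters are stateless. With "set filter ... action=DROP"
rem on the INPUT side, a reply to a connection the server itself opens is
rem discarded unless an INPUT filter matches it explicitly.

rem ---- Weak (as posted): source is the server's own subnet, direction INPUT.
rem Packets arriving inbound on the public interface are never sourced from
rem this subnet, so these filters match nothing and browsing still fails.
netsh routing ip delete filter name="%IF%" filtertype=INPUT srcaddr=%NET% srcmask=%MASK% dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=80 dstport=0
netsh routing ip delete filter name="%IF%" filtertype=INPUT srcaddr=%NET% srcmask=%MASK% dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=443 dstport=0
netsh routing ip delete filter name="%IF%" filtertype=INPUT srcaddr=%NET% srcmask=%MASK% dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=53 dstport=0
netsh routing ip delete filter name="%IF%" filtertype=INPUT srcaddr=%NET% srcmask=%MASK% dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=UDP srcport=53 dstport=0
netsh routing ip delete filter name="%IF%" filtertype=INPUT srcaddr=%NET% srcmask=%MASK% dstaddr=0.0.0.0 dstmask=0.0.0.0 proto=TCP srcport=25 dstport=0

rem ---- Corrected: a reply has the REMOTE host as source and our subnet as
rem destination. TCP-EST matches only segments with the ACK flag set, i.e.
rem traffic of a connection that already exists; a fresh inbound SYN still
rem falls through to the DROP default.
netsh routing ip add filter name="%IF%" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%NET% dstmask=%MASK% proto=TCP-EST srcport=0 dstport=0
rem DNS answers come back from UDP source port 53 to an ephemeral port.
netsh routing ip add filter name="%IF%" filtertype=INPUT srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%NET% dstmask=%MASK% proto=UDP srcport=53 dstport=0

rem ---- Check: the filter list must now show the TCP-EST and UDP/53 entries,
rem and a lookup run on the server itself should get an answer back.
netsh routing ip show filter name="%IF%"
nslookup www.example.com
```

If you would rather not trust the ACK flag, the narrower form is one TCP filter per remote service, with srcaddr=0.0.0.0 srcmask=0.0.0.0, your subnet as destination, and srcport=80 (then 443, and so on) with dstport=0, at the cost of a line per outbound service. Either way this is not connection tracking: TCP-EST passes any ACK-flagged segment from anywhere, so ACK probes get through and the services listening behind the filter still need their own hardening. On the first question in the post, RRAS filters do not log individual packets; the tracing switches the poster enabled record the service's own actions, which is what was observed in windir\tracing. On Windows Server 2003 SP1 and later, dropped-packet logging comes from Windows Firewall (netsh firewall set logging droppedpackets=enable, written to %windir%\pfirewall.log), not from RRAS.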
