
Windows — Firewall Setup

Rabtly uses Windows Firewall via netsh advfirewall to enforce port-level access control rules on Windows. Rules are tagged with group="Rabtly" so they can be managed and inspected as a unit.

Requirements

  • Windows 10 (version 1903+), Windows 11, or Windows Server 2019+
  • Windows Firewall service (MpsSvc) must be running
  • netsh is always present — no installation needed

Check if Windows Firewall is running

Open an elevated Command Prompt or PowerShell:

sc query MpsSvc | findstr STATE

Expected: STATE : 4 RUNNING

If it shows STOPPED:

sc start MpsSvc
sc config MpsSvc start= auto

Check if Rabtly rules are installed

netsh advfirewall firewall show rule group="Rabtly"

If rules are listed, the firewall is working. If you see “No rules match the specified criteria”, the daemon hasn’t applied rules yet — check rabtly status.

After enabling

Restart the Rabtly service:

sc stop Rabtly
sc start Rabtly

Or from PowerShell:

Restart-Service Rabtly

Verify

rabtly status

Look for firewall_enforced=true. Then inspect the rules:

netsh advfirewall firewall show rule group="Rabtly" verbose

You should see rules like:

Rule Name:    Rabtly-In-0-All
Direction:    In
Profiles:     Any
RemoteIP:     100.64.0.2/32,100.64.0.3/32
Protocol:     Any
Action:       Allow
---
Rule Name:    Rabtly-In-1-TCP
Direction:    In
Profiles:     Any
RemoteIP:     100.64.1.1/32
Protocol:     TCP
LocalPort:    5432
Action:       Allow

Troubleshooting

Windows Firewall is disabled by Group Policy

In enterprise environments, IT may disable Windows Firewall via GPO (e.g. because a third-party firewall is deployed). Check:

netsh advfirewall show allprofiles state

If it shows State: OFF for all profiles, and you can’t enable it due to policy, port ACLs cannot be enforced. The VPN still works — the device just won’t filter inbound traffic by port.

Talk to your IT team about either:

  1. Enabling Windows Firewall alongside the third-party firewall (many enterprise firewalls support this).
  2. Accepting that port ACLs are enforced on other devices but not this one.

Third-party firewalls (ESET, Norton, Kaspersky, etc.)

Some third-party security suites replace Windows Firewall entirely (they stop MpsSvc and register their own WFP driver). In this case:

  • Rabtly’s netsh rules won’t be applied (the service isn’t running).
  • The device shows Firewall: off in the dashboard.
  • The VPN connection still works normally.

This is a known limitation. A future version will use WFP (Windows Filtering Platform) directly, which coexists with third-party firewalls.

“netsh add rule failed” errors in the daemon log

Common causes:

1. Not running as administrator: The Rabtly service normally runs as LocalSystem which has full admin rights. If you’re running rabtly up manually, make sure you’re in an elevated prompt.

2. Rule name conflicts: Another application created a rule with the same name (unlikely, since Rabtly uses the Rabtly- prefix). Fix:

netsh advfirewall firewall delete rule group="Rabtly"
sc stop Rabtly
sc start Rabtly

3. Antivirus blocking netsh: Some security tools monitor netsh.exe invocations and block rule additions. Check your AV’s quarantine log. Add an exception for the Rabtly service.

Rules exist but traffic is still blocked

If netsh advfirewall firewall show rule group="Rabtly" lists the rules but traffic isn’t flowing:

1. Check the remoteip filter: Rabtly rules use remoteip=100.64.x.x/32 to scope to VPN peers. If your peer’s VPN address doesn’t match what’s in the rule, the rule won’t apply.

rabtly status

Compare the peer addresses with what’s in the rules.

2. Higher-priority WFP filters: EDR products (CrowdStrike, SentinelOne, Microsoft Defender ATP) register WFP filters at a higher weight that can silently drop traffic before Windows Firewall evaluates it. This affects Rabtly the same way it affects any WireGuard-based VPN (including Tailscale).

3. Windows Firewall profiles: Rabtly rules are set to profile=any (Domain, Private, and Public). If the network connection is in a profile where Windows Firewall is disabled, rules for that profile won’t apply. Check:

netsh advfirewall show currentprofile

Windows Server Core

Windows Server Core includes netsh and Windows Firewall by default. Rabtly works identically to desktop Windows — no extra steps needed.

Windows Sandbox / Windows containers

Windows Sandbox and Hyper-V containers have their own isolated firewall state. The Rabtly service inside the sandbox manages its own rules independently from the host.

How Rabtly uses Windows Firewall

  • Rule group: Rabtly — all rules tagged for bulk management
  • Rule names: Rabtly-In-0-TCP, Rabtly-Out-1-UDP, etc. (unique, inspectable in MMC)
  • Scope: Rules use remoteip= to limit to VPN peer addresses (100.64.x.x range)
  • Protocols: Separate rules per protocol (TCP, UDP, ICMPv4, ICMPv6) — netsh requires this
  • Port format: localport=22,80,8000-8100 (comma-separated, hyphen ranges)
  • Direction: Both in and out rules are installed
  • Apply method: Delete all group="Rabtly" rules, then re-add. Brief window (~100ms) during reload
  • No default-deny: Windows Firewall’s default “block unsolicited inbound” profile provides this. Rabtly only adds allow-rules.
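To make the “compare the peer addresses with what’s in the rules” troubleshooting step mechanical, here is an added Python check (not part of Rabtly or of this page) that parses the netsh listing, tests a peer/protocol/port against each rule’s remoteip and localport scope in the formats described in this section, and lists peers that no rule scopes. The netsh output and peer list are constructed samples, and the assumption that peer addresses are read from rabtly status is mine; the page does not show that command’s output format.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample of `netsh advfirewall firewall show rule group="Rabtly" verbose`
# output, modelled on the listing shown above (not captured from a real host).
SAMPLE_NETSH_OUTPUT = """\
Rule Name:                            Rabtly-In-0-All
Direction:                            In
RemoteIP:                             100.64.0.2/32,100.64.0.3/32
Protocol:                             Any
Action:                               Allow
----------------------------------------------------------------------
Rule Name:                            Rabtly-In-1-TCP
Direction:                            In
RemoteIP:                             100.64.1.1/32
Protocol:                             TCP
LocalPort:                            5432
Action:                               Allow
"""
# Peer VPN addresses as read from `rabtly status` (constructed; its output format is not shown here).
PEERS = ["100.64.0.2", "100.64.1.1", "100.64.2.7"]

def parse_rules(text):
    """One dict per rule, keyed by the field names netsh prints (separator lines are skipped)."""
    rules = []
    for key, value in re.findall(r"^([A-Za-z ]+?):[ \t]+(.*?)[ \t]*$", text, re.M):
        if key == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key] = value
    return rules

def ip_in_scope(ip, spec):
    """Match an address against the remoteip field: 'Any' or CIDR entries as Rabtly writes them."""
    return spec == "Any" or any(ip in ip_network(n) for n in spec.split(","))

def port_in_spec(port, spec):
    """Match a port against netsh localport syntax: 'Any' or '22,80,8000-8100'."""
    return spec == "Any" or any(int(lo) <= port <= int(hi or lo)
                                for lo, _, hi in (p.partition("-") for p in spec.split(",")))

def rules_covering(rules, peer_ip, protocol, port, direction="In"):
    """Names of the rules whose direction/remoteip/protocol/localport scope admits this traffic."""
    ip = ip_address(peer_ip)
    return [r["Rule Name"] for r in rules
            if r.get("Direction") == direction and r.get("Protocol", "Any") in ("Any", protocol)
            and ip_in_scope(ip, r.get("RemoteIP", "Any")) and port_in_spec(port, r.get("LocalPort", "Any"))]

def unscoped_peers(rules, peers):
    """Peers that no rule's remoteip scope names; their traffic hits the default inbound block."""
    return [p for p in peers if not any(ip_in_scope(ip_address(p), r.get("RemoteIP", "Any")) for r in rules)]
```

Save the real netsh listing to a file, feed it to parse_rules, and an empty list from unscoped_peers means every peer in rabtly status is named by at least one rule.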

Viewing rules in Windows Firewall GUI

  1. Press Win + R, type wf.msc, press Enter.
  2. Click Inbound Rules in the left panel.
  3. Sort by Group column — look for “Rabtly”.
  4. Each rule shows the remote IPs, protocol, and ports.

Cleaning up

If you uninstall Rabtly and want to remove leftover rules:

netsh advfirewall firewall delete rule group="Rabtly"