You can configure IP filters in both connection request policies and network policies by using netsh nps commands. The following sections provide details on the commands and parameters to use to configure IP filters for IPv4 or IPv6.

Commands for configuration of IP filters

The following netsh nps commands allow you to configure IP filters that are applied at the network access server for connection requests that match the respective policies.

  • add crp. This command allows you to add a new connection request policy to the Network Policy Server (NPS) configuration.

  • set crp. This command allows you to modify an existing connection request policy.

  • add np. This command allows you to add a new network policy to the NPS server configuration.

  • set np. This command allows you to modify an existing network policy.

With these commands, you can configure IP filters using the parameters profileid, advprofiletype, and advprofiledata. The following sections provide details for each parameter.

profileid

The following values for profileid are valid for the configuration of IP filters.

Name                      ID
MS-Quarantine-IPFilter    0x1045
MS-Filter                 0x102f
MS-IPv6-Filter            0x1fd0

advprofiletype

The following values for advprofiletype are valid for the configuration of IP filters.

Name                   Type
IPv4 Input filters     IPFILTER_IPV4INFILTER
IPv4 Output filters    IPFILTER_IPV4OUTFILTER
IPv6 Input filters     IPFILTER_IPV6INFILTER
IPv6 Output filters    IPFILTER_IPV6OUTFILTER

advprofiledata

The following syntax and comma-separated list of parameters for advprofiledata are valid for the configuration of IP filters.

Syntax

advprofiledata= action,ip address,mask,protocol,source port,destination port

Parameters

  • action. Required. Specifies whether IP traffic is permitted or denied. PERMIT specifies that all IP traffic is permitted except for the packets that you designate with the ip address, mask, protocol, source port, and destination port parameters. DENY specifies that all IP traffic is denied except for the packets that you designate with the ip address, mask, protocol, source port, and destination port parameters.

  • ip address. Required. Specifies either an IPv4 or an IPv6 address.

  • mask. Required. Specifies the subnet mask for an IPv4 address or the prefix length for an IPv6 address in the following formats: "x.x.x.x" specifies an IPv4 subnet mask, while <number> specifies an IPv6 prefix length.

  • protocol. Optional. Specifies the protocol number as an integer, such as 6 for TCP or 17 for User Datagram Protocol (UDP).

  • source port and destination port. Optional. Specifies the source port and destination port as integers. If specified, you must designate both a source port and a destination port. If you do not specify a source port and destination port, all IP traffic to the specified IP address is permitted or denied, depending on the value of action.
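The following PowerShell helper is an added example, not part of the original page or of any Microsoft tooling. It checks the advprofiledata fields against the rules above and picks the matching advprofiletype, so that a malformed filter is caught before the values go into a netsh nps command. The function name, its parameter names, the Direction parameter, and the rule that ports require a protocol are assumptions of this example.

```powershell
# Added example; function and parameter names are hypothetical, field rules are from the page.
function New-NpsIpFilterData {
    param(
        [Parameter(Mandatory)][ValidateSet('PERMIT', 'DENY')][string]$Action,
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$Mask,
        [Parameter(Mandatory)][ValidateSet('Input', 'Output')][string]$Direction,
        [ValidateRange(0, 255)][int]$Protocol,
        [ValidateRange(0, 65535)][int]$SourcePort,
        [ValidateRange(0, 65535)][int]$DestinationPort
    )
    $quad = '^\d{1,3}(\.\d{1,3}){3}$'
    $addr = $null
    if (-not [ipaddress]::TryParse($IPAddress, [ref]$addr)) {
        throw "ip address '$IPAddress' is not a valid IPv4 or IPv6 address"
    }
    if ($addr.AddressFamily -eq 'InterNetwork') {
        # IPv4: address and mask must both be dotted quads ("x.x.x.x").
        $m = $null
        if ($IPAddress -notmatch $quad -or $Mask -notmatch $quad -or
            -not [ipaddress]::TryParse($Mask, [ref]$m)) {
            throw "IPv4 filter needs a dotted address and an x.x.x.x subnet mask"
        }
        $family = 'IPV4'
    } else {
        # IPv6: mask is a prefix length, a plain number from 0 to 128.
        if ($Mask -notmatch '^\d{1,3}$' -or [int]$Mask -gt 128) {
            throw "IPv6 filter needs a numeric prefix length (0-128)"
        }
        $family = 'IPV6'
    }
    $hasProto = $PSBoundParameters.ContainsKey('Protocol')
    $hasSrc   = $PSBoundParameters.ContainsKey('SourcePort')
    $hasDst   = $PSBoundParameters.ContainsKey('DestinationPort')
    if ($hasSrc -ne $hasDst) { throw 'source port and destination port must be given together' }
    # Assumption: the fields are positional, so ports without a protocol are rejected.
    if ($hasSrc -and -not $hasProto) { throw 'ports require a protocol number' }
    $fields = @($Action.ToUpperInvariant(), $IPAddress, $Mask)
    if ($hasProto) { $fields += $Protocol }
    if ($hasSrc)   { $fields += $SourcePort, $DestinationPort }
    $dir = @{ Input = 'IN'; Output = 'OUT' }[$Direction]
    [pscustomobject]@{
        advprofiletype = "IPFILTER_${family}${dir}FILTER"
        advprofiledata = $fields -join ','
    }
}
# Constructed sample values (documentation address ranges).
New-NpsIpFilterData -Action DENY -IPAddress '192.0.2.10' -Mask '255.255.255.255' -Direction Input -Protocol 6
New-NpsIpFilterData -Action PERMIT -IPAddress '2001:db8::' -Mask '32' -Direction Output
```

Because action sets the default for all other traffic, review the returned advprofiledata string against the PERMIT and DENY descriptions above before applying it to a policy.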
