Configure Windows to block access to a device via LAN but still allow access via TAN¶
It is possible to block access to a server from the local area network (LAN) while still allowing access from the trusted area network (TAN) by combining Windows network profiles with the Windows firewall: every interface except the TAN interface is placed in the Public profile, and the Public profile is set to block all incoming connections. This protects the device even from bad actors plugged into the same physical LAN. Note that the block only takes effect while the Windows firewall is enabled for the Public profile, and that any service you still need on the TAN side must be allowed in the Private profile.
Set the network profile¶
Using the Windows Settings app¶
Open the Windows Settings app
Select Network and internet and click on the entry for your network connection
Tip
When you are connected using WiFi, you will need to select the properties entry for your current WiFi network (shown as "<SSID> properties") to reach the next screen
Set the Network profile type to Public network
Using Windows PowerShell¶
Run the following script in an Administrator PowerShell prompt to set all network interfaces, except the Connect TAN interface (interface alias "connect"), to the Public network profile and the Connect interface to the Private network profile
# Get all interfaces except the TAN interface ("connect") and set their network profile to Public
$InterfaceAliases = Get-NetConnectionProfile |
    Select-Object -ExpandProperty InterfaceAlias |
    Where-Object { $_ -ne 'connect' }
foreach ($InterfaceAlias in $InterfaceAliases) {
    Set-NetConnectionProfile -InterfaceAlias $InterfaceAlias -NetworkCategory Public
}
# Set the TAN interface to Private; ignore the error if "connect" is not currently up
Set-NetConnectionProfile -InterfaceAlias "connect" -NetworkCategory Private -ErrorAction Ignore
Block Incoming Connections¶
Using the Windows Security app¶
Open the Windows Security app, either by following the Configure firewall and security settings link in Network settings or from the Start menu
Select Firewall & network protection if it is not already open and then click on the Public network link
In the Public network profile, enable the "Blocks all incoming connections, including those in the list of allowed apps" checkbox
Using Windows PowerShell¶
Run the following command in an Administrator PowerShell prompt to set the Windows firewall to block incoming network connections on interfaces set to the Public network profile
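The following script is an added example and not the page's own command: it applies the same "block all incoming connections" setting to the Public profile from PowerShell and then reports, per interface, whether inbound traffic is actually shielded. It assumes the TAN interface alias is "connect" as in the profile script above; the function name Get-InboundPosture is an illustrative choice. Run it from the TAN side or the local console: if you run it over a LAN remote session (RDP, WinRM), that session is cut off as soon as the block is applied.

```powershell
# Added example (not from the original page). Assumes the TAN interface alias is "connect".
$TanAlias = 'connect'

# Refuse to apply the block if the TAN interface is absent; otherwise there would be
# no remaining path into the device once the LAN interfaces are shielded.
if (-not (Get-NetConnectionProfile -InterfaceAlias $TanAlias -ErrorAction SilentlyContinue)) {
    throw "Interface '$TanAlias' not found; not applying the Public block so the device stays reachable."
}

# Shielded mode for the Public profile. This is the PowerShell equivalent of the
# "Blocks all incoming connections, including those in the list of allowed apps" checkbox:
# the firewall is on, unmatched inbound traffic is dropped, and inbound allow rules are ignored.
Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block -AllowInboundRules False

# Report, for each connected interface, which firewall profile governs it and whether
# that profile currently shields inbound traffic. Domain-joined interfaces land in the
# DomainAuthenticated category, whose firewall profile is named "Domain".
function Get-InboundPosture {
    foreach ($p in Get-NetConnectionProfile) {
        $profileName = if ($p.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { [string]$p.NetworkCategory }
        $fw = Get-NetFirewallProfile -Name $profileName
        [pscustomobject]@{
            Interface         = $p.InterfaceAlias
            Profile           = $profileName
            FirewallEnabled   = $fw.Enabled
            DefaultInbound    = $fw.DefaultInboundAction
            AllowInboundRules = $fw.AllowInboundRules
            # Shielded only when the firewall is on and inbound allow rules are not honoured
            InboundShielded   = ($fw.Enabled -eq 'True') -and ($fw.AllowInboundRules -eq 'False')
        }
    }
}

# Expected outcome: every interface except "connect" shows Profile = Public and InboundShielded = True;
# "connect" shows Profile = Private and InboundShielded = False, so its allowed apps remain reachable.
Get-InboundPosture | Format-Table -AutoSize
```

If any interface other than "connect" reports a Private or Domain profile, the LAN is not blocked on that interface: rerun the profile script above for Private, and note that a DomainAuthenticated category is assigned automatically on domain-joined machines and is not covered by the Public block.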