
Configure Windows to block access to a device via LAN but still allow access via TAN

It is possible to block access to a server from the local area network (LAN) while still allowing access from the trusted area network (TAN) by combining Windows network profiles with the Windows firewall. This protects the device even from bad actors plugged into the same physical LAN.

Set the network profile

Using the Windows Settings app

Open the Windows Settings app

[Screenshot: Open Windows Settings]

Select Network and internet and click on the entry for your network connection

[Screenshot: Select Network and internet]

Tip

When you are connected using Wi-Fi, you will need to select the "SSID properties" entry of your current Wi-Fi network to reach the next screen.

[Screenshot: Select wireless network]

Set the Network profile type to Public network

[Screenshot: Set network profile to Public]

Using Windows PowerShell

Run the following script in an Administrator PowerShell prompt to set all network interfaces, except the Connect TAN interface, to the Public network profile, and the Connect interface to the Private profile.

# Get the alias of every interface except Connect (the -ne comparison is case-insensitive)
$InterfaceAliases = Get-NetConnectionProfile |
    Select-Object -ExpandProperty InterfaceAlias |
    Where-Object { $_ -ne 'connect' }

# Move each of those interfaces to the Public network profile
foreach ($InterfaceAlias in $InterfaceAliases) {
    Set-NetConnectionProfile -InterfaceAlias $InterfaceAlias -NetworkCategory Public
}

# Set the Connect interface to Private; ignore the error if the interface is not present yet
Set-NetConnectionProfile -InterfaceAlias "connect" -NetworkCategory Private -ErrorAction Ignore

Block Incoming Connections

Using the Windows Security app

Open the Windows Security app, either by following the Configure firewall and security settings link in Network settings or from the Start menu

[Screenshot: Open Windows Security]

Select Firewall & network protection if it is not already open and then click on the Public network link

[Screenshot: Select Firewall & network protection]

In the Public network profile, enable the "Blocks all incoming connections, including those in the list of allowed apps." checkbox.

[Screenshot: Enable "Blocks all incoming connections"]

Using Windows PowerShell

Run the following command in an Administrator PowerShell prompt to set the Windows firewall to block all incoming connections on interfaces that use the Public network profile, including connections that would otherwise be permitted by an allow rule.

netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound
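The two steps above are easy to undo by accident, for example when Windows re-detects a network and resets its profile, so it is worth having a check that confirms the end state. The following script is an added verification example, not part of the original page or the Connect product: it assumes the TAN interface alias is "connect" as in the script above (change $TanAlias if yours differs) and reports any interface or firewall setting that drifts from the intended configuration.

```powershell
# Added example: verify the LAN-isolation configuration described on this page.
# Assumption: the TAN interface alias is "connect" (as in the page's own script).
function Test-LanIsolation {
    param([string]$TanAlias = 'connect')

    $ok = $true
    $tanFound = $false

    # 1. Network profiles: the TAN interface must be Private, every other
    #    interface must be Public so that the Public firewall profile applies to it.
    foreach ($profile in Get-NetConnectionProfile) {
        if ($profile.InterfaceAlias -eq $TanAlias) {
            $tanFound = $true
            if ("$($profile.NetworkCategory)" -ne 'Private') {
                Write-Warning "TAN interface '$($profile.InterfaceAlias)' is $($profile.NetworkCategory); expected Private"
                $ok = $false
            }
        }
        elseif ("$($profile.NetworkCategory)" -ne 'Public') {
            Write-Warning "Interface '$($profile.InterfaceAlias)' is $($profile.NetworkCategory); expected Public"
            $ok = $false
        }
    }
    if (-not $tanFound) {
        Write-Warning "No connection profile found for TAN interface '$TanAlias' (is it connected?)"
        $ok = $false
    }

    # 2. Firewall Public profile: enabled, default-deny inbound, and allow rules
    #    ignored. AllowInboundRules = False is what the "Blocks all incoming
    #    connections, including those in the list of allowed apps" checkbox sets.
    $pub = Get-NetFirewallProfile -Name Public
    if ("$($pub.Enabled)" -ne 'True') {
        Write-Warning "Public firewall profile is not enabled"
        $ok = $false
    }
    if ("$($pub.DefaultInboundAction)" -ne 'Block') {
        Write-Warning "Public profile DefaultInboundAction is $($pub.DefaultInboundAction); expected Block"
        $ok = $false
    }
    if ("$($pub.AllowInboundRules)" -ne 'False') {
        Write-Warning "Public profile still honours inbound allow rules (AllowInboundRules = $($pub.AllowInboundRules))"
        $ok = $false
    }

    return $ok
}

# Run the check; exit non-zero so the script can be used from a scheduled task or monitoring job
if (Test-LanIsolation) {
    Write-Output "LAN isolation verified: only the TAN interface accepts inbound connections"
    exit 0
}
else {
    exit 1
}
```

The firewall part of the check reads the same settings that the netsh command above writes; the equivalent cmdlet form of that command is Set-NetFirewallProfile -Name Public -DefaultInboundAction Block -AllowInboundRules False, which is convenient if you prefer to keep the whole configuration in one PowerShell script. Note that the check only verifies the Public profile: inbound access on the TAN interface is governed by the Private profile's rules, so keep that profile's allow rules limited to the services the TAN is meant to reach.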