Script to add a rule for Routing and Remote Access


  1. Posts : 37
    Windows 10
       #1

    Script to add a rule for Routing and Remote Access


    • From Firewall I want to add a rule - Routing and Remote Access.
      This rule can be added manually, but I want to add it from the command prompt.
      I am using Windows 10 Pro 20H2.
      To add manually, open Control Panel -> Windows Defender Firewall -> Advanced Settings ->
      -> Inbound Rules or Outbound Rules -> New Rule -> Predefined -> from drop down list choose Routing and Remote Access ->
      -> Next -> Check all checkbox
      Routing and Remote Access (PPTP-In),
      Routing and Remote Access (L2TP-In),
      Routing and Remote Access (GRE-In) -> Next... Next - see print screen.
      How to add from CMD?

      My Computer


  2. Posts : 1,728
    Windows 10 Pro x64 22H2
       #2

    Hello, to do this you need to copy predefined rules from the read-only (inactive) policy store into the desired active policy store.

    A policy store is a collection of firewall rules; depending on firewall settings, only a portion of policy stores (and their rules) are active.

    To copy the predefined rules "Routing and Remote Access" from the read-only store, you run:

    Code:
    Copy-NetFirewallRule -PolicyStore SystemDefaults -Group "@FirewallAPI.dll,-33752" -Direction Inbound -NewPolicyStore PersistentStore

    This command will copy the entire group of rules "Routing and Remote Access" (read-only policy store: SystemDefaults) into Windows firewall in control panel (policy store: PersistentStore), only inbound rules in this case.

    You'll notice that you don't name your group as you read it in the firewall management console, that is "Routing and Remote Access", but instead specify the group reference (there is a special name for this but I forgot what it is called).

    Your next issue is how to learn the group reference name; to get this info, run:

    Code:
    Get-NetFirewallRule -PolicyStore SystemDefaults | Sort-Object -Unique Group |
    Sort-Object DisplayGroup | Format-Table DisplayGroup, Group

    This will give you a list of all predefined rules and their reference names that you can use to copy by group into the target policy store.

    Commands are run in PowerShell console which you can access in Start menu.
    To create a script, create a file with *.ps1 extension and simply enter your commands into a file one by one.

    You can then execute this script from PowerShell, ex. if the file is called "MyRules.ps1" you run:

    Code:
    .\MyRules.ps1

    or if the file is in another directory then run:

    Code:
    C:\SomeDirectory\MyRules.ps1

    You could also do it in CMD (command prompt) but syntax is different and deprecated.

    EDIT:
    If you get an error with "PersistentStore", such as "File already exists", this could mean the rules are already present in said store; to get around this, try with "ActiveStore".

    The difference is that Active store represents all rules that are currently active, not just firewall from control panel.
      My Computer
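
The steps from post #2 collected into one re-runnable script, as an added example that is not part of the original thread. The parameter names and the helper `Get-GroupRule` are hypothetical, and the script assumes a copied rule keeps the Name of its template in SystemDefaults; save it as a .ps1 file and run it from an elevated PowerShell console.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Parameter names are illustrative.
param(
    # Group reference for "Routing and Remote Access", as given in post #2
    [string] $Group = '@FirewallAPI.dll,-33752',
    [ValidateSet('Inbound', 'Outbound')]
    [string] $Direction = 'Inbound',
    # Copied rules keep the template's Enabled state unless this switch is set
    [switch] $Enable
)

# Hypothetical helper: rules of one group and direction in a policy store
function Get-GroupRule([string] $Store) {
    Get-NetFirewallRule -PolicyStore $Store -Group $Group -ErrorAction SilentlyContinue |
        Where-Object Direction -EQ $Direction
}

# Predefined templates live in the read-only SystemDefaults store
$templates = @(Get-GroupRule SystemDefaults)
if ($templates.Count -eq 0) {
    throw "No $Direction rules for group '$Group' in SystemDefaults."
}

# Copy only the rules that PersistentStore does not already hold, so a second
# run does not hit the "already exists" error mentioned in the post's EDIT.
# Assumption: a copied rule keeps the Name of its template.
$existing = @(Get-GroupRule PersistentStore)
foreach ($rule in $templates) {
    if ($existing.Name -contains $rule.Name) {
        Write-Host "Already present: $($rule.DisplayName)"
        continue
    }
    Copy-NetFirewallRule -PolicyStore SystemDefaults -Name $rule.Name `
        -NewPolicyStore PersistentStore -ErrorAction Stop
    Write-Host "Copied:          $($rule.DisplayName)"
}

# Optional: turn the copied rules on
if ($Enable) {
    Get-GroupRule PersistentStore | Enable-NetFirewallRule
}

# Show what is now in the local store so the result can be reviewed
Get-GroupRule PersistentStore |
    Sort-Object DisplayName |
    Format-Table DisplayName, Enabled, Action, Profile -AutoSize
```

The final table lists each rule's Enabled state, action and profile, which is the quickest way to confirm that only the intended PPTP, L2TP and GRE inbound rules were added.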


 
