block/allow IP ranges w2k8

I would like to block/allow IP ranges with the w2k8 firewall. In principle, the idea is to block e.g. a huge IP range and by a second rule open it for a sub-IP range of the just blocked one. I tried this with two Inbound rules, but it seems that the first blocking rule "dominates" the second one.

Any ideas?
Radhakrishnan R (Senior Technical Lead) commented:

I believe that the deny rule takes precedence even if you except 0/24. Unfortunately I haven't tested a scenario like this before. I use a hardware firewall to allow/block IP addresses.

GeologyETH (Author) commented:
Thanks. I guess I misunderstand something. As an example, I want to block e.g. the range abc.def.0.0/16 (remote IP addresses), but allow an IP range, e.g.
Thus I created an inbound rule which blocks the range abc.def.0.0/16 and a second inbound rule which allows access for

But it does not work this way, the range abc.def.0.0/16 and with it is blocked.

Any idea?
Radhakrishnan R (Senior Technical Lead) commented:

I think you have selected the first option (i.e. "This IP addresses or subnet"), but you need to select the second option, "This IP address range"; then you will be able to provide the from IP range and to IP range.

The same procedure can be applied to both allow and deny rules.

Reboot the server for the new settings to take effect and see it working as expected.

GeologyETH (Author) commented:
Yes, I selected "This IP addresses or subnet" to block the subnet abc.def.0.0/16 and for the second rule the same to allow (and other such IP ranges).
Now I changed the blocking rule to "This IP address range", i.e. "From: abc.def.0.0" and "To: abc.def.255.255", but this is the same.

GeologyETH (Author) commented:
Ok, I found which tells that blocking rules take precedence. Thus, it's not possible to block and then to re-open.
But does this mean, to be able to block abc.def.0.0/16, except (and other such ip ranges), needs a blocking rule defining all sub-ranges of abc.def.0.0/16, except

GeologyETH (Author) commented:
If it's not possible that way, (how) can a rule restrict the access to (and other such ip ranges)? Ideas?

Thanks in advance.
Question has a verified solution.
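
An added example, not part of the original thread: because block rules win over allow rules in Windows Firewall, an exception can only be expressed by blocking the complement of the allowed sub-ranges. The sketch below computes that complement as CIDR blocks and as From/To pairs for the "This IP address range" field; 10.20.0.0/16 and 10.20.30.0/24 are constructed stand-ins for the thread's abc.def.0.0/16 and its unstated sub-range, and the function names are hypothetical.

```python
import ipaddress

def block_networks(blocked, allowed):
    """CIDR blocks covering `blocked` minus every subnet in `allowed`."""
    outer = ipaddress.ip_network(blocked)
    remaining = [outer]
    for exc in map(ipaddress.ip_network, allowed):
        if not exc.subnet_of(outer):
            raise ValueError(f"{exc} is not inside {outer}")
        pieces = []
        for net in remaining:
            if exc.subnet_of(net):
                # Split net around the exception and keep everything else.
                pieces.extend(net.address_exclude(exc))
            elif not net.subnet_of(exc):
                pieces.append(net)  # disjoint from the exception
        remaining = pieces
    return sorted(remaining)

def to_ranges(networks):
    """Merge adjacent networks into (from, to) address pairs."""
    ranges = []
    for net in sorted(networks):
        first, last = int(net.network_address), int(net.broadcast_address)
        if ranges and ranges[-1][1] + 1 == first:
            ranges[-1][1] = last      # contiguous: extend the previous range
        else:
            ranges.append([first, last])
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b)))
            for a, b in ranges]

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    nets = block_networks("10.20.0.0/16", ["10.20.30.0/24"])
    print("Block these subnets:", ", ".join(map(str, nets)))
    for start, end in to_ranges(nets):
        print(f"Or block range  From: {start}  To: {end}")
```

With the block rules narrowed this way, no allow rule has to override a block rule; the allowed sub-range is simply never matched by one.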
