I cannot find the SMTP port under "Windows Firewall with Advanced Security", so I'm not sure how Exchange configured the firewall there.
However, I did try to change the IP ranges in the network tab under the receive connector in the hub transport role of the server configuration. This broke everything: I could no longer get email, and I got the following error:
#5.7.1 smtp;530 5.7.1 Client was not authenticated> #SMTP#
I am attaching the file "network_cap_1.JPG" to show what I have before I change anything. "network_cap_2.JPG" shows the EOP IP ranges added, and when I add those I get the above error.
I checked the IP that EOP is using to deliver mail to me and that IP currently is 18.104.22.168, so that should be covered by the 22.214.171.124/24 scope, shouldn't it?
Also, since I am leaving the default 10.1.1.0-10.1.1.0 & 10.1.1.2-10.1.1.255 entries alone, I'm not understanding two things:
1) Why does adding the EOP IPs break everything?
2) Why is any email coming in, since those IP ranges are local and not external?