Windows Server 2025: Firewall Blocks All Traffic from a specific routed subnet when Network Profile is 'Private', despite explicit 'Allow' and IPsec Bypass rules.

I. Problem Summary

A clean installation of Windows Server 2025 (Standard, non-domain-joined) on a virtual machine (Proxmox VE + VirtIO drivers) systematically and repeatedly blocks all network traffic from a specific, correctly routed VPN subnet (10.7.2.0/24).

Crucially, the connection works for a period of time (e.g., an hour) after the firewall profile is toggled (disabled and then re-enabled), but then inexplicably stops working. This behavior is not exclusive to the "Private" profile and occurs on any active profile.

At the same time, traffic from another, more distant routed VPN subnet (10.8.0.0/24) is handled correctly and remains stable, regardless of the firewall's state. The problem is resolved instantly and temporarily by toggling the active firewall profile off and on again.

II. Network Architecture Description

• Virtualization Host: Proxmox VE 8.x
• Virtual Machine: Clean installation of Windows Server 2025 Standard (with the latest VirtIO drivers).
• VM Network Configuration:
  • Single network interface on the 10.10.60.0/24 network (Proxmox vmbr1).
    • VM IP Address: 10.10.60.20
      • Subnet Mask: 255.255.255.0
        • Default Gateway: 10.10.60.1 (the Proxmox host's bridge address).
        • VPN & Routing Topology:
          • Subnet 10.7.2.0/24 (The Problematic Subnet): This is a WireGuard VPN network terminated within an LXC container on the same Proxmox host (P2). The VPN container's IP is 10.10.60.4. A static route exists on the host: ip route add 10.7.2.0/24 via 10.10.60.4. From the VM's perspective, traffic from this subnet arrives from its default gateway (10.10.60.1).
            • Subnet 10.8.0.0/24 (The Working Subnet): This is a WireGuard VPN network terminated on a remote host (M-1) in a different geographical location. Traffic from this network is routed over a Site-to-Site tunnel, a vRack, and multiple hops before reaching the VM.

III. Observed Behavior (The "Firewall Glitch" Cycle)

1. A connection from the problematic subnet 10.7.2.0/24 (e.g., RDP or SQL) initially fails.
2. We disable the active firewall profile on the Windows Server VM (Set-NetFirewallProfile -Enabled False).
3. The connection from 10.7.2.0/24 can now be established successfully.
4. We immediately re-enable the firewall profile (Set-NetFirewallProfile -Enabled True).
5. The existing connection remains active and works correctly for a period of time (e.g., one hour).
6. After this period, the connection is dropped, and all new connection attempts from the 10.7.2.0/24 subnet are blocked again, returning to step 1.
7. Throughout this entire cycle, connections from the 10.8.0.0/24 subnet remain stable and unaffected.

IV. Troubleshooting & Remediation Steps Performed

All of the following advanced troubleshooting steps have been performed and have failed to provide a permanent solution:

1. Network Path Verification: End-to-end network connectivity has been confirmed with ping and tcpdump. Packets from 10.7.2.0/24 correctly arrive at the VM's network interface.
2. TCP Checksum Offloading Disabled: All checksum offloading features have been disabled on the VM's VirtIO network adapter.
3. Specific Allow Rules Created: Precise Allow rules for RDP/SQL ports from the 10.7.2.0/24 source, assigned to all profiles, were created. Result: No effect. The block still occurs after a period of time.
4. Default Rules Disabled: All default "Remote Desktop" group rules were disabled to eliminate conflicts. Result: No effect.
5. Overarching Allow Rule Created: A single, powerful "MASTER ALLOW" rule permitting any protocol and any port from the 10.7.2.0/24 source was created. Result: No effect. The block still occurs.
6. IPsec Bypass Rule Created: A New-NetIPsecRule of type Bypass (-Mode None -InboundSecurity None) was implemented to instruct the filtering engine to ignore default policies for the 10.7.2.0/24 subnet. Result: No effect. The block still occurs.

V. Key Question for Microsoft Support

1. What underlying mechanism in Windows Server 2025, likely related to Network Location Awareness (NLA) or the Base Filtering Engine (BFE), could cause the firewall to "forget" or begin ignoring a valid, existing Allowrule for a specific subnet after a period of time?
2. Why does this behavior only affect traffic from a locally routed subnet (10.7.2.0/24) and not from a remote, multi-hop routed subnet (10.8.0.0/24), and what undocumented policy could be causing this discrepancy?
3. Is this a known issue, and is there a registry key, group policy, or other advanced method to permanently designate a specific subnet as "fully trusted" to prevent this periodic re-evaluation and blocking?I. Problem Summary A clean installation of Windows Server 2025 (Standard, non-domain-joined) on a virtual machine (Proxmox VE + VirtIO drivers) systematically and repeatedly blocks all network traffic from a specific, correctly routed VPN subnet (10.7.2.0/24). Crucially, the connection works for a period of time (e.g., an hour) after the firewall profile is toggled (disabled and then re-enabled), but then inexplicably stops working. This behavior is not exclusive to the "Private" profile and occurs on any active profile. At the same time, traffic from another, more distant routed VPN subnet (10.8.0.0/24) is handled correctly and remains stable, regardless of the firewall's state. The problem is resolved instantly and temporarily by toggling the active firewall profile off and on again. II. Network Architecture Description
   • Virtualization Host: Proxmox VE 8.x
   • Virtual Machine: Clean installation of Windows Server 2025 Standard (with the latest VirtIO drivers).
   • VM Network Configuration:
   • Single network interface on the 10.10.60.0/24 network (Proxmox vmbr1).
   • VM IP Address: 10.10.60.20
   • Subnet Mask: 255.255.255.0
   • Default Gateway: 10.10.60.1 (the Proxmox host's bridge address).
   • VPN & Routing Topology:
   • Subnet 10.7.2.0/24 (The Problematic Subnet): This is a WireGuard VPN network terminated within an LXC container on the same Proxmox host (P2). The VPN container's IP is 10.10.60.4. A static route exists on the host: ip route add 10.7.2.0/24 via 10.10.60.4. From the VM's perspective, traffic from this subnet arrives from its default gateway (10.10.60.1).
   • Subnet 10.8.0.0/24 (The Working Subnet): This is a WireGuard VPN network terminated on a remote host (M-1) in a different geographical location. Traffic from this network is routed over a Site-to-Site tunnel, a vRack, and multiple hops before reaching the VM.
   III. Observed Behavior (The "Firewall Glitch" Cycle)
   1. A connection from the problematic subnet 10.7.2.0/24 (e.g., RDP or SQL) initially fails.
   2. We disable the active firewall profile on the Windows Server VM (Set-NetFirewallProfile -Enabled False).
   3. The connection from 10.7.2.0/24 can now be established successfully.
   4. We immediately re-enable the firewall profile (Set-NetFirewallProfile -Enabled True).
   5. The existing connection remains active and works correctly for a period of time (e.g., one hour).
   6. After this period, the connection is dropped, and all new connection attempts from the 10.7.2.0/24 subnet are blocked again, returning to step 1.
   7. Throughout this entire cycle, connections from the 10.8.0.0/24 subnet remain stable and unaffected.
   IV. Troubleshooting & Remediation Steps Performed All of the following advanced troubleshooting steps have been performed and have failed to provide a permanent solution:
   1. Network Path Verification: End-to-end network connectivity has been confirmed with ping and tcpdump. Packets from 10.7.2.0/24 correctly arrive at the VM's network interface.
   2. TCP Checksum Offloading Disabled: All checksum offloading features have been disabled on the VM's VirtIO network adapter.
   3. Specific Allow Rules Created: Precise Allow rules for RDP/SQL ports from the 10.7.2.0/24 source, assigned to all profiles, were created. Result: No effect. The block still occurs after a period of time.
   4. Default Rules Disabled: All default "Remote Desktop" group rules were disabled to eliminate conflicts. Result: No effect.
   5. Overarching Allow Rule Created: A single, powerful "MASTER ALLOW" rule permitting any protocol and any port from the 10.7.2.0/24 source was created. Result: No effect. The block still occurs.
   6. IPsec Bypass Rule Created: A New-NetIPsecRule of type Bypass (-Mode None -InboundSecurity None) was implemented to instruct the filtering engine to ignore default policies for the 10.7.2.0/24 subnet. Result: No effect. The block still occurs.
   V. Key Question for Microsoft Support
   1. What underlying mechanism in Windows Server 2025, likely related to Network Location Awareness (NLA) or the Base Filtering Engine (BFE), could cause the firewall to "forget" or begin ignoring a valid, existing Allowrule for a specific subnet after a period of time?
   2. Why does this behavior only affect traffic from a locally routed subnet (10.7.2.0/24) and not from a remote, multi-hop routed subnet (10.8.0.0/24), and what undocumented policy could be causing this discrepancy?
   3. Is this a known issue, and is there a registry key, group policy, or other advanced method to permanently designate a specific subnet as "fully trusted" to prevent this periodic re-evaluation and blocking?