I see a strange behavior with Add-VMNetworkAdapterExtendedAcl and IPv6. When a rule with an IPv6 subnet in the RemoteIPAddress is used, other matching allow rules are ignored.
Windows Server 1809 17763.55
Demonstration
$VMName = "my.vm.local"
$SwitchName = "External"
$ExternalIP4 = "1.1.1.1/30"
$ExternalIP6 = "2:3:4:5::/64"
$VMNetworkAdapter = Get-VMNetworkAdapter -VMName $VMName | Where-Object -Property SwitchName -EQ $SwitchName
# remove all acls from VM
Get-VMNetworkAdapterExtendedAcl -VMName $VMName | Remove-VMNetworkAdapterExtendedAcl
# Allow SMTP 25 (later referred to as Rule 1)
Add-VMNetworkAdapterExtendedAcl -VMNetworkAdapter $VMNetworkAdapter -Action "Allow" -Direction "Inbound" -LocalPort 25 -Protocol "TCP" -Weight 10 -Stateful $True
# Traffic between VMs with external IPv6 (Rule 2)
Add-VMNetworkAdapterExtendedAcl -VMNetworkAdapter $VMNetworkAdapter -Action "Allow" -Direction "Inbound" -RemoteIPAddress $ExternalIP6 -Weight 11
# Block all incoming
Add-VMNetworkAdapterExtendedAcl -VMNetworkAdapter $VMNetworkAdapter -Action "Deny" -Direction "Inbound" -Weight 1
What I'm expecting is that telnet 2:3:4:5::4 25 works. However, this is not the case.
Now if I exchange the weights of rules 1 and 2, it works as expected:
# Allow SMTP 25 (later referred to as Rule 1)
Add-VMNetworkAdapterExtendedAcl -VMNetworkAdapter $VMNetworkAdapter -Action "Allow" -Direction "Inbound" -LocalPort 25 -Protocol "TCP" -Weight 11 -Stateful $True
# Traffic between VMs with external IPv6 (Rule 2)
Add-VMNetworkAdapterExtendedAcl -VMNetworkAdapter $VMNetworkAdapter -Action "Allow" -Direction "Inbound" -RemoteIPAddress $ExternalIP6 -Weight 10
What is interesting is that it works correctly when using an IPv4 subnet:
# Allow SMTP 25 (later referred to as Rule 1)
Add-VMNetworkAdapterExtendedAcl -VMNetworkAdapter $VMNetworkAdapter -Action "Allow" -Direction "Inbound" -LocalPort 25 -Protocol "TCP" -Weight 10 -Stateful $True
# Traffic between VMs with external IPv4 (Rule 2)
Add-VMNetworkAdapterExtendedAcl -VMNetworkAdapter $VMNetworkAdapter -Action "Allow" -Direction "Inbound" -RemoteIPAddress $ExternalIP4 -Weight 11
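The following script is an added example, not the original poster's code. It rebuilds the same three-rule set with the weights as parameters, then reads the rules back from the switch port so you can confirm which weight each rule actually received and whether the IPv6 prefix was stored as written. The VM name, switch name and addresses are the placeholders from the post; $PortRuleWeight and $SubnetRuleWeight are hypothetical parameter names, with defaults set to the ordering the poster reports as working (port-specific allow above the subnet allow).

```powershell
# Added example: apply the poster's rule set with parameterised weights and verify
# the resulting extended ACL on the Hyper-V host. Run in an elevated session.
param(
    [string]$VMName          = "my.vm.local",   # placeholder from the post
    [string]$SwitchName      = "External",
    [string]$ExternalIP6     = "2:3:4:5::/64",
    [int]$PortRuleWeight     = 11,   # Rule 1: TCP/25 allow (hypothetical parameter)
    [int]$SubnetRuleWeight   = 10    # Rule 2: IPv6 subnet allow (hypothetical parameter)
)

$adapter = Get-VMNetworkAdapter -VMName $VMName |
    Where-Object -Property SwitchName -EQ $SwitchName
if (-not $adapter) { throw "No adapter on switch '$SwitchName' for VM '$VMName'." }

# Start from a clean slate so only the rules applied below are present.
Get-VMNetworkAdapterExtendedAcl -VMNetworkAdapter $adapter |
    Remove-VMNetworkAdapterExtendedAcl

# Same three rules as the post; splatting keeps each rule's parameters together.
$rules = @(
    @{ Action = 'Allow'; Direction = 'Inbound'; LocalPort = 25; Protocol = 'TCP'
       Weight = $PortRuleWeight; Stateful = $true }
    @{ Action = 'Allow'; Direction = 'Inbound'; RemoteIPAddress = $ExternalIP6
       Weight = $SubnetRuleWeight }
    @{ Action = 'Deny';  Direction = 'Inbound'; Weight = 1 }   # default deny, lowest weight
)
foreach ($r in $rules) {
    Add-VMNetworkAdapterExtendedAcl -VMNetworkAdapter $adapter @r
}

# Read back what the switch port holds, highest weight first, so the effective
# evaluation order is visible rather than assumed.
$applied = Get-VMNetworkAdapterExtendedAcl -VMNetworkAdapter $adapter |
    Sort-Object Weight -Descending
$applied | Format-Table Weight, Action, Direction, RemoteIPAddress, LocalPort, Protocol, Stateful -AutoSize

# Two rules sharing a weight make the outcome order-dependent; flag that explicitly.
$dupes = $applied | Group-Object Weight | Where-Object Count -gt 1
if ($dupes) { Write-Warning "Rules with duplicate weights: $($dupes.Name -join ', ')" }
```

Run it once with the defaults and once with the weights swapped (-PortRuleWeight 10 -SubnetRuleWeight 11) and compare the two tables; if the stored rules are identical apart from the weights, the difference in reachability of TCP/25 from a host in the IPv6 subnet comes from the weight ordering alone, which is the behavior the post describes.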