Windows 10: Why is Windows 11 Defender Firewall blocking an inbound port with inbound rule set up?

I'm setting up a Windows 11 system. I have some software I'm trying out on the system called Stickies by Zhorsoftware that has been around for quite some time, not to be confused with Sticky Notes by Microsoft. I'm using the latest version of Stickies. Also, Windows 11 is current on updates.Stickie notes should be able to

:)

 

Why is Windows Defender Firewall blocking an inbound port?

I have Windows 11 and am using Xfinity as my ISP.
I have port forwarded Port 2346 in my router.
In Defender Firewall I have set up an Inbound Rule for Port 2346 to "Allow the connection."
Defender Firewall is still blocking the port. I know it is Defender Firewall because if I turn it off then the port is no longer blocked. When I turn Defender Firewall back on the port is blocked.

How do I fix this so that I can keep Defender Firewall running and not block the port?

 

Inbound Firewall Rule that Blocks

Code:

Please help me understand how the 2 Inbound Rules created by MMC actually operate.

Action, Enabled, Service, Program,                     Protocol

Block,  Yes,     Any,     C:\windows\system32\mmc.exe, TCP

Block,  Yes,     Any,     C:\windows\system32\mmc.exe, UDP
If these 2 rules were Outbound Rules, I'd say that client process 'mmc.exe' is blocked.

But applying equivalent logic (that 'mmc.exe' is blocked) to Inbound Rules doesn't make sense -- why would 'mmc.exe' (which created these Rules) block itself?

What (somewhat) makes sense is that 'mmc.exe' is a requester, and that these rules block all TCP & UDP datagrams & all processes.

If so, then there's quite a difference between Outbound & Inbound Rules.

In Outbound Rules, 'Program' specifies the target (the process that's blocked), whereas in Inbound Rules, 'Program' specifies the requester (the process that provokes blocking).

This is crucial reasoning because, if correct, then, as a consequence, every process is the target of Inbound Rules that Block.

What about Inbound Rules that Allow? I've always assumed that an Inbound+Allow means the specified 'Program' installs a listener (i.e., has handler(s) for the specified socket(s)).

I think that's pretty straightforward.

I've read what Microsoft provides and it's grossly inadequate -- what a surprise, eh?

Microsoft documentation presents only trivial explanation of how to complete the fields (example: "Type the path to the program in the text box"), or the tutorial's scope is limited (example: "On the Action page, select Allow the connection, and then click
 Next" -- no mention of "Block the connection").

Other web hits are just plain wrong (examples: "Program – Block or allow a program"; "Program - creates rule that controls connections for an app or program"; "if you are downloading a file through BitTorrent, the download of that file is filtered through an
 inbound rule" -- Rules control connections, not streams) or show ridiculous cases (example: "I want to block all outgoing connections on port 80").
Does anyone know of an architectural reference or guidebook that explains how Firewall Rules are implemented in a running system?
Warm Regards -- Mark.

 

Inbound firewall rule for trusted subnets not working as expected

I'm trying to create a basic domain firewall policy (primarily for Win7) that does two things;

Allow two trusted subnets inbound connection to the host on ALL ports (so essentially open)

Block everything else

All outbound traffic will be unfiltered - only the inbound traffic is being controlled.

I created a domain firewall policy

I added an 'allow trusted subnets' inbound rule, which is as follows;

Action: Allow the connection

Allow all programs

Protocol Type: Any

Scope

Local IP addresses: Any

Remote IP addresses: My two subnets in CIDR annotation

Advanced

Profile: Domain

Block Edge traversal

I then set the Domain profile firewall state to ON, and set Inbound to Block (default) and Outbound to Allow (default). Running RSoP shows the policy is being applied, but here's the problem. Windows still allows inbound connectivity from all untrusted subnets!
My understanding is that setting the Domain policy state to ON means that all traffic inbound will be blocked unless specifically allowed, and I specifically allowed connectivity from only two trusted subnets!

I tried created a 'Deny All' rule after the allow one (even though that should be implied), and that worked great - it blocked everything inbound, even my trusted subnets!!!

Anyone have any idea what's going on here. I'm very familiar with firewalls in general, but this just isn't working as it should do. No other firewall policies are being applied according to RSoP and my testing.

Thanks