The Firewalla VPN Server requires its port to be accessible from outside your network. If your Firewalla is running in router mode and has a public IP address, Firewalla will take care of everything for you, with no need to take extra steps to set up port forwarding. If you're using OpenVPN, Firewalla's upstream router has UPnP enabled, and your box isn't in router mode, Firewalla will also automatically set up port forwarding for you via UPnP.
In all other cases, you will need to manually set up port forwarding on your home router.
By default, Firewalla uses UDP port 1194 for OpenVPN and UDP port 51820 for WireGuard VPN. You need to map your upstream router's public port to the same port on Firewalla's local IP address.
If you have a double NAT setup and are looking for instructions on how to configure port forwarding on the second router, just replace the IP address of your Firewalla box in Step 2 with the IP address of your first router. The rest of these instructions are the same.
On your VPN Server's Setup page, Firewalla will automatically detect whether port forwarding needs to be set up manually. If it does, the app will display a "Need Manual Setup" link. Tap on the link and follow the instructions to set it up.
Step 1: Get the IP Address of your Firewalla Box
If you have a single WAN setup with Firewalla, tap on the gear button on the top right of your box's main page. The number in the IP Address field is your box's IP Address.
If you have a dual-WAN setup, you may need to set up port forwarding on both of your upstream routers in order to make both WANs work properly.
On your box's main page, tap Network Manager, tap on the WAN connections, and write down each of their IP Addresses.
Note: if Firewalla is in DHCP mode, and your overlay network is configured to be the same subnet as the primary network, the VPN server may use Firewalla's IP address in the overlay network to talk with VPN clients instead of the IP address in the primary network. When configuring port forwarding, make sure you forward to Firewalla's IP address in the overlay network. On Firewalla Red, Blue, or Blue Plus, you can check the IP address information in Settings -> Advanced -> Network Settings.
Step 2: Set up Port Mapping on your Router
We'll use Apple AirPort as an example here. For other brands of routers, we recommend checking out this website for detailed instructions. If your router is not listed and you have trouble setting up port mapping, please email us at firstname.lastname@example.org.
On AirPort Utility, select the base station > Edit > Network tab:
- Click the "+" (Add) button under Port Settings or Port Mappings.
- Description: <enter: Firewalla VPN>
- Public UDP Ports: <enter 1194>
- Public TCP Ports: <leave blank>
- Private IP Address: <enter the IP address from Step 1>
- Private UDP Ports: <enter 1194>
- Private TCP Ports: <leave blank>
- Click "Save"
- Click "Update"
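
The same mapping expressed as iptables rules for a Linux-based upstream router, as an added example (not Firewalla's own code and not part of the original instructions). The interface name eth0 and the address 192.168.1.50 are constructed placeholders; the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for a Linux-based
# upstream router. Interface name and Firewalla IP are constructed samples.

# vpn_port <openvpn|wireguard>: default UDP port given on this page.
vpn_port() {
    case "$1" in
        openvpn)   echo 1194 ;;
        wireguard) echo 51820 ;;
        *)         return 1 ;;
    esac
}

# is_ipv4 <addr>: succeeds only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# forward_rules <wan_if> <firewalla_ip> <openvpn|wireguard>
forward_rules() {
    port=$(vpn_port "$3") || { echo "unknown VPN type: $3" >&2; return 1; }
    is_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 1; }
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name: $1" >&2; return 1 ;;
    esac
    # NAT: rewrite only UDP traffic for the VPN port, same port on both sides.
    echo "iptables -t nat -A PREROUTING -i $1 -p udp --dport $port -j DNAT --to-destination $2:$port"
    # Filter: permit the forwarded flow to the Firewalla box only; no TCP rule.
    echo "iptables -A FORWARD -i $1 -p udp -d $2 --dport $port -j ACCEPT"
}

# Sample run with the constructed values (the Step 1 address goes second).
forward_rules eth0 192.168.1.50 openvpn
```

In a double NAT setup, generate the rules for the second router with the first router's IP address in place of the Firewalla address, as described above.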