Create Port Forwarding on Gold/Purple Series

Follow

Comments

13 comments

  • Avatar
    firewalla

    Hi. Can you change the example port mapping to use a different external vs internal port ?

    It's not clear which port number is being used in the Rule you create.

     

    Thanks.

    1
    Comment actions Permalink
  • Avatar
    Geoff Akens

    First, thanks for adding this feature.  It's very useful for self-hosting services behind the Cloudflare DNS proxy.  With this option, I can now limit access to my server to ONLY Cloudflare IP addresses.

    When setting this up, I noticed a bug (I think), and have a suggestion for how the feature could be improved.

    Bug:  I needed to configure rules for every Cloudflare IP range, and for both TCP/80 and TCP/443 (a total of 42 rules).  Adding this many rules is tedious from a phone interface, so I used the web interface.  However, the rules created by the web interface are outbound only, when I wanted inbound only rules.  The web interface does not seem to have a way to specify whether the rule should be inbound or outbound.  I had to use the phone interface to update the rules to be inbound only.

    Improvements:

    1.  Allow multiple ports per rule (i.e. 80, 443).  Currently, I can only add either a single port or a port range.

    2.  Allow custom regions.  It would be nice to be able to create a custom "Cloudflare" region with all of the Cloudflare IP ranges, and then just create a single rule allowing traffic from that region.

    1
    Comment actions Permalink
  • Avatar
    Raul

    @Geoff

    Just set up my Firewalla Purple and I also ran into that same bug with Outbound only rules using the Web GUI. I've found that the Web GUI is very limited in functionality. I've been using it just for reporting/graph purposes. Hopefully the Firewalla team invests more time in the Web GUI when they have the resources.

    Otherwise, amazing product, still tinkering and finding new ways to secure my app-heavy network.

    0
    Comment actions Permalink
  • Avatar
    Ben Smith

    While this article is great, if the device (ie. MyMac) is in a group, how to you select this device? I put all my devices into different groups, so step here "applied the rule to Device MyMac." doesn't work, unless I'm missing something, I can find no way to select a device (ie. my server) which is in a group.

    0
    Comment actions Permalink
  • Avatar
    Support Team

    @Ben Currently, if your device is added to a group, there will be a limit on our app that only allows you to apply rules to the entire group. But I do see the reason why a rule with the local port specified should be a special case. I'll forward your comments to the team and see if we can support this type of rules in future updates. 

     

    2
    Comment actions Permalink
  • Avatar
    Raul

    @Firewalla, add my support for this as well! I had to remove a device from a group due to not being able to add a device-specific local port rule to a device due to being part of a group.

    2
    Comment actions Permalink
  • Avatar
    Eric Flores

    Please correct me if I'm wrong, but as I understand this article, enabling 'Allow on Firewall', as special as it sounds, is the normal NAT behavior from other routers. Right?

    Disabling it can be used to specify a source using rules now, but the implementation will improve in the future.

    0
    Comment actions Permalink
  • Avatar
    Support Team

    "Alow on Firewall" is a firewall rule, not a NAT configuration. When it's disabled, the NAT mapping will still be established, but the firewall will block all traffic by default.

    As you said, with "Allow on Firewall" disabled, you can use Rules to specify what source can access the port. If "Allow on Firewall" is enabled, basically it allows everywhere to access the port.

    0
    Comment actions Permalink
  • Avatar
    Michael Turchin

    Say I was to forward a port where the internal port maps to my Mac OS Server. For the allow rules on ingress traffic, there is target list, IP address, IP address range, and Region.

    I am always hesitant about opening up ports on my network as it is - is there anyway to *only* allow ingress traffic from a specific device (I.e., I only want to allow traffic from my MacBook Pro)? If not now, would this be something that is even possible to do in the future by only allowing ingress traffic from a specific MAC address?

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    @Michael, if you want specific devices to access, have you tried using the VPN server feature? This way, you don't have to open ports, or manage complex IP list to know where your MAC is at?

    0
    Comment actions Permalink
  • Avatar
    Thomas Bergman

    @Firewalla, is there a way to permit the port forwarding rule based on the ingress host name? For instance, mapping a.domain.com to the internal address of 10.0.0.1 and b.hostname.com to 10.0.0.2?

    1
    Comment actions Permalink
  • Avatar
    Joshua Manton

    @Firewalla It is really import for me to do port forwarding based on the ingress host name. My Gold Plus has a domain name associated with it using DDNS. I can create unlimited subdomains to point to different service/host combinations on the internal network. Let's say I wanted to ssh to internal server A. The request coming through the WAN connection would be A.mydomain.com on port 22.  I can then forward that to the correct host on the internal network. 

    0
    Comment actions Permalink
  • Avatar
    Rafael Martinez

    Have a feature request/improvement for the UPNP toggle. Wanted to explore the setting since I'll probably be setting up VLANs soon, and when I hit the toggle for UPNP to see the submenus inside regarding networks, I immediately got notices about devices already opening ports. You should let us configure the network portion before actually "enabling" UPNP so we get to decide what to apply it to before it turns on. Just a thought.

    0
    Comment actions Permalink

Please sign in to leave a comment.