This doc does NOT apply to Firewalla: Transparent Bridge Mode
Gold and Purple series boxes maintain private networks in Router mode and DHCP modes. By default, Firewalla blocks inbound traffic from the public internet to secure your network. If you want to access a local device or server from the public internet, port forwarding is one way to let that traffic in.
- How to do port forwarding?
- How to limit access to the open port?
- Is my device still protected by Firewalla security protection?
How to do port forwarding?
On the box's main page, tap Network to open Network manager, then tap NAT Settings > Port forwarding > Add Port Forwarding to create a new port forwarding.
Some devices may have multiple IP addresses associated with their MAC address. In this case, Firewalla may not be able to discover them as normal devices. Firewalla lets you create port forwarding per device or IP.
You can also do Port Forwarding via a Specified WAN or VPN. When setting up port forwarding, the interface will be set to all WAN interfaces by default. You can change this to any specific WAN or VPN client interface. To learn more, see our video tutorial.
Note that specifying a WAN or VPN only allows one port forwarding for each external port per WAN IP. Additionally, AnyConnect VPNs are not supported as of box version 1.975.
How to limit access to the open port?
To keep your network as secure as possible with ports open, Firewalla supports limiting ingress traffic for a port forward rule. When you create a port forward, the Ingress firewall rule option controls access to the open port.
- Any Sources: All ingress traffic will always be allowed.
- None: All ingress traffic will be blocked unless allow rules are created on the local port. This lets you schedule access via separate rules, or it can be used to "pause" the port forwarding indefinitely.
- Selected Sources: Only selected sources will be allowed. For example:
Is my device still protected by Firewalla security protection?
Yes. Security rules and policy rules always have the highest priority in our system. The allow rules on the local ports will not bypass the security rules.
How to debug when the port still shows as closed in an external port scan?
- Check if there is another rule blocking the traffic. Learn more about rule logic.
- Check if there is double NAT. If you have another router in front of Firewalla with DHCP turned on, you may have double NAT. How to see if you have a public IP address?
- Check if there is a firewall running on your local device such as a NAS.
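The double NAT check above can be scripted by classifying the IPv4 address Firewalla shows on its WAN interface. This is an added example, not Firewalla's own code; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# IPv4 ranges that cannot receive unsolicited inbound traffic from the internet.
NON_PUBLIC_RANGES = {
    # Private space: an upstream router is handing out addresses (double NAT).
    "rfc1918": [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    # RFC 6598 shared space: the ISP is doing carrier-grade NAT.
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
    # Self-assigned address: the WAN port never got a DHCP lease.
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
}


def classify_wan_ip(wan_ip):
    """Return 'rfc1918', 'cgnat', 'link-local' or 'public' for a WAN address."""
    addr = ipaddress.IPv4Address(wan_ip)  # raises ValueError on bad input
    for label, networks in NON_PUBLIC_RANGES.items():
        if any(addr in net for net in networks):
            return label
    return "public"


def double_nat_suspected(wan_ip, external_ip=None):
    """True if a port forward on this WAN address cannot be reached directly.

    external_ip is optional: the address an outside "what is my IP" service
    reports. If it differs from the WAN address, something upstream is
    translating traffic even though the WAN address looks public.
    """
    if classify_wan_ip(wan_ip) != "public":
        return True
    if external_ip is not None:
        return ipaddress.IPv4Address(wan_ip) != ipaddress.IPv4Address(external_ip)
    return False


if __name__ == "__main__":
    # Constructed samples; 203.0.113.10 stands in for a real public address.
    for ip in ("192.168.1.23", "100.72.5.9", "169.254.10.4", "203.0.113.10"):
        print(f"{ip:15} {classify_wan_ip(ip):10} "
              f"double NAT suspected: {double_nat_suspected(ip)}")
```

If the WAN address is classified as rfc1918, the port also has to be forwarded on the upstream router (or that router put into bridge mode); if it is cgnat, only the ISP can provide a reachable address.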
In a future release, we are going to integrate the option to specify source in the port forwarding UI, so it will be more intuitive and easy to use.