This doc does NOT apply to Firewalla: Transparent Bridge Mode.
This article explains how to manage port forwarding on the Firewalla Gold and Purple series. If you are setting up the Firewalla VPN Server and want to know how to create port forwarding on your upstream router, please consult this article: Setting Up VPN Server Port Forwarding.
Gold and Purple series boxes maintain private networks in Router and DHCP modes. Firewalla will block inbound traffic from the public by default to secure your network. If you want to access your local device or server from the public, port forwarding is an approach to letting your traffic in.
- How do I do automatic port forwarding with UPnP?
- How do I set up manual port forwarding?
- How do I limit access to the open port?
- Is my device still protected by Firewalla's security protection?
- How do I debug when the port still shows closed per external port scan?
VPN or Port Forward?
A port forward is needed if you want to reach a device inside your network from the internet. It is always 'better' to reach the device through the VPN Server instead: every connection is then encrypted, and the VPN port is highly secure. See https://help.firewalla.com/hc/en-us/articles/115004274633-Firewalla-VPN-Server for details.
How do I do automatic port forwarding with UPnP?
UPnP allows applications on a device to automatically open ports on a router for internet access, enabling features like gaming, streaming, and remote access without manual port forwarding. While it simplifies connectivity, leaving UPnP enabled can expose a network to potential security risks, as unauthorized devices could open ports without user oversight. We suggest using manual port forwarding.
For users who only want to enable UPnP on specific networks, say a gaming VLAN, we now provide the ability to configure it per local network. This is much safer than enabling it on all networks.
- In Network Manager, go to NAT Settings > Port Forwardings, tap Apply To > Specific Networks, and you can check/uncheck your networks.
(Please note there is a known issue that the UPnP ports will be hidden 30 mins after expiration or disabling. So, you may not see an immediate change after turning off UPnP on your networks even though the ports are already closed and UPnP is disabled. This issue will be fixed in the upcoming release.)
How do I set up manual port forwarding?
On the box's main page, tap Network to open Network Manager, then tap NAT Settings > Port Forwarding > Add Port Forwarding to create a new port forwarding rule.
Some devices have multiple IP addresses associated with one MAC address, and Firewalla may not be able to discover such devices as normal devices. For this reason, Firewalla lets you create a port forward either per device or per IP address.
You can also do Port Forwarding via a Specified WAN or VPN. When setting up port forwarding, the interface will be set to all WAN interfaces by default. You can change this to any specific WAN or VPN client interface. To learn more, see our video tutorial.
Note that when you specify a WAN or VPN interface, only one port forward is allowed for each external port per WAN IP. Additionally, Port Forwarding is not supported on AnyConnect VPNs.
How do I limit access to the open port?
To keep your network as secure as possible while ports are open, Firewalla supports limiting ingress traffic for a port forward rule. When you create a port forward, there is an option called "Ingress Firewall". This option controls access to the open port.
- None: All ingress traffic will be blocked unless allow rules are created on the local port. It provides an option to schedule access via separate rules or can be used to "pause" the port forwarding indefinitely.
- Any Sources: All ingress traffic will always be allowed.
- Selected Sources: Only the sources you select (by target list, IP address, IP address range, or region) will be allowed.
Is my device still protected by Firewalla's security protection?
Yes. Security rules and policy rules are always the highest priority in our system. The allow rules on the local ports will not bypass the security rules.
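The decision order described above (security and policy rules first, then the NAT mapping, then the Ingress Firewall option) as an added example in Python. This is illustrative code written for this article, not Firewalla's rule engine: the data class fields, the `AllowRule` type and the result strings are assumptions made for the illustration, and the addresses and ranges are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Sequence

# Added example: field names and result strings are assumptions for this
# illustration, not Firewalla's internal representation.


@dataclass
class PortForward:
    protocol: str                  # "tcp" or "udp"
    external_port: int             # port opened on the WAN side
    internal_ip: str               # LAN device the traffic is sent to
    internal_port: int             # port on that device (the "local port")
    ingress: str                   # Ingress Firewall option: "none", "any" or "selected"
    selected_sources: List[str] = field(default_factory=list)  # CIDRs for "selected"


@dataclass
class AllowRule:
    """A separate allow rule on the local port, which the 'None' option relies on."""
    source: str                    # CIDR the rule allows
    local_port: int


def _in_any(ip, cidrs: Sequence[str]) -> bool:
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def decide(fwd: PortForward, src_ip: str, protocol: str, dst_port: int,
           allow_rules: Sequence[AllowRule] = (),
           security_blocks: Sequence[str] = ()) -> str:
    """Return what happens to one inbound connection attempt.

    Security/policy rules are checked first and are never bypassed by an allow
    rule on the local port; then the NAT mapping must match; then the Ingress
    Firewall option decides.
    """
    src = ipaddress.ip_address(src_ip)
    # 1. Security and policy rules have the highest priority.
    if _in_any(src, security_blocks):
        return "blocked:security"
    # 2. No matching port forward: the default inbound block applies.
    if protocol != fwd.protocol or dst_port != fwd.external_port:
        return "blocked:default"
    target = f"forwarded:{fwd.internal_ip}:{fwd.internal_port}"
    # 3. Ingress Firewall option on the port forward itself.
    if fwd.ingress == "any":
        return target
    if fwd.ingress == "selected" and _in_any(src, fwd.selected_sources):
        return target
    if fwd.ingress == "none":
        # The NAT mapping exists, but only an explicit allow rule on the
        # local port lets traffic through (this is how "pausing" works).
        if any(r.local_port == fwd.internal_port and _in_any(src, [r.source])
               for r in allow_rules):
            return target
    return "blocked:ingress"


def demo() -> dict:
    """Constructed sample: HTTPS forwarded to a LAN web server at 192.168.1.20."""
    web = PortForward("tcp", 443, "192.168.1.20", 443, "selected",
                      selected_sources=["203.0.113.0/24"])     # constructed range
    paused = PortForward("tcp", 443, "192.168.1.20", 443, "none")
    allow = [AllowRule("203.0.113.0/24", 443)]
    return {
        "selected_match": decide(web, "203.0.113.7", "tcp", 443),
        "selected_other": decide(web, "198.51.100.9", "tcp", 443),
        "wrong_protocol": decide(web, "203.0.113.7", "udp", 443),
        "security_wins": decide(web, "203.0.113.7", "tcp", 443,
                                security_blocks=["203.0.113.0/24"]),
        "none_no_rule": decide(paused, "203.0.113.7", "tcp", 443),
        "none_with_rule": decide(paused, "203.0.113.7", "tcp", 443,
                                 allow_rules=allow),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

The `security_wins` case is the one worth noticing: the source is on the selected list and would otherwise be forwarded, but a security rule covering it is evaluated first, so the allow never comes into play.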
How do I debug when the port still shows closed per external port scan?
- Check if there is another rule blocking the traffic (see: Learn more about rule logic).
- Check if there is double NAT. If you have another router in front of Firewalla with DHCP turned on, you may have double NAT (see: How to see if you have a public IP address?).
- Check if there is a firewall running on your local device such as a NAS.
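A small LAN-side check for the last two debugging steps, added here as an example and not part of Firewalla's tooling. It classifies the address Firewalla shows on its WAN interface (a private or carrier-grade NAT address means something upstream is doing NAT), compares it with the public address an external lookup reports, and tests from inside the LAN whether the internal device actually answers on its local port. The address ranges are the standard RFC 1918 / RFC 6598 blocks; the sample addresses in the checks are constructed, and the function names are assumptions for this illustration.

```python
import ipaddress
import socket

# Added example, not Firewalla's code. Sample addresses below are constructed.

CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 carrier-grade NAT
NON_PUBLIC = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),           # link-local: no DHCP lease at all
    ipaddress.ip_network("127.0.0.0/8"),
    CGNAT,
]


def classify_wan_ip(wan_ip: str) -> str:
    """Classify the address shown on Firewalla's WAN interface."""
    ip = ipaddress.ip_address(wan_ip)
    for net in NON_PUBLIC:
        if ip in net:
            return "cgnat" if net == CGNAT else "private"
    return "public"


def double_nat_diagnosis(wan_ip: str, observed_public_ip: str = "") -> str:
    """Combine the WAN address with the address an external lookup reports.

    observed_public_ip is what a 'what is my IP' service shows to a LAN client;
    pass "" if you have not looked it up.
    """
    kind = classify_wan_ip(wan_ip)
    if kind == "private":
        return "double NAT: an upstream router hands Firewalla a private address"
    if kind == "cgnat":
        return "carrier NAT: the ISP shares one public address, inbound forwards cannot reach you"
    if observed_public_ip and \
            ipaddress.ip_address(observed_public_ip) != ipaddress.ip_address(wan_ip):
        return "double NAT: the public IP differs from the WAN address"
    return "ok: Firewalla holds the public address"


def tcp_port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Test from inside the LAN whether the internal service answers on its local port.

    If this fails from the LAN, an external scan will fail too, and the cause is
    the device's own firewall or service rather than the port forward.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def local_listener_demo() -> tuple:
    """Self-contained check: an open local port reports True, a closed one False."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                        # OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = tcp_port_reachable("127.0.0.1", port, timeout=1.0)
    srv.close()
    closed_result = tcp_port_reachable("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    print(double_nat_diagnosis("192.168.0.5"))                    # constructed WAN address
    print(double_nat_diagnosis("100.70.1.2"))                     # constructed CGNAT address
    print(double_nat_diagnosis("203.0.113.5", "203.0.113.5"))     # constructed public address
    print(local_listener_demo())
```

Run `tcp_port_reachable("<internal ip>", <local port>)` from a machine on the same network as the forwarded device before spending time on the port forward itself; a `False` there points at the NAS or server's own firewall.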
Comments
Hi. Can you change the example port mapping to use a different external vs internal port?
It's not clear which port number is being used in the Rule you create.
Thanks.
First, thanks for adding this feature. It's very useful for self-hosting services behind the Cloudflare DNS proxy. With this option, I can now limit access to my server to ONLY Cloudflare IP addresses.
When setting this up, I noticed a bug (I think), and have a suggestion for how the feature could be improved.
Bug: I needed to configure rules for every Cloudflare IP range, and for both TCP/80 and TCP/443 (a total of 42 rules). Adding this many rules is tedious from a phone interface, so I used the web interface. However, the rules created by the web interface are outbound only, when I wanted inbound only rules. The web interface does not seem to have a way to specify whether the rule should be inbound or outbound. I had to use the phone interface to update the rules to be inbound only.
Improvements:
1. Allow multiple ports per rule (i.e. 80, 443). Currently, I can only add either a single port or a port range.
2. Allow custom regions. It would be nice to be able to create a custom "Cloudflare" region with all of the Cloudflare IP ranges, and then just create a single rule allowing traffic from that region.
@Geoff
Just set up my Firewalla Purple and I also ran into that same bug with Outbound only rules using the Web GUI. I've found that the Web GUI is very limited in functionality. I've been using it just for reporting/graph purposes. Hopefully the Firewalla team invests more time in the Web GUI when they have the resources.
Otherwise, amazing product, still tinkering and finding new ways to secure my app-heavy network.
While this article is great, if the device (i.e. MyMac) is in a group, how do you select this device? I put all my devices into different groups, so the step here "applied the rule to Device MyMac." doesn't work, unless I'm missing something; I can find no way to select a device (i.e. my server) which is in a group.
@Ben Currently, if your device is added to a group, there is a limit in our app that only allows you to apply rules to the entire group. But I do see the reason why a rule with the local port specified should be a special case. I'll forward your comments to the team and see if we can support this type of rule in future updates.
@Firewalla, add my support for this as well! I had to remove a device from a group due to not being able to add a device-specific local port rule to a device due to being part of a group.
Please correct me if I'm wrong, but as I understand this article, enabling 'Allow on Firewall', as special as it sounds, is the normal NAT behavior from other routers. Right?
Disabling it can be used to specify a source using rules now, but the implementation will improve in the future.
"Allow on Firewall" is a firewall rule, not a NAT configuration. When it's disabled, the NAT mapping will still be established, but the firewall will block all traffic by default.
As you said, with "Allow on Firewall" disabled, you can use Rules to specify what source can access the port. If "Allow on Firewall" is enabled, basically it allows everywhere to access the port.
Say I was to forward a port where the internal port maps to my Mac OS Server. For the allow rules on ingress traffic, there are target list, IP address, IP address range, and Region.
I am always hesitant about opening up ports on my network as it is - is there anyway to *only* allow ingress traffic from a specific device (I.e., I only want to allow traffic from my MacBook Pro)? If not now, would this be something that is even possible to do in the future by only allowing ingress traffic from a specific MAC address?
@Michael, if you want specific devices to have access, have you tried using the VPN server feature? This way, you don't have to open ports or manage a complex IP list to know where your Mac is.
@Firewalla, is there a way to permit the port forwarding rule based on the ingress host name? For instance, mapping a.domain.com to the internal address of 10.0.0.1 and b.hostname.com to 10.0.0.2?
@Firewalla It is really important for me to do port forwarding based on the ingress host name. My Gold Plus has a domain name associated with it using DDNS. I can create unlimited subdomains to point to different service/host combinations on the internal network. Let's say I wanted to ssh to internal server A. The request coming through the WAN connection would be A.mydomain.com on port 22. I can then forward that to the correct host on the internal network.
Have a feature request/improvement for the UPNP toggle. Wanted to explore the setting since I'll probably be setting up VLANs soon, and when I hit the toggle for UPNP to see the submenus inside regarding networks, I immediately got notices about devices already opening ports. You should let us configure the network portion before actually "enabling" UPNP so we get to decide what to apply it to before it turns on. Just a thought.