This doc does NOT work for Firewalla: Transparent Bridge Mode
Gold and Purple maintain private networks in router mode and DHCP mode. Firewalla will block inbound traffic from the public to secure your network by default. If you want to access your local device or server from the public, port forwarding is an approach to let your traffic in.
How to limit access to the open port?
Is my device still be protected by Firewalla security protection?
How to do port forwarding?
On box main page, tap Network to open Network manager, tap NAT Settings -> Port forwarding -> Add Port Forwarding to create a new port forwarding.
Some devices may have multiple IP addresses associated with the MAC address, in this case, Firewalla may not be able to discover them as normal devices. Firewalla lets you create port forwarding per device or IP.
In the 1.52 app release, you can now also do Port Forwarding via a Specified WAN or VPN. When setting up port forwarding, the interface will be set to all WAN interfaces by default. You can change this to any specific WAN or VPN client interface. Watch a video tutorial or read more about this feature in our 1.52 App Release Notes.
How to limit access to the open port?
To keep your network as secure as possible with ports open, Firewalla supports limiting ingress traffic through the open. When you are creating a port forwarding, there will be an option Ingress firewall. This option controls how the open port is managed.
- Any Sources: All ingress traffic will always be allowed.
- None: All ingress traffic will be blocked unless allow rules are created on the local port. It provides an option to schedule the access via separate rules.
- Selected Sources: Only selected sources will be allowed.
Is my device still be protected by Firewalla security protection?
Yes. Security rules and policy rules always have the highest priority in our system. The allow rules on the local ports will not bypass the security rules.
How to debug when the port still shows closed per external port scan?
- Check if there is another rule blocking the traffic. Learn more about rule logic
- Check if there is double NAT. How to see if you have a public IP address?
- Check if there is any firewall running on your local device.
In the future release, we are going to integrate the option to specify source in the port forwarding UI, so it will be more intuitive and easy to use.
Comments
11 comments
Hi. Can you change the example port mapping to use a different external vs internal port ?
It's not clear which port number is being used in the Rule you create.
Thanks.
First, thanks for adding this feature. It's very useful for self-hosting services behind the Cloudflare DNS proxy. With this option, I can now limit access to my server to ONLY Cloudflare IP addresses.
When setting this up, I noticed a bug (I think), and have a suggestion for how the feature could be improved.
Bug: I needed to configure rules for every Cloudflare IP range, and for both TCP/80 and TCP/443 (a total of 42 rules). Adding this many rules is tedious from a phone interface, so I used the web interface. However, the rules created by the web interface are outbound only, when I wanted inbound only rules. The web interface does not seem to have a way to specify whether the rule should be inbound or outbound. I had to use the phone interface to update the rules to be inbound only.
Improvements:
1. Allow multiple ports per rule (i.e. 80, 443). Currently, I can only add either a single port or a port range.
2. Allow custom regions. It would be nice to be able to create a custom "Cloudflare" region with all of the Cloudflare IP ranges, and then just create a single rule allowing traffic from that region.
@Geoff
Just set up my Firewalla Purple and I also ran into that same bug with Outbound only rules using the Web GUI. I've found that the Web GUI is very limited in functionality. I've been using it just for reporting/graph purposes. Hopefully the Firewalla team invests more time in the Web GUI when they have the resources.
Otherwise, amazing product, still tinkering and finding new ways to secure my app-heavy network.
While this article is great, if the device (ie. MyMac) is in a group, how to you select this device? I put all my devices into different groups, so step here "applied the rule to Device MyMac." doesn't work, unless I'm missing something, I can find no way to select a device (ie. my server) which is in a group.
@Ben Currently, if your device is added to a group, there will be a limit on our app that only allows you to apply rules to the entire group. But I do see the reason why a rule with the local port specified should be a special case. I'll forward your comments to the team and see if we can support this type of rules in future updates.
@Firewalla, add my support for this as well! I had to remove a device from a group due to not being able to add a device-specific local port rule to a device due to being part of a group.
Please correct me if I'm wrong, but as I understand this article, enabling 'Allow on Firewall', as special as it sounds, is the normal NAT behavior from other routers. Right?
Disabling it can be used to specify a source using rules now, but the implementation will improve in the future.
"Alow on Firewall" is a firewall rule, not a NAT configuration. When it's disabled, the NAT mapping will still be established, but the firewall will block all traffic by default.
As you said, with "Allow on Firewall" disabled, you can use Rules to specify what source can access the port. If "Allow on Firewall" is enabled, basically it allows everywhere to access the port.
Say I was to forward a port where the internal port maps to my Mac OS Server. For the allow rules on ingress traffic, there is target list, IP address, IP address range, and Region.
I am always hesitant about opening up ports on my network as it is - is there anyway to *only* allow ingress traffic from a specific device (I.e., I only want to allow traffic from my MacBook Pro)? If not now, would this be something that is even possible to do in the future by only allowing ingress traffic from a specific MAC address?
@Michael, if you want specific devices to access, have you tried using the VPN server feature? This way, you don't have to open ports, or manage complex IP list to know where your MAC is at?
@Firewalla, is there a way to permit the port forwarding rule based on the ingress host name? For instance, mapping a.domain.com to the internal address of 10.0.0.1 and b.hostname.com to 10.0.0.2?
Please sign in to leave a comment.