This document is for DHCP mode only. Firewalla DHCP mode creates an overlay network above your main network. If you want to create a port forwarding for your devices, such as accessing your NAS or cameras outside your home, you are required to take an extra step to create port mapping on Firewalla in addition to creating port forwarding on your router.
Note: Although this setup allows you to access NAS device or camera remotely while you are outside of your home, this is not the most secure way of doing it. In this article, we suggest our users to use Firewalla VPN service instead, to achieve the same capability with security protection.
How to create port forwarding for devices
For example: If you want to access your home camera's website (http, TCP port 80) remotely, you need to set up port forwarding (e.g. TCP 8080 -> 8081) on your router and set up port forwarding (e.g. TCP 8081 -> 80) on Firewalla. You will be able to access camera website by http://<Firewalla_DDNS>:8080
*Note: For port 8080 and 8081, you can choose your own port, as long as they are consistent between the router and Firewalla. It is not recommended to open any well-known ports on your router (e.g. 22, 80, 443 and etc), because it will much more likely be attacked.
Step 1: On your router, create a port forwarding to forward TCP port 8080 to a Firewalla's Port, say Port 8081. Detailed steps depend on each router's interface.
Here is a general guide: http://www.noip.com/support/knowledgebase/general-port-forwarding-guide/
*Note: If you have multiple layers of routers at your home, you need to set up port forwarding on all routers.
Step 2: On Firewalla, find the Camera you want to access in Devices, tap Port -> Add Port Forwarding to create a new port forwarding. Set the External Port to 8081, as the port on Firewalla; Internal Port to 80, as the Port on your Camera. Tap "Save" to save your setting.
You can also do Port Forwarding via a Specified WAN or VPN. When setting up port forwarding, the interface will be set to all WAN interfaces by default. You can change this to any specific WAN or VPN client interface. To learn more, see our video tutorial.
Note that specifying a WAN or VPN only allows one port forwarding for each external port per WAN IP. Additionally, AnyConnect VPNs are not supported as of box version 1.975.
How to limit access to the port
As of APP 1.50, Firewalla is supporting limiting ingress traffic through the open. On port forwarding setting page, there will be an option INGRESS FIREWALL. This option controls how the open port is managed.
- Any Sources: All ingress traffic will always be allowed.
- None: All ingress traffic will be blocked unless allow rules are created on the local port. It provides an option to schedule the access via separate rules.
- Selected Sources: Only selected sources will be allowed. Tap Add a Source to allow specific sources. It requires box 1.974.
How to access the port