How to effectively connect a QuWAN device with third-party firewall solutions?
Applicable Products
- QuWAN Orchestrator
- QuRouter 2.4.4 and later versions
Details
To utilize QuWAN services, configure the necessary service ports on the third-party firewall device.
The network topology depicted in the image illustrates a hub-and-edge SD-WAN deployment leveraging QNAP's QuWAN infrastructure. The key components and their roles are as follows:
QuRouter (QNAP router): Positioned at the network perimeter, this device connects to a third-party firewall device and functions as either a hub for internal traffic or an edge device for external connectivity, depending on the deployment. Third-party firewall: Situated behind the QNAP router, this firewall enforces security policies, regulates network traffic, and manages access control.
Best Practices
To ensure seamless connectivity to QuWAN Orchestrator, configure the following firewall rules on all routers in your network topology before accessing Orchestrator from a client device (such as a browser). These settings enable secure VPN communication, proper traffic routing, and uninterrupted access to QuWAN services.
1. Configure Firewall Rules for QuWAN Orchestrator
- Source: Any
- Protocol: TCP
- Destination ports: 8883 (MQTT), 443 (HTTPS)
2. Configure Firewall Rules for QuWAN QBelt VPN Server
| Traffic Type | Source | Protocol | Source Ports | Destination | Destination Ports | Action |
|---|---|---|---|---|---|---|
| Outbound | Click Define to specify the source connection | UDP | 5533 (QuWAN QBelt VPN Server) | Any | - | Allow |
| Inbound | Click Define to specify the remote device details | UDP | Any | - | 5533 (QuWAN QBelt VPN Server) | Allow |
To add a new firewall rule in QuWAN Orchestrator, see the "Adding a device firewall rule" topic in the QuWAN and QuWAN Orchestrator Web Help.
3. Configure Firewall Rules for Mesh VPN Site-to-Site Traffic
When using QuRouter in a mesh VPN setup, you must configure firewall rules on a third-party firewall device to allow site-to-site VPN traffic. These rules ensure that IPSec communication between the hub and edge sites is not blocked, enabling secure VPN tunnel establishment.
On the third-party firewall device, allow inbound and outbound UDP traffic on the following ports:
- 500 (ISAKMP/IKE): Used for key exchange in IPSec VPN connections.
- 4500 (IPSec NAT Traversal): Used when VPN traffic traverses NAT devices.
- 61001-61999 (Dynamic high ports for IPSec NAT Traversal): Required for certain IPSec configurations.
Configure the firewall rules as follows:
- Inbound traffic: Allow VPN packets from remote sites to reach the firewall.
- Outbound traffic: Permit VPN packets to be sent to remote sites without interference.
Properly configuring these rules on the third-party firewall device ensures uninterrupted VPN connectivity between mesh sites.
| QuRouter Role | Hub | Edge |
|---|---|---|
| Protocol | UDP | UDP |
| Inbound traffic |
|
|
| Outbound traffic |
|
|
- * The default port for hubs and edge devices is 4500.
- * The system selects a random port between 61001-61999. To check the router service ports, select your organization and device in QuWAN Orchestrator, and then go to Service Management and review the port details in IPSec NAT Traversal.
4. Allow IP Ranges for QuWAN Communication
To ensure proper communication between QuWAN Orchestrator and your existing firewall services, it is essential to configure your firewall and router to allow specific IP ranges related to QuWAN. The router plays a crucial role by routing traffic between your local network and external networks, while the firewall filters and permits necessary QuWAN-related traffic to ensure secure and uninterrupted communication. Without proper configuration, you may encounter disruptions.
Follow the steps below to add the necessary QuWAN-related IP ranges to your firewall's allow list:
- QuWAN VPN tunnel
- Add
198.19.0.0/16to your firewall's allow list to ensure that VPN tunnel connections established by QuWAN are not blocked:
- Add
- QuWAN LAN IP subnet
- Identify the LAN IP subnet of your QuWAN deployment and include it in your firewall's allow list.
- To locate the LAN IP subnet, navigate to QuWAN Device > System Status > Network > LAN Details in the QuWAN Orchestrator interface.
By configuring both your firewall and router with these settings, you can ensure proper traffic routing, secure filtering, and uninterrupted communication between QuWAN services and your network, minimizing potential disruptions caused by blocked traffic.
For further assistance, refer to the QuWAN Orchestrator documentation or contact QNAP Customer Service.
Additional Notes
To enable internet pings from LAN to WAN, add a firewall rule:
- Destination: Click Define to specify the internet gateway address
- Protocol: ICMP
- Source: Any (allows traffic from any device on your LAN)
- Destination: Your LAN subnet (e.g., 192.168.60.1/24)
- Action: Allow
If a device remains offline despite an active WAN connection, verify that ports 8883 (MQTT) and 443 (HTTPS) are not blocked by the firewall.
For detailed instructions on configuring firewall rules in QuWAN Orchestrator, see the Firewall and Traffic Mapping section in the QuWAN and QuWAN Orchestrator Web Help.
To modify service ports, perform the following actions:
- For QuWAN vRouter, log in to QuWAN Orchestrator, select your organization and device, and then go to Service Management. For details, see the Service Management section in the QuWAN and QuWAN Orchestrator Web Help.
- For QNAP routers, log in to QuRouter, and go to Service Port Management. For details, see the Service Port Management section in the QuRouter Web Help for QHora Routers or QuRouter Web Help for QHora Routers.
