
Enable UDP hole punching with hardware firewall

Do you want to connect several clients or servers to the oneclick™ mesh network from behind a hardware firewall?

  • First check whether your oneclick™ account uses the data center in Germany - Magdeburg. If so, make the following settings in your firewall. Not sure which data center is selected? Check your system data.
  • If you are using a different oneclick™ data center for streaming, check the requirements for using oneclick™ Mesh before making the following settings in your firewall.
  • If you have already installed the oneclick™ Mesh Client and the connection could not be established, start with the article Mesh installation with hardware firewall failed.

In order for the connection to be established properly in this case via the oneclick™ Mesh Client, you have to:

  1. enable UDP hole punching in your firewall, i.e. make sure the NAT keeps one fixed external port for a client's UDP source port regardless of the destination (disable symmetric NAT, PAT, overload NAT, dynamic NAT or port randomization),
  2. whitelist oneclick™ IP addresses,
  3. set up port forwarding when using multiple clients,
  4. and check connectivity in the oneclick™ Admin.

1. Enable UDP hole punching

The following shows the settings we tested with a pfSense Plus firewall (Contabo Server / System: Netgate 3100 / Version 22.05-RELEASE (arm)).

  1. If the oneclick™ Mesh Client is already installed on a device, first stop its service on that device.
  2. Log in to your pfSense Plus firewall.
  3. On the dashboard, check your current software version and click the Update icon if an update is available.
  4. In the Firewall tab, go to NAT.
  5. Click Outbound, select Hybrid Outbound NAT rule generation mode and click Save. In hybrid mode the automatically generated rules stay in place and your manual mappings are evaluated before them.
  6. Under “Mapping”, add an entry for each client behind your firewall that should connect to oneclick™.
    1. Click Add.
    2. At the interface section select WAN.
    3. For Address family, select IPv4.
    4. For Protocol, select UDP.
    5. In the “Source” section, select Network as the “Type” and enter the internal IP address of your device in the box next to it.
    6. Enter 4242 as the source port (the UDP port the Mesh Client sends from).
    7. In the “Translation” section, enter the port to use for NAT. We recommend numbering the NAT ports of your devices consecutively, e.g. 42420, 42421 and so on, starting with 42420. A fixed translation port keeps the external port identical for every destination, which is exactly what hole punching relies on.
    8. In the "Misc" section you can enter a description, e.g. RDSH01 Mesh.
    9. Click Save.
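Why the fixed translation port matters: the following model is an added example, not code from oneclick™ or pfSense. It simulates a minimal stateful NAT and runs the hole-punch exchange that the Mesh Client depends on (client registers with a coordination server, which tells a second peer the external port it observed; the client then sends a packet toward that peer to open a state, and the peer replies to the observed port). All addresses are constructed from RFC 5737 documentation ranges, and the names Nat, outbound, inbound and hole_punch are this example's own.

```python
import itertools
from dataclasses import dataclass, field

# Constructed endpoints (documentation ranges), not oneclick's real addresses.
CLIENT = ("10.0.0.10", 4242)     # mesh client behind the firewall, UDP source port 4242
COORD = ("203.0.113.5", 4242)    # coordination server that observes the client's mapping
PEER = ("198.51.100.7", 4242)    # second mesh peer that wants to reach CLIENT
WAN_IP = "192.0.2.1"             # firewall's WAN address


@dataclass
class Nat:
    """Minimal stateful NAT.

    symmetric=False: one external port per internal endpoint, reused for every
    destination (endpoint-independent mapping, what the pfSense mapping above gives).
    symmetric=True:  a fresh external port for every (source, destination) pair,
    which is what symmetric NAT / port randomization does.
    """
    symmetric: bool = False
    static_ports: dict = field(default_factory=dict)  # internal endpoint -> fixed external port
    _mappings: dict = field(default_factory=dict)     # mapping key -> external port
    _states: dict = field(default_factory=dict)       # (external endpoint, remote) -> internal endpoint
    _pool: itertools.count = field(default_factory=lambda: itertools.count(50000))

    def outbound(self, src, dst):
        """Translate an outbound packet src -> dst and record the state it opens."""
        key = (src, dst) if self.symmetric else src
        if key not in self._mappings:
            if not self.symmetric and src in self.static_ports:
                self._mappings[key] = self.static_ports[src]     # configured translation port
            else:
                self._mappings[key] = next(self._pool)           # dynamically chosen port
        external = (WAN_IP, self._mappings[key])
        self._states[(external, dst)] = src
        return external

    def inbound(self, external, remote):
        """Deliver remote -> external only if a matching outbound state exists."""
        return self._states.get((external, remote))


def observed_port(nat):
    """External port the coordination server sees for CLIENT."""
    return nat.outbound(CLIENT, COORD)[1]


def hole_punch(nat):
    """Return True if PEER's packet to the observed endpoint reaches CLIENT."""
    observed = nat.outbound(CLIENT, COORD)   # 1. registration; server learns the mapping
    nat.outbound(CLIENT, PEER)               # 2. punch packet opens a state toward PEER
    return nat.inbound(observed, PEER) == CLIENT   # 3. PEER sends to the learned endpoint


if __name__ == "__main__":
    fixed = Nat(static_ports={CLIENT: 42420})
    print("fixed translation port 42420:", hole_punch(fixed))   # True
    print("dynamic but consistent port:", hole_punch(Nat()))    # True
    print("symmetric NAT:", hole_punch(Nat(symmetric=True)))    # False
```

With the fixed mapping the server and the peer both see port 42420, so the peer's packet matches the state the punch opened. Under symmetric NAT the punch toward the peer gets a different external port than the registration did, and the packet sent to the port learned from the server matches no state and is dropped.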

2. Whitelist oneclick™ IP addresses

  1. Go to Aliases in the Firewall tab.
  2. Select All and click Add.
  3. Enter a name and a description, e.g. oneclick_Whitelist.
  4. Select Host(s) as the “Type”.
  5. Enter the IP addresses of the oneclick™ mesh and the outgoing IP address of your data center.
  6. Click Save.

3. Port Forwarding when using multiple clients (optional)

  1. In the Firewall tab, go to NAT.
  2. Select Port Forward and click Add.
  3. Select WAN under “Interface”.
  4. For “Address Family”, select IPv4.
  5. For “Protocol”, select TCP/UDP.
  6. Under “Source”, click Show Advanced.
  7. In the “Source” section, select Single Host or Alias as the "Type" and enter oneclick_Whitelist as the "Address" in the field to the right. This restricts the forward to the whitelisted oneclick™ hosts instead of exposing the port to the whole Internet.
  8. In the "Source port range" section, select Any.
  9. Select the WAN address as the "Destination".
  10. Select Other in the "Destination port range" and enter the translation port from the mapping above, e.g. 42420, next to it.
  11. At "Redirect target IP", select Single host and enter the internal IP address of your device again.
  12. At "Redirect target port", select Other and enter port 4242 again.
  13. For clarity, reuse the description from the mapping, e.g. RDSH01 Mesh.
  14. Under "Filter rule association", select None. pfSense then creates no WAN pass rule for this forward: unsolicited inbound traffic is still subject to your WAN rules (blocked by default), while packets matching a state the client has already opened outbound are passed anyway.
  15. Click Save.

4. Check connectivity in the oneclick™ Admin

  1. Your device now appears in the destinations list. Click the Sync icon in the row of your destination.
  2. Create an app configuration to configure access to your destination.
  3. Then create an app instance for your oneclick™ users.