Configure a Fortinet Firewall

This guide explains how to configure a Fortinet firewall to allow Reemo to use an optimal connection (direct/udp) and avoid unnecessary fallback to relays.
A correct configuration significantly reduces latency and improves the audio/video quality of sessions.
Without this configuration, Reemo can still work, but connections will fall back to relays (relay/tcp, relay/udp, websocket) with reduced performance.
Before starting, make sure your Fortinet firewall (FortiGate NGFW, FortiOS 6.x or 7.x) is properly installed and accessible via its web administration interface.
Then log in to the interface with your administrator credentials.

Note

This configuration is provided as an example.
Steps may vary slightly depending on your Fortinet version.
The proposed names for objects (Reemo_TURN1, Reemo_Protocol_in, etc.) are indicative: you may use your own naming conventions.

Step 1: Add the Reemo servers

In the menu Firewall Objects > Address > Addresses, add the following addresses:

  • Reemo_TURN1:
    • Type: FQDN

    • FQDN: turn1.reemo.io

Add TURN1 address.

  • Reemo_TURN2:
    • Type: FQDN

    • FQDN: turn2.reemo.io

Add TURN2 address.

  • Reemo_Signal:
    • Type: FQDN

    • FQDN: signal.reemo.io

Add SIGNAL address.

Step 2: Add the required services

In the menu Firewall Objects > Services, add:

  • Reemo_UDP443:
    • Service Type: Firewall

    • Protocol: UDP

    • Destination Port: 443

Add UDP443 service.

  • Reemo_Protocol_in:
    • Service Type: Firewall

    • Protocol: UDP

    • Destination Port: 58200–58400

Add Reemo Protocol In service.

  • Reemo_Protocol_out:
    • Service Type: Firewall

    • Protocol: UDP

    • Destination Port: 1024–65535

    • Source Port: 58200–58400

Add Reemo Protocol Out service.

Note

The wide port range (1024–65535) is required by WebRTC to establish peer-to-peer connections. Traffic remains end-to-end encrypted and restricted to Reemo communications.

Step 3: Create firewall rules

Note

On recent Fortinet versions, enable the Preserve Source Port option for optimal compatibility.

Preserve Source Port option.

In the Policy menu, add these firewall rules:

Global Rules

  • Reemo TURN:
    • Source Address: LAN

    • Destination Address: Reemo_TURN1, Reemo_TURN2

    • Service: Reemo_UDP443, Reemo_Protocol_in

    • Action: ACCEPT

Add Reemo TURN firewall rule.

  • Reemo SIGNAL:
    • Source Address: LAN

    • Destination Address: Reemo_Signal

    • Service: HTTPS

    • Action: ACCEPT

Add Reemo SIGNAL firewall rule.

Rules for the remote computer (“Reemo Side”)

These rules concern the outgoing traffic generated by the remote computer running the Reemo Agent. They allow the machine to correctly communicate with the client browser via the defined UDP ports.

Reemo Side Firewall.

  • Reemo Protocol Out:
    • Source Address: LAN (remote computer)

    • Destination Address: all

    • Service: Reemo_Protocol_out

    • Action: ACCEPT

Add Reemo Protocol Out firewall rule (Reemo Side).

Overview of Reemo Side rules

Example configuration on the remote computer side.

Rules for the browser (“Browser Side”)

These rules concern the incoming traffic on the browser side (the user’s workstation). They ensure that UDP flows sent by the Reemo Agent properly reach the browser through the defined port range.

Browser Side Firewall.

  • Reemo Protocol In:
    • Source Address: LAN

    • Destination Address: all

    • Service: Reemo_Protocol_in

    • Action: ACCEPT

Add Reemo Protocol In firewall rule (Browser Side).

Overview of Browser Side rules

Example configuration on the browser side.
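The three steps above, expressed as the equivalent FortiOS CLI configuration (an added example, not part of the Reemo guide or of Fortinet's documentation). The interface names internal and wan1, the pre-existing LAN address object, the use of # comment lines and the CLI form of the Preserve Source Port option are assumptions; only the Reemo TURN policy is written out.

```fortios
# Step 1: FQDN address objects for the Reemo servers (names from the guide)
config firewall address
    edit "Reemo_TURN1"
        set type fqdn
        set fqdn "turn1.reemo.io"
    next
    edit "Reemo_TURN2"
        set type fqdn
        set fqdn "turn2.reemo.io"
    next
    edit "Reemo_Signal"
        set type fqdn
        set fqdn "signal.reemo.io"
    next
end

# Step 2: custom UDP services; udp-portrange syntax is <dst-range>:<src-range>
config firewall service custom
    edit "Reemo_UDP443"
        set udp-portrange 443
    next
    edit "Reemo_Protocol_in"
        set udp-portrange 58200-58400
    next
    edit "Reemo_Protocol_out"
        # destination 1024-65535 restricted to source ports 58200-58400
        set udp-portrange 1024-65535:58200-58400
    next
end

# Step 3: the "Reemo TURN" policy; interface names and the LAN object are assumed.
# The SIGNAL (service HTTPS), Protocol In and Protocol Out policies follow the
# same pattern with their own destination addresses and services.
config firewall policy
    edit 0
        set name "Reemo TURN"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "Reemo_TURN1" "Reemo_TURN2"
        set service "Reemo_UDP443" "Reemo_Protocol_in"
        set schedule "always"
        set action accept
        set nat enable
        # assumed CLI equivalent of the GUI "Preserve Source Port" option
        set preserve-source-port enable
    next
end
```

Before committing, compare the resulting policy against the GUI rule in the screenshot above: a policy that omits the service restriction or lists "all" as destination opens far more than the guide intends.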

Summary: Ports and addresses to open

For quick reference, here is a summary table of the required flows for Reemo to function in direct/udp mode:

Usage                Protocol   Ports                           Destination
Signal server        TCP/UDP    443                             signal.reemo.io
TURN servers         UDP        443                             turn1.reemo.io, turn2.reemo.io
Reemo Protocol In    UDP        58200–58400                     Browser (client workstation)
Reemo Protocol Out   UDP        1024–65535 (src 58200–58400)    Remote computer (Reemo Agent)