Configuring a SonicWall Firewall¶

This guide explains how to configure a SonicWall firewall to allow Reemo to use an optimal connection (direct/udp) and avoid unnecessary fallback to relays.
A proper configuration reduces latency and improves the audio/video quality of sessions.  
Without this configuration, Reemo can still work, but connections will fall back to relays (relay/tcp, relay/udp, websocket) with reduced performance.

Before you begin, make sure your SonicWall firewall (SonicWall NGFW, SonicOS 7.x or 8.x) is properly installed and accessible via its web administration interface.

Then log in to the interface with your administrator credentials.

Note

This configuration is provided as an example.  
Screens may vary slightly depending on your SonicWall version (SonicOS).  
The suggested object names (Reemo TURN1, Reemo Services, etc.) are indicative: you may use your own conventions.

Step 1: Configure the TURN servers¶

In Policies > Objects > Address Objects, add the following addresses:

Reemo TURN1:
- Zone Assignment: WAN
- Type: FQDN
- FQDN Hostname: turn1.reemo.io

Reemo TURN2:
- Zone Assignment: WAN
- Type: FQDN
- FQDN Hostname: turn2.reemo.io

Create an Address Group combining TURN1 and TURN2.

Next, add the required services:

Service UDP 443 (TURN):
- Protocol: UDP(17)
- Port Range: 443 - 443

Service UDP 58200 (TURN):
- Protocol: UDP(17)
- Port Range: 58200 - 58200

Service TCP 443 (TURN):
- Protocol: TCP(6)
- Port Range: 443 - 443

Create a Service Group combining these three services.

Finally, configure the rules:

Create an Access Rule to allow TURN servers with high priority:
- Policy Name: Reemo TURN
- Action: Allow
- From: LAN
- To: WAN
- Source Port: Any
- Service: Reemo TURN Services
- Source: LAN Subnets
- Destination: Reemo TURN Servers
- Users Included: All

Add a NAT Policy for the TURN servers:
- Name: Reemo NAT TURN Servers
- Original Source: LAN Subnets
- Original Destination: Reemo TURN Servers
- Original Service: Reemo TURN Services
- Enable NAT Policy: checked
- Advanced > Disable Source Port Remap: checked

Note

The Disable Source Port Remap option is essential to preserve the original source port and ensure optimal compatibility with Reemo.

Step 2: Configure the Reemo service¶

Add a Service Object for the Reemo protocol:

Name: Reemo Services
Protocol: UDP(17)
Port Range: 58200 - 58400

Then create an Access Rule:

Policy Name: Reemo Service
Action: Allow
From: LAN
To: WAN
Service: Reemo Services
Source: LAN Subnets
Destination: Any
Users Included: All

Finally, create an associated NAT Policy, with high priority:

Name: Reemo Service NAT
Original Source: LAN Subnets
Original Destination: Any
Original Service: Reemo Services
Enable NAT Policy: checked
Advanced > Disable Source Port Remap: checked

Step 3: Extended UDP configuration for Reemo¶

Add a Service Object specifically for UDP:

Name: Reemo UDP
Protocol: UDP(17)
Port Range: 1024 - 65535

Create an Access Rule:

Policy Name: Reemo UDP
Action: Allow
From: LAN
To: WAN
Source Port: Reemo Services (58200–58400)
Service: Reemo UDP (1024–65535)
Source: LAN Subnets
Destination: Any
Users Included: All

Finally, create an associated NAT Policy:

Name: Reemo UDP NAT
Original Source: LAN Subnets
Original Destination: Any
Original Service: Reemo UDP
Enable NAT Policy: checked
Advanced > Disable Source Port Remap: checked

Configuration overview¶

Configured Rules:

Configured NAT Policies:

Summary: Ports and addresses to open¶

For quick reference, here is a summary table of the flows required for Reemo to work properly in direct/udp mode:

Usage	Protocol	Ports	Destination
Signal server	TCP/UDP	443	`signal.reemo.io`
TURN servers	TCP/UDP	443	`turn1.reemo.io`, `turn2.reemo.io`
Reemo Protocol In	UDP	58200–58400	Browser (client device)
Reemo Protocol Out	UDP	1024–65535 (src 58200–58400)	Remote computer (Reemo Agent)