Because QUIC runs over UDP, it is often blocked by firewalls that only permit or inspect TCP traffic.

Common Causes and Fixes for UDP Blocking

  1. Stateful Firewall Misconfiguration: Many firewalls are configured to allow established TCP connections but treat UDP traffic as potentially suspicious, especially if it’s not on a well-known port.

    • Diagnosis: Check your firewall’s active connection table for UDP traffic on the port your QUIC service uses (443 by default), and look in its logs for denied UDP packets to that port.
    • Fix: Create a firewall rule to explicitly allow UDP traffic on the relevant port (e.g., allow udp any any eq 443). This tells the firewall to permit UDP packets without deep inspection, assuming they are legitimate.
    • Why it works: This bypasses the firewall’s default-deny or stateful inspection limitations for UDP by creating an explicit exception.
  2. Network Address Translation (NAT) Issues: Some older NAT devices or configurations might not handle UDP sessions gracefully, especially with the ephemeral port changes that can occur in QUIC’s connection migration.

    • Diagnosis: Use tcpdump on the server to see if UDP packets are arriving. On the client, use ping -u <server_ip> (if supported) or a tool like nmap -sU -p 443 <server_ip> to test UDP reachability.
    • Fix: Ensure your NAT device has "UDP Flood Protection" or similar features disabled or set to very high thresholds. If possible, configure static NAT for the UDP port.
    • Why it works: Disabling UDP flood protection prevents the NAT from mistaking legitimate QUIC traffic for an attack. Static NAT ensures consistent mapping between the external and internal IP/port.
  3. Intrusion Detection/Prevention Systems (IDS/IPS): Some IDS/IPS systems might flag QUIC traffic as suspicious due to its encryption and multiplexing capabilities, which can be similar to some malicious UDP-based protocols.

    • Diagnosis: Review IDS/IPS logs for any alerts related to UDP traffic on port 443, or specifically for QUIC-related signatures.
    • Fix: Create an exception or whitelist rule within your IDS/IPS for UDP traffic on port 443 originating from or destined to your known QUIC servers.
    • Why it works: This tells the IDS/IPS to ignore QUIC traffic, preventing it from being blocked or throttled.
  4. ISP or Cloud Provider Restrictions: Some Internet Service Providers or cloud infrastructure providers might block UDP traffic on common ports to prevent abuse (e.g., DDoS amplification attacks using DNS or NTP).

    • Diagnosis: If you control the network edge and firewall, check those first. If not, consult your ISP or cloud provider’s documentation or support. Try a different port (e.g., 8443) to see if the blocking is port-specific.
    • Fix: Request your ISP or cloud provider to unblock UDP traffic on the necessary port. If they refuse, you may need to tunnel QUIC over TCP (less efficient) or use a different provider.
    • Why it works: This removes the block at its source, the provider’s network, instead of working around it.
  5. Client-Side Antivirus or Firewall: Similar to network firewalls, client-side security software can also interfere with UDP traffic.

    • Diagnosis: Temporarily disable your client’s antivirus and firewall software and try to establish a QUIC connection.
    • Fix: Configure your client’s security software to allow UDP traffic on port 443 for your browser or application.
    • Why it works: This grants explicit permission for the QUIC client to send and receive UDP packets.
  6. Incorrect QUIC Implementation or Configuration: While less common for standard libraries, a custom or misconfigured QUIC implementation might not adhere strictly to standards, leading to unexpected firewall behavior.

    • Diagnosis: Ensure you are using a well-maintained QUIC library (e.g., quiche, lsquic, aioquic) and that its configuration (like initial connection IDs, retry tokens) is standard.
    • Fix: Update your QUIC library to the latest stable version and review its configuration parameters against RFC 9000.
    • Why it works: Adhering to standards ensures interoperability and reduces the likelihood of triggering heuristic-based blocking mechanisms.
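The tcpdump check in item 2, the IDS/IPS log review in item 3 and the standards check in item 6 all come down to one question: is what arrives on UDP/443 actually well-formed QUIC? The script below is an added example, not code from the original page or from any QUIC library. It decodes only the version-independent long header (RFC 8999, and section 17.2 of RFC 9000) from a raw UDP payload, so you can confirm what a capture or an alert contains before writing a firewall or IDS exception for it. The sample datagrams are constructed inline; the version constants for QUIC v1 (0x00000001, RFC 9000) and v2 (0x6b3343cf, RFC 9369) are the registered values.

```python
"""Decode the version-independent QUIC long header (RFC 8999 / RFC 9000 section 17.2).

Added example, not code from the original page or from any QUIC library.
Feed it the UDP payload from a capture to learn whether the datagram is QUIC,
which version it carries and which connection IDs, before writing an exception for it.
"""
from dataclasses import dataclass
from typing import Optional

QUIC_V1 = 0x00000001          # RFC 9000
QUIC_V2 = 0x6B3343CF          # RFC 9369
KNOWN_VERSIONS = {QUIC_V1: "v1", QUIC_V2: "v2"}
# Long packet type bits ((first byte & 0x30) >> 4) are deliberately different in v1 and v2.
LONG_TYPES = {
    QUIC_V1: {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"},
    QUIC_V2: {0: "Retry", 1: "Initial", 2: "0-RTT", 3: "Handshake"},
}
MAX_CID_LEN = 20              # v1/v2 limit; unknown versions may differ
MIN_INITIAL_DATAGRAM = 1200   # servers drop smaller client Initials (RFC 9000 section 14.1)


@dataclass
class QuicHeader:
    kind: str                     # "long", "version_negotiation", "short" or "not_quic"
    version: Optional[int] = None
    packet_type: Optional[str] = None
    dcid: bytes = b""
    scid: bytes = b""
    reason: str = ""


def classify_quic(payload: bytes) -> QuicHeader:
    """Classify one UDP payload. Only the invariant header fields are parsed; nothing is decrypted."""
    if not payload:
        return QuicHeader("not_quic", reason="empty datagram")
    first = payload[0]
    if not first & 0x80:
        # Short (1-RTT) header: only the fixed bit is checkable without connection state,
        # because the DCID length is not carried on the wire.
        if first & 0x40:
            return QuicHeader("short", reason="fixed bit set; DCID length needs connection state")
        return QuicHeader("not_quic", reason="neither header-form bit nor fixed bit set")
    if len(payload) < 7:
        return QuicHeader("not_quic", reason="too short for a long header")
    version = int.from_bytes(payload[1:5], "big")
    dcid_len = payload[5]
    dcid = payload[6:6 + dcid_len]
    if len(dcid) != dcid_len or len(payload) < 7 + dcid_len:
        return QuicHeader("not_quic", reason="truncated DCID")
    scid_len = payload[6 + dcid_len]
    scid = payload[7 + dcid_len:7 + dcid_len + scid_len]
    if len(scid) != scid_len:
        return QuicHeader("not_quic", reason="truncated SCID")
    if version == 0:
        # Version Negotiation is checked before the fixed bit: servers only SHOULD set it here.
        return QuicHeader("version_negotiation", version=0, dcid=dcid, scid=scid)
    if not first & 0x40:
        return QuicHeader("not_quic", reason="long header without fixed bit")
    if version in KNOWN_VERSIONS and max(dcid_len, scid_len) > MAX_CID_LEN:
        return QuicHeader("not_quic", reason="connection ID exceeds 20 bytes")
    type_bits = (first & 0x30) >> 4
    if version in LONG_TYPES:
        ptype = LONG_TYPES[version][type_bits]
    else:
        ptype = f"type bits {type_bits} (unknown version 0x{version:08x})"
    return QuicHeader("long", version=version, packet_type=ptype, dcid=dcid, scid=scid)


def is_plausible_client_initial(payload: bytes) -> bool:
    """True if this is a v1/v2 Initial in a datagram large enough that a server would not discard it."""
    h = classify_quic(payload)
    return h.kind == "long" and h.packet_type == "Initial" and len(payload) >= MIN_INITIAL_DATAGRAM


# Constructed samples (not captured traffic).
# v1 Initial: 0xC3 = header form, fixed bit, type 00, packet-number-length bits; padded like a real client Initial.
SAMPLE_INITIAL = (bytes([0xC3]) + QUIC_V1.to_bytes(4, "big")
                  + bytes([8]) + bytes(range(8)) + bytes([4]) + b"\x0a\x0b\x0c\x0d").ljust(MIN_INITIAL_DATAGRAM, b"\x00")
# Version Negotiation without the fixed bit, offering v1 and v2.
SAMPLE_VN = (bytes([0x80]) + bytes(4) + bytes([4]) + b"\x0a\x0b\x0c\x0d" + bytes([8]) + bytes(range(8))
             + QUIC_V1.to_bytes(4, "big") + QUIC_V2.to_bytes(4, "big"))
SAMPLE_NOT_QUIC = b"\x00\x01\x00\x00\x00\x01\x00\x00"   # DNS-style header; first byte 0x00 is not QUIC

if __name__ == "__main__":
    for name, pkt in [("initial", SAMPLE_INITIAL), ("vn", SAMPLE_VN), ("other", SAMPLE_NOT_QUIC)]:
        print(name, classify_quic(pkt))
```

Two details matter when you read the output. A Version Negotiation packet (version field 0) may legitimately lack the fixed bit, so that case is tested before the fixed-bit check. And a client Initial must arrive in a datagram of at least 1200 bytes, which is why the empty probe that `nmap -sU` sends draws no reply from a QUIC server and is reported as open|filtered.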

After fixing UDP blocking, you might encounter issues with QUIC connection migration or path MTU discovery failures.
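To confirm that UDP is actually passing before you move on to migration or path MTU problems, here is an added example (not from the original page) of the reachability test that items 2 and 4 describe, written so it runs the same way on a client or a server. Rather than sending an arbitrary datagram, which a QUIC server silently discards, it sends a long-header packet carrying a reserved greasing version (the 0x?a?a?a?a pattern from section 15 of RFC 9000), padded to 1200 bytes, so a standards-conformant QUIC server answers with a Version Negotiation packet and no handshake is needed. It uses a connected UDP socket so that an ICMP port-unreachable surfaces as an error, tries 443 and the alternative 8443 as the ISP/cloud diagnosis suggests, and reports "silent" rather than "blocked" on timeout: a dropped packet, a silent firewall and a server ignoring the probe are indistinguishable from outside. The fake server and the silent listener are stand-ins so the script can be exercised offline; hostnames and ports are assumptions.

```python
"""UDP/QUIC reachability probe that distinguishes 'answered' from 'silent'.

Added example, not code from the original page. It sends a long-header packet
with a reserved greasing version so that any standards-conformant QUIC server
answers with a Version Negotiation packet, without needing a full handshake.
"""
import socket
import threading

GREASE_VERSION = 0x1A2A3A4A   # 0x?a?a?a?a pattern: reserved, never supported (RFC 9000 section 15)
QUIC_V1 = 0x00000001
MIN_INITIAL_DATAGRAM = 1200   # servers discard smaller datagrams; pad so the probe is not dropped for size


def build_version_probe(dcid: bytes = bytes(8), scid: bytes = b"\x01" * 8) -> bytes:
    """Long header (form + fixed bit), unsupported version, client-chosen CIDs, padded to 1200 bytes."""
    header = (bytes([0xC0]) + GREASE_VERSION.to_bytes(4, "big")
              + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid)
    return header.ljust(MIN_INITIAL_DATAGRAM, b"\x00")


def is_version_negotiation(datagram: bytes) -> bool:
    """Version Negotiation = header-form bit set and a zero version field."""
    return len(datagram) >= 5 and bool(datagram[0] & 0x80) and datagram[1:5] == bytes(4)


def probe_udp(host: str, port: int, timeout: float = 1.0) -> str:
    """Return 'quic', 'reply', 'refused' or 'silent'. 'silent' is not proof of blocking:
    a dropped packet, a silent firewall and a server that ignores the probe look identical."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connected socket: ICMP port-unreachable surfaces as ConnectionRefusedError
        try:
            s.send(build_version_probe())
            data = s.recv(4096)
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "silent"
    return "quic" if is_version_negotiation(data) else "reply"


def probe_ports(host: str, ports=(443, 8443), timeout: float = 1.0) -> dict:
    """Try the standard port and an alternative, as the ISP/cloud diagnosis suggests."""
    return {port: probe_udp(host, port, timeout) for port in ports}


# Stand-ins so the probe can be exercised offline; a real run targets the actual QUIC server.
def start_fake_quic_server(host: str = "127.0.0.1"):
    """Answer any 1200-byte long-header datagram with a Version Negotiation packet advertising v1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                pkt, addr = srv.recvfrom(4096)
            except socket.timeout:
                continue
            if len(pkt) < MIN_INITIAL_DATAGRAM or not (pkt[0] & 0x80):
                continue                       # real servers drop short or non-QUIC datagrams silently
            dcid_len = pkt[5]
            dcid = pkt[6:6 + dcid_len]
            scid_len = pkt[6 + dcid_len]
            scid = pkt[7 + dcid_len:7 + dcid_len + scid_len]
            # VN echoes the peer's CIDs swapped, version 0, then the supported version list.
            vn = (bytes([0xC0]) + bytes(4) + bytes([scid_len]) + scid
                  + bytes([dcid_len]) + dcid + QUIC_V1.to_bytes(4, "big"))
            srv.sendto(vn, addr)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def start_silent_listener(host: str = "127.0.0.1"):
    """A bound socket that never answers: models a dropping firewall or a non-QUIC service."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    return sock.getsockname()[1], sock.close


if __name__ == "__main__":
    port, stop = start_fake_quic_server()
    print(probe_ports("127.0.0.1", ports=(port,)))   # {port: 'quic'}
    stop()
```

Run it from the client side against the real server address to test the path end to end, and from the server itself against 127.0.0.1 to separate "the service is not listening" from "the network is dropping UDP". A "refused" result means the packets reach the host but nothing listens on that port, which points at the service rather than the firewall.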
