The right way to configure the firewall for OTA?

Yesterday I tried using OTA programming for the first time and the only way for that to work at the moment is disabling the firewall which is not very convenient.

I’ve seen here there is the note:

For windows users. To manage OTA check the ESP wifi network profile isn’t checked on public be sure it’s on private mode.

The network I am using for OTA is on private profile and when I disable the firewall for the private profile OTA works well.

I enabled firewall logging trying to find out to which program firewall blocked the access and pfirewall.log looked like this:

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2021-06-25 02:50:11 DROP TCP 57196 46067 44 S 1848201026 0 5744 - - - RECEIVE
2021-06-25 02:50:14 DROP TCP 57196 46067 44 S 1848201026 0 5744 - - - RECEIVE
2021-06-25 02:50:17 DROP TCP 57196 46067 44 S 1848201026 0 5744 - - - RECEIVE
2021-06-25 02:50:20 DROP TCP 57196 46067 44 S 1848201026 0 5744 - - - RECEIVE is ESP32 and is computer. I thougth there would be some information about the program (destination) towards which the blocked traffic was going but the log doesn’t show such an information.

Then I tried to make an exception in the firewall. There are espota.exe and in C:\Users\xxxxxxxx\.platformio\packages\framework-arduinoespressif32\tools but seems as the .py version is used by the PlatformIO and not the .exe!? I figured that out when I made a mistake in platformio.ini - I wrote:

upload_flags =
    --host_port = 45678

instead of:

upload_flags =

and the error was:

Usage: [options] error: no such option: --host_port

so it was useles to make an exception for espota.exe

Then I saw here someone said:

Problem with Firewall. I have given permisions to Visual Studio Code to use ports.

But my Visual Studio Code already is allowed in the firewall :-/

Then I saw this article and configured fixed host port:

upload_flags =

and then I opened TCP 45678 port in the firewall’s inbound rules for private network and OTA still didn’t work.

I tried to open even UDP port, then I tried to open even any protocol and finally I tried to open any protocol on any network (even on public one) but OTA still worked if and only if I disabled the firewall on the private network.

At that point I’ve run out of ideas what to try next and I would really like to know why opening ports didn’t work.

BTW, as a side note - it took me a few hours to realize OTA can work only after adding:

board_build.partitions = default.csv

to platformio.ini. There really should be a note in OTA documentation similar to:

For OTA to work the line board_build.partitions = default.csv should be added to platformio.ini

And some additional explanations would be helpful as well. For example, I am aware that line changed the way SPIFFS is partitioned but I am not sure what are the consequences on maximum program size and/or some other aspects of firmwares (maybe maximum image resolution to work with in the case of ESP32 CAM?) after changing that option.

I’ve finally found what was the problem. There were two firewall rules for blocking all TCP and UDP traffic for:


I’ve now changed that firewall rule from Block to Allow and added TCP port used by OTA (the one configured with --host_port) and IP range of ESP32 boards as a condition for applying the rule and OTA now works without disabling the firewall.