There is experimental udp transport support available, which tries to punch through nats, but it’s not enabled by default.
You can try that by adding kcp://:22067 to listen addressed on both sides yet I am not sure if it will help as you haven’t quantified what the firewall is preventing exactly.
Does discovery work in general?