Hey,
Can you post the logs of the Firewalled peer?
Are you bootstrapping to the same peer that shows the Failed to heartbeat messages? If not, can you try that?
If NAT hole-punching works, and you bootstrap directly to the cluster Raft leader, I think that the firewalled peer should then manage to punch holes to the rest of peers. But if bootstrapping to someone that is not the leader, that makes the leader not be able to heartbeat the firewalled peer.
If you are indeed already bootstrapping to the leader, then libp2p’s NAT hole-punching may not work in your environment. We might explore other options like QUIC or libp2p circuits then, but I haven’t tried them myself.