I do not believe that this is the problem. The "firewall" block is not Wordfence blocking me, but the actual host blocking my IP to the entire shared hosting facility - I can not visit any site that the host is hosting (not just mine!).
Perhaps I am misunderstanding your question/suggestion. Does Wordfence need admin user to put in an IP address each time they login using a different network. If I am on a train and my IP address changes every so often do I need to keep updating the whitelist to continue to use Wordfence.
Also I am not sure why Wordfence would need or want to use an IP address of the user each time it wanted to use admin-ajax. Surely checking to make sure that the user is logged in as an admin would be sufficient?