Sonicwall Port Forwarding is used in small and large businesses everywhere.  We broke down the topic a further so you are not scratching your head over it.

Additional Resources:

Basic Sonicwall Setup and Registration

Sonicwall Router Email IPS Alerts and Notifications

How to Enable Port Forwarding

The illustration below features the older Sonicwall port forwarding interface.    Please go to “manage”, “objects” in the left pane, and “service objects” if you are in the new Sonicwall port forwarding interface.  Note:  The illustration to the right, demonstrates really bad naming for troubleshooting port forwarding issues in the future.  Please see the section below called “Friendly Service Names – Add Service” for understanding best practice naming techniques.  Note:  We never advise setting up port 3394 for remote access.  These are all just example ports and illustrations.

Bad Practice – Do not setup naming conventions like this.

Follow these steps in this order below…

• Add Service
  • Go to section called “friendly service names – add service”
• Add All services into “Service Group”
  • Go to section called “friendly service names – add groups”
• Add Address Object
  • Go to section called “Friendly Object Names – Add Address Object”
    • Note:  This is usually the hosting name of whatever server is hosting the service
• Add Inbound NAT
  • Go to section called “add inbound NAT”
    • Note:  You need the NAT policy for allowing all people from the internet to access one private IP
• Add Outbound NAT
  • Go to section called “add outbound NAT”
• Add Access Rules – WAN to LAN
  • Go to section called “WAN to LAN access rules”
• Add Hair Pin or Loopback NAT for sites lacking an Internal DNS Server
  • Go to section called “Hair Pin or Loopback NAT – No Internal DNS Server”

Friendly Service Names – Add Service

Some IT support label DSM_WebDAV, “Port 5005-5006”   That’s fine but labeling “DSM_webDAV” is probably more helpful for everyone else trying to figure out what the heck you did.   We jotted down our port forwarding game plan in a notepad before implementing the Sonicwall port forwarding.  I suggest you do the same.

Friendly Service Group Name – Add Group

The illustration below features the older Sonicwall port forwarding interface. Please go to “manage”, “objects” in the left pane, and “service objects” if you are in the new Sonicwall port forwarding interface.  You will see two tabs once you click “service objects”

• Service Objects
• Service Groups
  • Please create friendly object names.  See new Sonicwall GUI below.

Legacy GUI illustrated here.

Friendly Object Names – Add Address Object

Some support teams label by IP address in the “name” field.  I suggest adding the name of the server you are providing access to.

Add Inbound NAT

Be default, the Sonicwall does not do port forwarding NATing.  You have to enable it for the interface.  We called our policy “DSM Inbound NAT Policy”

Add Outbound NAT

Best practice is to enable this for port forwarding.  We called our policy “DSM Outbound NAT Policy”

WAN to LAN Access Rules

This rule gives permission to enter.  By default, the SonicWALL security appliance’s stateful packet inspection allows all communication from the LAN to the Internet.  However, we have to add a rule for port forwarding WAN to LAN access.  This is the last step required for enabling port forwarding of the above DSM services unless you don’t have an internal DNS server.

Bad Practice. Change service (DSM_BkUp) to the group.

Hair Pin or Loopback NAT – No Internal DNS Server

“Hair pin” is for configuring access to a server behind the SonicWall from the LAN / DMZ using Public IP addresses.  Basically, the DSM services that my LAN hosts do not work if my PC is pointed to an external IP and port.   There’s a very convoluted Sonicwall KB article to read up on the topic more.  We included an illustration to follow and break down the “hair pin” further below.

Hair Pin NAT Policy

New Hairpin or loopback rule or policy.   This rule is neccessary if you don’t host your own internal DNS.  THe routing table does not understand by default to send back internally because it thinks it an outside or external IP or service.  THat’s why we enable Hairpin NAT.

(Source) LAN: 192.168.1.0/24 (PC) >> (Destination) WAN-X1 IP: 74.88.x.x:DSM services  mysynology.synology.me  -> needs to resolve DNS   ping mysynology.synology.me  (They’re default rules to ping the WAN Interface)  (resolves WAN IP)  port 5002 —>  192.168.1.97  mysynology.synology.me:5002

By default, my PC can hit the external WAN inteface but the Sonicwall will deny DSM (5002) services.  It will be dropped.

Implement a NAT policy to trigger  Destination IP  74.88.x.x and Port  5002 to work

Translate

74.x.x.x >>> 192.168.1.97               : original (DSM services)

No Outgoing Ports are not blocked by default

It’s important to understand what Sonicwall allows in and out.   There are no outgoing ports that are blocked by default on the Sonicwall.  Ie email delivery for SMTP relay.  By default, all outgoing port services are not blocked by Sonicwall.  Restart your device if it is not delivering messages after a Sonicwall replacement.

Traffic to LAN Blocked

The following behaviors are defined by the “Default” stateful inspection packet access rule enabled in the SonicWALL security appliance:

Bad Practice in name labeling “service” port 3394

Best Practice

NAT – Many to One NAT
***Need to talk public to private IP

This is the most common NAT policy on a SonicWall, and allows you to translate a group of addresses into a single address. Most of the time, this means that you’re taking an internal “private” IP subnet and translating all outgoing requests into the IP address of the SonicWall’s WAN port, such that the destination sees the request as coming from the IP address of the SonicWall’s WAN port, and not from the internal private IP address.  View more info on the NAT topic here.

Sonicwall Port Forwarding Summary

More resources:

https://support.sonicwall.com/kb/sw7712

Open up Ports

https://support.sonicwall.com/kb/sw7027