kirk_shaw asked:

Port 3000 forwarding to two different IP addresses internally - Sonicwall NSA 3500

We currently have a Sonicwall NSA 3500 and up until recently everything was fine. Anything coming in on port 3000 is currently forwarded to our CCTV system. However, we now have some other critical software that needs to use port 3000 as well. None of these can be changed from port 3000 unfortunately.

Is it possible on the Sonicwall box to be able to have incoming traffic pointing to two different servers and if so how would I be able to accomplish this using the Sonicwall NSA 3500?

Hardware Firewalls, Network Security


8/22/2022 - Mon
John Smith

Hi Kirk,

If traffic for the CCTV system and this other software are both ingressing the same interface, the only way to accomplish this would be to assign multiple IPs to that ingress interface and to point the CCTV traffic to one IP, and the other traffic to the other IP.

So that I can give you a more detailed answer, would you please share a few more details?

1. Which interface is the traffic for the CCTV system ingressing?
2. Which interface is the traffic for the CCTV system egressing?
3. Which interface will the traffic for the other software ingress?
4. Which interface will the traffic for the other software egress?
5. If the ingress interface for both is the same, do you have two IPs in that subnet that can be assigned to the interface?

I can think of three ways to do this, each with different pros and cons:

1) Port address translation

Incoming connections from the Internet on port 3001 go to the CCTV on port 3000, and incoming connections on port 3002 go to the other software on port 3000.

This way each of your internal devices operates on port 3000, but accessing them from the Internet requires you to connect on port 3001 or 3002 depending on which device you want. The router handles translating port 3001 or 3002 into port 3000 on the desired device. The client side software needs to support having its port number changed, though.

2) Multiple public IP addresses

If your ISP provides you with a block of addresses, you can configure it so that port 3000 on IP address #1 goes to the CCTV, and port 3000 on IP Address #2 goes to the other software. Your ISP must provide you with multiple public IP addresses. If they can't give you that then it isn't possible to do this.

3) VPN

Port forwarding is not used and neither CCTV nor the other software are directly exposed to the Internet. Instead, you connect to the VPN server running on your SonicWall. Once connected to the VPN server, the remote device will have access to the local network where they can connect to either the CCTV device or the other software product via their internal IP address, just like they would if you were on the LAN.

Jeff Nagel

The simplest way is with port address translation.  You need to create a new service (under network) for the new public port number then edit the NAT rules to change the service tied to the public IP to the new one and edit the firewall rule to use the new service as well.
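The following is an added example, not code from either expert's answer and not SonicOS configuration: a small Python model of how an inbound (destination) NAT lookup is keyed on public IP, protocol and port. It shows why two policies for the same public IP on port 3000 collide, how the port address translation option (public 3001/3002 to internal 3000) and the multiple-public-IP option both resolve it, and why the access rule from the last step above still has to permit the translated destination. All addresses are constructed documentation-range values, and the class names (Service, NatPolicy, AccessRule) are my own, chosen to mirror the service object, NAT policy and firewall rule the answer refers to.

```python
# Model of inbound NAT policy matching (constructed example, not SonicOS code).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Service:
    """Service object: protocol plus port."""
    name: str
    proto: str
    port: int

@dataclass(frozen=True)
class NatPolicy:
    """Traffic arriving for original_dst:original_svc is rewritten
    to translated_dst:translated_svc."""
    original_dst: str
    original_svc: Service
    translated_dst: str
    translated_svc: Service

@dataclass(frozen=True)
class AccessRule:
    """Firewall access rule, evaluated against the translated destination."""
    dst: str
    svc: Service
    action: str  # "allow" or "deny"

class PolicyConflict(ValueError):
    """Two NAT policies claim the same (public IP, proto, port) match key."""

NatKey = Tuple[str, str, int]

def build_nat_table(policies: List[NatPolicy]) -> Dict[NatKey, NatPolicy]:
    """Index policies by their match key; a duplicate key with a different
    target is ambiguous, so refuse it instead of silently picking one."""
    table: Dict[NatKey, NatPolicy] = {}
    for p in policies:
        key = (p.original_dst, p.original_svc.proto, p.original_svc.port)
        if key in table and table[key] != p:
            raise PolicyConflict(f"{key} already maps to {table[key].translated_dst}")
        table[key] = p
    return table

def forward(table: Dict[NatKey, NatPolicy], rules: List[AccessRule],
            dst: str, proto: str, port: int) -> Optional[Tuple[str, int]]:
    """Return (internal host, internal port) an inbound packet reaches, or
    None if it is dropped: no NAT policy, or no allow rule after translation."""
    policy = table.get((dst, proto, port))
    if policy is None:
        return None
    for rule in rules:  # first matching rule wins
        if rule.dst == policy.translated_dst and rule.svc == policy.translated_svc:
            if rule.action == "allow":
                return (policy.translated_dst, policy.translated_svc.port)
            return None
    return None  # no matching rule: implicit deny

# Constructed sample topology (documentation ranges, not real hosts)
PUBLIC_A, PUBLIC_B = "203.0.113.10", "203.0.113.11"
CCTV, OTHER = "10.0.0.20", "10.0.0.30"
TCP3000 = Service("TCP 3000", "tcp", 3000)
TCP3001 = Service("TCP 3001", "tcp", 3001)  # new service object for option 1
TCP3002 = Service("TCP 3002", "tcp", 3002)  # new service object for option 1
ALLOW_BOTH = [AccessRule(CCTV, TCP3000, "allow"), AccessRule(OTHER, TCP3000, "allow")]

def single_ip_same_port() -> Dict[NatKey, NatPolicy]:
    """The original problem: both policies keyed on PUBLIC_A:3000 collide."""
    return build_nat_table([
        NatPolicy(PUBLIC_A, TCP3000, CCTV, TCP3000),
        NatPolicy(PUBLIC_A, TCP3000, OTHER, TCP3000),
    ])

def pat_table() -> Dict[NatKey, NatPolicy]:
    """Option 1: distinct public ports, both translated to internal port 3000."""
    return build_nat_table([
        NatPolicy(PUBLIC_A, TCP3001, CCTV, TCP3000),
        NatPolicy(PUBLIC_A, TCP3002, OTHER, TCP3000),
    ])

def multi_ip_table() -> Dict[NatKey, NatPolicy]:
    """Option 2: distinct public IPs, same public port 3000."""
    return build_nat_table([
        NatPolicy(PUBLIC_A, TCP3000, CCTV, TCP3000),
        NatPolicy(PUBLIC_B, TCP3000, OTHER, TCP3000),
    ])

if __name__ == "__main__":
    try:
        single_ip_same_port()
    except PolicyConflict as exc:
        print("conflict:", exc)
    print(forward(pat_table(), ALLOW_BOTH, PUBLIC_A, "tcp", 3001))   # CCTV
    print(forward(pat_table(), ALLOW_BOTH, PUBLIC_A, "tcp", 3000))   # None: 3000 no longer exposed
    print(forward(multi_ip_table(), ALLOW_BOTH, PUBLIC_B, "tcp", 3000))  # other software
    print(forward(pat_table(), [], PUBLIC_A, "tcp", 3002))          # None: NAT without an access rule
```

The last call in the `__main__` block is the point of the third step in the answer above: a NAT policy only rewrites the destination, and the packet is still dropped unless an access rule permits the translated host and service. The model also makes the side effect of option 1 visible, since once port 3000 on the public IP no longer has a policy of its own, connections to it are dropped rather than reaching the CCTV.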