glenj1978

Sonicwall Help

I have a block of public IP addresses from my ISP, and I'm only using one (small operation here). I need to use a second one and have the incoming traffic pointed at a specific server (runs our video security system), and I have no idea how to do that. Can anyone give me step-by-step instructions?

I have a Sonicwall NSA-3600 running SonicOS Enhanced 6.2.9.0-21n

Thanks!
btan

You may want to take a look at this, where the key action is to set the access rule in step 5 and define the source and destination IP addresses accordingly. It is good to manage the bandwidth limit too. https://www.sonicwall.com/en-us/support/knowledge-base/170505908377871
Hi Glen,

Here is what you need to do assuming you have a 1.1.1.1/29 Public subnet.

Address Objects.

Create new Address Objects for all the Public IPs except your primary on X1. Make sure the Zone is set to WAN.

Public Server Wizard.

Go through the Wizard to allow services through. It is the most comprehensive way to configure port forwarding. It will use the X1 address so once you have concluded go into Access Rules, and NAT Policies and locate them and replace X1 Primary IP with your desired Address Object for the Public IP you want to use.

Public DNS. (optional)

If you want to use a domain name such as cameras.yourdomain.com, then add a new A record (or modify an existing one) that uses the new IP address.

Security Architecture for IP Cameras. (Recommended)

For security I'd recommend not opening up remote access (following the steps above) for IP Cameras because they are notoriously insecure and vulnerable. Rather, for management I'd create an SSL-VPN with 2FA (built into SonicWALL) and manage the IP Cameras internally. Regardless of whether you decide to create port forwarding or use the VPN option, I'd isolate your IP Cameras to a specific subnet and Zone, then block all other Zones from accessing it except YourNewZone>WAN.

Let me know if you have any questions!
If you have a CCTV IP cam and are doing live capture, you will need a repository for the interim storage, which can be huge. So you would likely consider some cloud repo such as AWS or others (WAN) and only allow it to come into your actual IP cam server (LAN). See an example:
https://www.sonicwall.com/en-us/support/knowledge-base/170503477349850
FYI: the Public Server Wizard does all of what the KB article you listed describes automatically and is the most comprehensive way to configure port forwarding.
Hi OP

Great choice on firewall, by the way. I love the NSA series; I have worked on Juniper, Fortinet/gate, Palo Alto (blaghh).
It's pretty straightforward once you have done it a couple of times.
I've not read the articles that have been posted; I'm sure they are helpful.
I'm assuming this is so the security company or yourself can RDP (only an example) in and view/fix/maintain your server.
You will need to create two address objects: 1 CCTV int and 2 CCTV/NAT ext (call them what you like).
CCTV int assign to your internal LAN and CCTV/NAT ext assign to your WAN interface.
You will then need to create a few NAT policies.
1.
Source Original: CCTV int
Source Translated: CCTV/NAT ext
Destination Original: any
Destination Translated: Original
Services I say leave at any and original; not the greatest, but I'll explain why in a bit.
Inbound interface: LAN
Outbound interface: WAN
(possibly not needed, as your CCTV is going to be accessed, not accessing)
2.
Source Original: any
Source Translated: Original
Destination Original: CCTV/NAT ext
Destination Translated: CCTV int
Again, services I say leave at any and original; not the greatest, but I'll explain why in a bit.
Inbound interface: WAN
Outbound interface: ANY (you cannot select the external interface; the FW has to)
(The rule says: if you are external and you are going to the external IP, FW be a good lad and change it to its internal IP.)
3.
Source Original: (the address group containing all internal IPs, or the one you want to access the CCTV's external IP)
Source Translated: CCTV/NAT ext
Destination Original: CCTV/NAT ext
Destination Translated: CCTV int
(This rule will allow you to access the "external" CCTV internally, technically the same way external users would, for testing your FW rules and whatever else.)

After that you will need firewall rules.
As it's your CCTV system, you don't want to have a WAN to LAN rule saying any to CCTV/NAT ext; that is asking for trouble.
Personally I would create an address group and call it "CCTVext accGRP", and in that group I would only put the IP address/FQDN of people you have authorised. That way your rule can be a little bit more relaxed on what ports you allow till you iron out what is actually needed.

Further personal advice would be, once you have it up and running, to then start locking it down.
On NAT rule number 2 you can set "Source Original" to the CCTV access group you created, and the "Source Translated" will stay at Original. That should prevent most scanners from seeing that you have another address responding (even denies).
Having NAT rule 1 in place can help maintain the device's security: if you see in the log that the CCTV is actually accessing the internet when it shouldn't be used for internet access, you can then lock it down and investigate.

I hope I got right what you are trying to do.
If not, please clarify.

Regards
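The three NAT policies and the restricted WAN to LAN access rule described in the answer above, modelled in Python as an added example (not from the thread or from SonicWall); the address objects, the LAN subnet and the single authorised source are constructed placeholders from documentation ranges, and the policy names returned stand in for what you would look for in the firewall log.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed address objects (documentation ranges, not the asker's real IPs).
CCTV_INT = ip_address("192.168.10.50")   # "CCTV int": camera server on the LAN
CCTV_EXT = ip_address("203.0.113.11")    # "CCTV/NAT ext": the spare public IP
LAN_SUBNET = ip_network("192.168.10.0/24")
# "CCTVext accGRP": the only WAN sources allowed to reach the public IP.
ACCESS_GROUP = {ip_address("198.51.100.7")}

@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    iface: str   # interface the packet arrives on: "LAN" or "WAN"

def access_rule(p: Packet) -> bool:
    """WAN->LAN rule written against the original (pre-NAT) public address:
    only the authorised group may talk to CCTV/NAT ext; everyone else is dropped."""
    if p.iface == "WAN" and p.dst == CCTV_EXT:
        return p.src in ACCESS_GROUP
    return True  # other directions are outside this example's scope

def nat(p: Packet) -> tuple[Packet, str]:
    """First matching NAT policy wins; returns the translated packet and the
    name of the policy that fired (the thing you would see in the log)."""
    # Policy 2: WAN client -> public IP, rewrite destination to the internal host.
    if p.iface == "WAN" and p.dst == CCTV_EXT:
        return Packet(p.src, CCTV_INT, p.iface), "policy 2 (inbound)"
    # Policy 3 (loopback): a LAN host using the public IP gets src AND dst
    # translated, so it exercises the same path an external user would.
    if p.iface == "LAN" and p.src in LAN_SUBNET and p.dst == CCTV_EXT:
        return Packet(CCTV_EXT, CCTV_INT, p.iface), "policy 3 (loopback)"
    # Policy 1: the camera server's own outbound traffic leaves as the public IP.
    # A hit here means the CCTV box is reaching the internet, which is worth investigating.
    if p.iface == "LAN" and p.src == CCTV_INT:
        return Packet(CCTV_EXT, p.dst, p.iface), "policy 1 (outbound)"
    return p, "no match"

def process(src: str, dst: str, iface: str):
    """Return (allowed, translated_src, translated_dst, policy) for one packet."""
    p = Packet(ip_address(src), ip_address(dst), iface)
    if not access_rule(p):
        return (False, None, None, "dropped by access rule")
    t, policy = nat(p)
    return (True, str(t.src), str(t.dst), policy)
```

Feeding an unauthorised WAN source through `process` shows it never reaches the NAT stage, which is the "scanners see no response" effect the answer is after.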
Easiest method is using the wizard as BST has pointed out. As long as the address is in the same subnet as the existing public IP you're using, you won't have any issues.