Sonicwall Port Forwarding (Wan port different from the Internal Port) Enhanced OS

If you have a SonicWall running SonicOS Enhanced and need to forward a service whose WAN (public) port differs from the LAN (internal) port, the setup is a bit tricky: the Public Server Wizard assumes the same port on both sides, so the NAT policy it creates has to be edited afterwards.

Scenario: Terminal Services (RDP) session

External IP, port 3387 -> Internal IP, port 3389

Create a service object for the WAN port (only needed when it is not a standard service; in our scenario: TCP 3387).

In the SonicWall management interface, go to:

Network -> Services -> Add Service *** Do not add a Service Group! ***

Name : Custom RDP
Protocol : TCP(6)
Port Range : 3387 – 3387

Create the port forward with the Public Server Wizard as usual. (This is the simplest route: the wizard creates all the rules, including the NAT policy and the access rule.)

Go to: Firewall; at the top, select Wizards
Select Public Server Wizard, Next
Select the service type created previously: Custom RDP, Next
Enter your internal server IP, Next
Enter your public server IP, Next

Apply, Close

Next, modify the translated port manually, since the wizard used the same port (3387) on both sides.

Go to:

Network -> NAT Policies

Open the inbound NAT policy the wizard created. It should look like this:

  • Original Source: Any
  • Translated Source: Original
  • Original Destination: rdp_publicIP
  • Translated Destination: rdp_privateIP
  • Original Service: Custom RDP
  • Translated Service: Terminal Services RDP
  • Inbound Interface: WAN
  • Outbound Interface: Any
  • Comment: Enter a short description
  • Enable NAT Policy: Checked
  • Create a reflective policy: Unchecked

The Translated Service must be changed from Original to the internal server's port (the service object for TCP 3389). If SonicOS rejects the change with an "Unknown Service Class" error, the two service objects do not cover the same protocols: the built-in Terminal Services RDP object includes both TCP and UDP, whereas Custom RDP is TCP only. Pick the built-in Terminal Services TCP object instead (or make Custom RDP cover TCP and UDP as well) so that the original and translated services match.

If the connection still fails afterwards, check the access rule the wizard created (Firewall -> Access Rules, zone WAN to LAN): its Destination must be the public (WAN) IP and its Service must be the public port (Custom RDP, TCP 3387), not the internal port. The access rule is matched on the traffic as it arrives at the WAN IP; the NAT policy then takes over and rewrites the destination to the internal server and port.

Click OK

Test from an RDP client:

Address: PublicIP:3387

The session should connect to the internal server on port 3389.
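As an added example (not part of the original post), the test above can be scripted instead of clicking through an RDP client. The probe below sends the X.224 Connection Request that every RDP client sends first and reports success only if an X.224 Connection Confirm comes back: a plain TCP connect shows only that something answered on the public port, the Confirm shows that the translated destination really is an RDP listener. A small localhost stand-in for the terminal server is included so the script runs offline; the host name `PublicIP` and the port numbers in the comments are assumptions taken from the scenario above.

```python
"""Probe a port-forwarded RDP service (added example, not from the original post).

Sends the X.224 Connection Request an RDP client sends first and checks for
the X.224 Connection Confirm. The fake server below stands in for the
internal terminal server so the script runs offline; against the firewall
you would probe the public IP on the public port (3387 in the scenario).
"""
import socket
import threading

# TPKT (RFC 1006) header + X.224 Connection Request, as sent by mstsc:
#   03 00        TPKT version 3, reserved byte
#   00 0b        total length, 11 bytes
#   06           X.224 length indicator (bytes that follow)
#   e0           TPDU code: Connection Request (low nibble = credit)
#   00 00 00 00  DST-REF, SRC-REF
#   00           class 0
X224_CONNECTION_REQUEST = bytes.fromhex("0300000b06e00000000000")
X224_CR_CODE = 0xE0  # Connection Request
X224_CC_CODE = 0xD0  # Connection Confirm


def parse_tpkt(data: bytes):
    """Return (x224_tpdu_code, payload) or None if data is not a TPKT/X.224 PDU."""
    if len(data) < 7 or data[0] != 3:
        return None
    if int.from_bytes(data[2:4], "big") != len(data):
        return None
    li = data[4]
    if 5 + li > len(data):
        return None
    return data[5] & 0xF0, data[5 + li:]


def probe_rdp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if host:port answers a Connection Request with a Connection Confirm."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(X224_CONNECTION_REQUEST)
            data = s.recv(1024)
    except OSError:
        return False  # refused, filtered or timed out: the forward is not working
    parsed = parse_tpkt(data)
    return parsed is not None and parsed[0] == X224_CC_CODE


# --- Constructed stand-in for the internal terminal server (offline testing) ---
# Replies to any Connection Request with a minimal Connection Confirm; a real
# Windows host would also append an RDP_NEG_RSP after the class byte.
X224_CONNECTION_CONFIRM = bytes.fromhex("0300000b06d00000123400")


def start_fake_rdp_server():
    """Listen on an ephemeral 127.0.0.1 port; returns (port, stop_function)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket shut down by stop()
            with conn:
                parsed = parse_tpkt(conn.recv(1024))
                if parsed is not None and parsed[0] == X224_CR_CODE:
                    conn.sendall(X224_CONNECTION_CONFIRM)

    def stop():
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


if __name__ == "__main__":
    # Offline run against the stub. Against the firewall (assumed values from
    # the scenario, replace with your own):
    #   probe_rdp("PublicIP", 3387) -> True  : forward and port translation work
    #   probe_rdp("PublicIP", 3389) -> False : the internal port is not exposed
    port, stop = start_fake_rdp_server()
    print(f"stub on 127.0.0.1:{port} ->", probe_rdp("127.0.0.1", port))
    stop()
```

Running the probe against the public IP on 3389 as well is a worthwhile check: it should fail, confirming that only the intended public port reaches the terminal server.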

 

13 thoughts on “Sonicwall Port Forwarding (Wan port different from the Internal Port) Enhanced OS”

  1. Hi Guys

    This was correct, however it didn't work for me until I added a firewall rule
    from zone WAN to LAN.

    Source = Any
    Destination = WAN Primary IP
    Service = Public TCP port (3387 from example above)

    This threw me off as usually destination is your internal server
    But basically this is to direct traffic to the WAN IP and then the NAT rule takes over from there

  2. I’m having to add 3 port forwarding rules for a client, an action that would take 30 seconds with most commercial devices, but instead it has taken me an hour because I can’t…just…specify a PORT NUMBER.

  3. The comment from Gary above is correct: You must make sure to specify the External Port in the Firewall Access Rule that the wizard created using the internal port.

    I also agree with Nick Kukich in that Sonicwall’s interface for adding a very simple port forward is quite clunky and slow. This process shouldn’t take that long, home routers make it very easy! This interface makes it **slow** and **more difficult**.

  4. Well home routers aren’t anywhere near as secure or flexible nor are they (typically) capable of multiple LAN/WAN/DMZ segments which is where the need for additional configuration comes into play. When I first started configuring commercial firewalls (Cisco ASA/PIX is just as cumbersome) I couldn’t understand why they felt the need to be so seemingly over-complicated. But now that I’ve spent some years with them, I see why they are like they are now. That being said, in all those years I never thought to use the wizard…duh!

    Anyway, I was using a Sonicwall TZ210 with the following versions:

    Firmware Version: SonicOS Enhanced 5.6.0.11-61o
    Safemode Version: Safemode 5.0.1.13
    ROM Version: SonicROM 5.0.2.11

    And it created the firewall rules automatically. If I followed the instructions above, it worked perfectly. Nice article, thanks a ton!

  5. This is a great resource, there is one minor change that I would make (just so that the uninitiated can get through this).
    If you use the Translated Service “Terminal Services RDP” as suggested in the NAT Policy you will get an “Unknown Service Class” error. This error is caused because the “Terminal Services RDP” service has both TCP and UDP protocols, and the service we created called “Custom RDP” only has TCP; this mismatch will cause the error. The easiest solution is to use “Terminal Services TCP” instead of “Terminal Services RDP”. Hope this helps

  6. Nice article and a good reference.
    If you can help it, I would suggest against using the wizard as it WILL add a Services Group no matter what and 1 additional NAT policy that is not needed. Less entries = better performing router 🙂

    Typically I would add:
    1. Service objects (essentially custom ports)
    2. Address objects (your LAN and WAN IPs)
    3. Services (oddly now located under Network section)
    4. add NAT policies

      • Original Source: Any
      • Translated Source: Original
      • Original Destination: Your-Public-IP
      • Translated Destination: Your-Private-IP
      • Original Service: Custom-RDP
      • Translated Service: Remote Desktop 3389
      • Inbound Interface: X1
      • Outbound Interface: Any

    with option to create Reflexive policy that adds second rule

      • Original Source: Your-Private-IP
      • Translated Source: Your-Public-IP
      • Original Destination: Any
      • Translated Destination: Original
      • Original Service: Any
      • Translated Service: Original
      • Inbound Interface: Any
      • Outbound Interface: X1

    5. and finally open Firewall to your needs but basic is
    WAN > LAN: Source Any, Destination Your-Public-IP, Service Custom-RDP, Action Allow

    All the best!

  7. This worked perfectly. Key is to make sure you use your custom port when you use the wizard. Then change the proper NAT policy to use the Terminal Services TCP.

    Many thanks. Saved me hours!
