by lunarg on April 28th 2015, at 15:24

This article is a quick reminder (for myself) on how to properly configure port forwarding on a Dell Sonicwall firewall.


First, create the address and services objects you need for the port forwarding. In case of multiple addresses or services, create a group and add all objects in that group.

Address object for a local server

Service group with multiple services

Predefined objects, such as the WAN IP are already present and do not have to be created again. Also, the advantage of using these predefined objects is that they are dynamic: e.g. if the WAN IP changes, the policies and rules that use this object will not have to be changed.

Once the objects are in place, they can be referenced from the NAT policies.

NAT policies

NAT policies define the actual port forwarding. For a port forwarding to work properly, there are 3 policies that have to be defined:

  • Inbound policy: directs and translates the service from WAN to the computer behind the firewall.
  • Outbound policy (also called "reflexive" policy): outbound traffic from the computer back to WAN (and the client) gets properly directed (and translated if needed).
  • Loopback policy: allows clients behind the firewall to use the WAN IP to connect to the computer which is also behind the firewall. Sonicwall is one of the few firewalls that actually support this without strenuous configuration.

Create the policies like so, referencing the objects you've created earlier.

Inbound policy

Outbound policy

Loopback policy

Firewall rules

With the NAT policies in place, you still have to configure the required firewall rule to allow traffic to pass through the firewall. Set the destination address object to the WAN IP address, as it will be enough to accept the traffic for the services on the WAN IP of your firewall. Once the traffic is on the firewall, the NAT policies will do the rest.

You may also have to create an outgoing firewall rule to allow traffic from the computer behind the firewall to WAN. In this case, the source address will be the internal address object of your computer.

« June 2024»
« Most people tend to avoid true conflict. Ironically this breeds more conflict. »