Port Forward through Site to Site VPN
I have been fighting with this for a couple of weeks going over many tutorials and I just cant make it work.
Situation is I need to access a security camera DVR on site B by using the WAN IP of site A. I have a Site to Site VPN from A to B up and working fine.
I have the same type of security camera system at Site A and have made the port forwarding rules for it and can access it just fine. But trying to do the same to get to the cameras on Site B just doesn't work. I can access the site B cameras from site A as long as I am on the site A LAN, so I know that the cameras are accessible from A, just can't do it from the WAN
Any guidance I can get would be great. This wasn't an issue until I switched site B to Starlink so it doesn't have a static IP any more. That is why I need to get in from Site A
Site A: SonicWall TZ-300
WAN = 74.220.8.xx
LAN = 192.168.76.1
Site B: UniFi USG-PRO-4
WAN = Dynamic
LAN = 192.168.77.1
Camera DVR 192.168.77.25 Port 8005
Best Answer
-
Ajishlal Community Legend ✭✭✭✭✭
its possible. Follow the below steps.
Assume SITE A to SITE B VPN tunnel is UP.
SITE A Firewall Configuration: Create Firewall Access Rule as same as below. ( Create a service group and add the CCTV ports of the Site B NVR)
Once you done the above step, Create NAT Rule as same as below;
I hope above configuration will solve your problem.
1
Answers
While Ajishlal's screenshots are helpful, we do not know what your current configuration is as you did not provide its details.
Think about the flow of both the inbound and outbound traffic. Inbound from the requester will hit Site A WAN, translate to the site B DVR address, and send that traffic over the existing tunnel (because that subnet exists in its routing table).
Outbound from the DVR will NEED to traverse the VPN to reply properly. How can we get it to do that?
NAT needs to be applied to the SOURCE AND DESTINATION of the original inbound traffic.
Site A:
Create address objects for the chosen WAN IP used for access, the Service(s) (Ports) required, and the IP address of the DVR in the VPN zone.
You'll need an Access Rule (on SITE A firewall) as follows.
Action: Allow; From: WAN; To: VPN; Source: Any; Destination: (your chosen WAN IP e.g. 74.220.8.11); Service: (TCP & UDP Port 8005)
NAT rule as follows.
Original Source: Any; Translated Source: (internal LAN interface IP e.g. X0 IP); Original Destination: (your chosen WAN IP e.g. 74.220.8.11); Translated Destination: (DVR IP); Original Service: (TCP & UDP Port 8005); Translated Service: Original; Inbound Interface: (WAN interface); Outbound Interface: Any
The reason you need to translate the source is because of your VPN tunnel. If you don't translate the source, the DVR will receive a packet with a source of the senders WAN IP, so the DVR will reply to that address, and the traffic will be sent out the local gateway (not over the VPN tunnel).
That did it thank you. I was really close just have a couple of selection wrong.