How to NAT based on FQDN behind another router

This is what I have (dns to WANIP) (dns to WANIP) (dns to WANIP) (dns to WANIP)   


 | WANIP = public static WAN ipv4



  FREEBOX router mode, DMZ set to

   |__ lan gw  port 8443

 |___ server1 port 7777

 |___ server2 port 8888

 |___ server3 port 9999


 and I would like to allow access from WAN to map to;7777

 and I would like to allow access from WAN to map to;8888


Category: Entry Level Firewalls


  • BWC Cybersecurity Overlord ✭✭✭

    @zizounet short answer, you can't because NAT is not SNI based. You need to get yourself a reverse proxy.


  • preston Enthusiast ✭✭
    edited July 2023

    Hi @zizounet, you would need to use PAT: create a NAT rule for each on the SonicWall in the NAT rules.

    Important: make sure you first change the HTTPS management port, if enabled on the WAN interface, to another port like 444.

    in your first example as below :

    Original Source = ANY - Translated Source = Original

    Original Destination = set to the destination FQDN (

    Translated Destination =

    then set the Original Service = HTTPS and set the Destination Service = 7777

    Access Rules - In the WAN to LAN access rules, Source (ANY), Destination (your SonicWall WAN IP), add the translated ports, i.e. 7777, to the Destination service; do not change the Source Port on the rule.

    How to Set up PAT below :

    You may also need to create port forwarding on your Freebox to the (DMZ IP) SonicWall WAN IP for HTTPS. I know on my Orange Live box, even though I have the DMZ option enabled, it still requires me to add the NAT rules for each service I'm forwarding to the SonicWall.

  • preston Enthusiast ✭✭

    @zizounet the above doesn't work as expected, I need to do some further testing

  • MustafaA SonicWall Employee

    As @BWC highlighted, the requirement cannot be fulfilled as is, since the NAT policies are not based on SNIs (Server Name Indicator). You have two options:

    1. Use reverse proxy, or
    2. Give each URI a distinct port so that it can be translated to the internal IP-Port pair
  • preston Enthusiast ✭✭

    @MustafaA , Yes I realised after I wrote the comment, but it doesn't let you delete your own comments
