No more hiding in the server room
Does anyone have any familiarity with this?
To describe my needs:
We are in the process of having a wISP connection set up at a 100-horse barn. The intention is to grant specific customers and staff members the ability to view our on-site IP cameras from their location.
All cameras currently get recorded by a Linux-based QNAP NVR. When the wISP setup is complete, I plan on adding a static public IP for this device. But I am worried about giving access to a security device online. I am thinking it may be better to port forward a range of ports to the specific cameras, so only 1 device can be viewed at a time remotely, per customer.
The issue I face is that SonicWALLs blow.
I had port forwarding set up for an internal VOIP server, but it always seemed like the server had issues receiving incoming calls. In theory, everything was set up perfectly, but in practice, the firewall was constantly closing out UDP ports that the VOIP server received calls on. I ended up moving the VOIP server to sit both on the LAN and directly on the internet, and set up a lot of routing via IPTables to secure it. Now all phone devices use the internal LAN network to communicate with the VOIP server, and the public interface is used purely for the SIP trunks. All other traffic (except SSH on a non-standard port) is instantly trashed. The server also has BFD and APF installed to cut out port scans long before the scanner gets up into the range serving SSH.
I want to set up port forwarding for each of the cameras, using the port range of 8080 through 8120. Does anyone have any familiarity with setting this up who can confirm what other ports may need to be unblocked for the cameras to work? A confirmation this is even possible with a SonicWALL TZ210 would be awesome too.
If this is not viable, would you place the NVR both on the LAN and the internet? How would you secure it so it could not be used to attack the secured LAN, etc.?
Getting rid of the SonicWALL is out of the question; it handles our VPNs, content filtering, LAN security, etc. Replacing it with a Cisco product is also not possible; the 3 routers were recently renewed at $3k a device.
© 2012 Created by Elizabeth Ayer and Michael Francis.