[ATP/FLEX] How to Set up DMZ on Nebula

Zyxel_James Posts: 616  Zyxel Employee
edited June 2023 in Networking

A DMZ is a public zone in your network where you place servers that must be reachable from the outside. Its typical policy is to allow traffic from the WAN and from the LAN into the DMZ, but to block traffic from the DMZ into the LAN, so a compromised public server cannot reach internal hosts. Although there is currently no "DMZ" option in the Nebula Control Center menu, you can still build one by combining a customized Guest interface with NAT settings.


Traffic rules of the DMZ:

1. Traffic from WAN to DMZ: allowed, achieved by NAT rules
2. Traffic from LAN to DMZ: allowed, achieved by the default security rule
3. Traffic from DMZ to LAN: denied, achieved by the Guest interface


Configuration Steps

Go to Configure > Firewall > Port, click +Add to create LAN Group 3, and assign it to the Optional Port (P6).



Go to Configure > Firewall > Interface, and click +Add to create a LAN interface.

Configure the LAN interface with the following settings:

- Enabled: turn it on
- Interface Name: DMZ
- Port Group: LAN Group 3
- IP address assignment: 192.168.13.1/255.255.255.0
- DHCP Setting: DHCP server


Now that the DMZ interface exists, we still have to enable the Guest option on it and add NAT rules to make it behave like a real DMZ interface.

Go to Configure > Firewall > Interface, and enable the Guest button on the DMZ interface. A Guest interface means that client devices connected to it have Internet access but cannot access other LAN interfaces; this is what enforces rule 3 (DMZ to LAN denied).


Go to Configure > Firewall > NAT, and create NAT rules that map the WAN IP address to the server IP address in the DMZ; this provides rule 1 (WAN to DMZ allowed) and only for the ports you explicitly publish. If several ports need to be mapped to the server, create one entry per port, or enter a range in Public Ports/Local Ports.



Test the Result

Client (LAN): 192.168.11.33

Server (DMZ): 192.168.13.11

- Clients on the LAN can ping the server in the DMZ LAN.
- The server in the DMZ LAN cannot ping clients on the LAN.
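To sanity-check the three traffic rules before deploying, here is an added policy model (example code, not Zyxel's or Nebula's own) that classifies a flow into WAN/LAN/DMZ zones from the post's subnets and applies rules 1 to 3, including the NAT port-range lookup. The WAN IP 198.51.100.1 and the 8080-8081 to 80-81 port range are constructed sample values, and the DMZ-to-WAN allow is an assumption that a Guest interface keeps Internet access.

```python
"""Model of the Nebula DMZ built from a Guest interface plus NAT rules.
Added example; zone subnets and the server IP come from the post above."""
import ipaddress
from typing import NamedTuple, Optional, Tuple

LAN = ipaddress.ip_network("192.168.11.0/24")
DMZ = ipaddress.ip_network("192.168.13.0/24")
SERVER = ipaddress.ip_address("192.168.13.11")
WAN_IP = ipaddress.ip_address("198.51.100.1")   # constructed sample WAN address


class NatRule(NamedTuple):
    public_ports: range                 # ports published on the WAN IP
    local_ports: range                  # matching ports on the DMZ server
    local_ip: ipaddress.IPv4Address


# Constructed sample: one range entry, Public Ports 8080-8081 -> Local Ports 80-81
NAT_RULES = [NatRule(range(8080, 8082), range(80, 82), SERVER)]


def zone(ip: str) -> str:
    """Classify an address into the zone its interface belongs to."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "LAN"
    if addr in DMZ:
        return "DMZ"
    return "WAN"


def nat_target(public_port: int) -> Optional[Tuple[ipaddress.IPv4Address, int]]:
    """Translate a public port to (local IP, local port) via the NAT table."""
    for rule in NAT_RULES:
        if public_port in rule.public_ports:
            offset = rule.public_ports.index(public_port)   # ranges are same length
            return rule.local_ip, rule.local_ports[offset]
    return None


def verdict(src: str, dst: str, dport: int) -> str:
    """Apply the DMZ policy: rule 1 (WAN->DMZ via NAT), rule 2 (LAN->DMZ),
    rule 3 (DMZ->LAN denied by the Guest interface)."""
    s, d = zone(src), zone(dst)
    if s == "WAN":
        target = nat_target(dport)
        hit = ipaddress.ip_address(dst) == WAN_IP and target is not None
        return "ALLOW" if hit and zone(str(target[0])) == "DMZ" else "DENY"
    if s == "DMZ" and d == "LAN":
        return "DENY"                    # rule 3: Guest interface blocks LAN
    return "ALLOW"                       # rule 2, intra-zone, LAN/DMZ -> WAN (assumed)
```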