USG Flex 200 - Firewall by WAN

Dear support, is possible to configure firewall rules different for WAN1 and WAN2 ?
«1

All Replies

  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    Sadly no...wish the same thing is does for routing.

  • FelixSchneider
    FelixSchneider Posts: 49  Freshman Member
    First Anniversary 10 Comments Friend Collector
    I also wish there was the possibility to do so, would make things easier or in your case possible  :'(
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,039  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Thanks for your inquiry but we don't support this feature.
    May I know do you have any specific purpose or scenario in your environment?
    Maybe you can share it with us and come up with a workaround for you.
  • FelixSchneider
    FelixSchneider Posts: 49  Freshman Member
    First Anniversary 10 Comments Friend Collector
    @Zyxel_Jeff
    So here is the thing, we know compared to the on premise configuration Nebula is locked down, but many of us come from IP-Tables and Object Based Firewall Rules etc. so it's a bit frustrating and unclear how to do certain things. For the barebones stuff it is "easier" or different, but as soon as you want to do something a little bit advanced it's not a great time.

    As for the usecase I think all Implementations of Firewall Rule creation ways that i have seen be it Cisco,  Opensense, Ubiquiti all have some kind of specifying wan or outside.



    For my usecase I would like to have Wan as a specifyer to not having my network wide open to my guests...
    My fix to mitigate this I have to do this:

    It's ok but unneccessary because in the on premise mode it's so much clearer what to do... Just select Wan.

    If i had a wish I would like the object based Firewall Rules from the on premise mode, combined with the simple and really beautiful overview of the different Dashboards in Nebula. :3

    Kind Regards
    Felix Schneider
  • PeterUK
    PeterUK Posts: 2,655  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    Hmm you might like to use the stand-alone without NEBULA as that gives you more control. I'm a bit surprised NEBULA don't do this. For the USG Flex 200 when looking at your issue was thinking you mean WAN1 and WAN2 are in zone WAN but if all you care about is which zone goes to where stand-alone is for you plus you can make WAN VLAN's with a zone.



  • FelixSchneider
    FelixSchneider Posts: 49  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Just an Idea, maybe a Policy Route will also work ,but you would have to configure this for every Subnet/Interface as the Source.


  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,039  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @aalfano_sirm

    Regarding the feedback which was from PeterUK and FelixSchneider, you could create a policy route to allow traffics could be passed through the specific wan interface for a workaround solution, please refer to this discussion Selected LAN IP via selected WAN to internet.


  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,039  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    @Zyxel_Jeff
    So here is the thing, we know compared to the on premise configuration Nebula is locked down, but many of us come from IP-Tables and Object Based Firewall Rules etc. so it's a bit frustrating and unclear how to do certain things. For the barebones stuff it is "easier" or different, but as soon as you want to do something a little bit advanced it's not a great time.

    As for the usecase I think all Implementations of Firewall Rule creation ways that i have seen be it Cisco,  Opensense, Ubiquiti all have some kind of specifying wan or outside.



    For my usecase I would like to have Wan as a specifyer to not having my network wide open to my guests...
    My fix to mitigate this I have to do this:

    It's ok but unneccessary because in the on premise mode it's so much clearer what to do... Just select Wan.

    If i had a wish I would like the object based Firewall Rules from the on premise mode, combined with the simple and really beautiful overview of the different Dashboards in Nebula. :3

    Kind Regards
    Felix Schneider

    OK, many thanks for your user experience sharing.
  • Hi @aalfano_sirm

    Regarding the feedback which was from PeterUK and FelixSchneider, you could create a policy route to allow traffics could be passed through the specific wan interface for a workaround solution, please refer to this discussion Selected LAN IP via selected WAN to internet.



    Absolutely not, i give you a stupid example of our customer:

    WAN1: Allow HTTP-HTTPS-POP3-SMTP
    WAN2: Allow POP3-SMTP

    Now if i configure a policy routing for POP3 and SMTP they pretend to work only on WAN1 or only on WAN2 but cannot work on both of them, also i have WAN2 that is a backup channel with low limit on monthly bandwidth so i cannot pretend to use it when WAN1 is working and cause to break the monthly limit costantly.

    I'll add also that we have a custom product (same cost of Zyxel but with lifetime license) that do this type of job from about 10 years, but we cannot use with our customer because is not so famous as Zyxel one, so it's absurd that a product like Zyxel this cannot do this.
  • FelixSchneider
    FelixSchneider Posts: 49  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited January 2023
    @aalfano_sirm
    Is your customer or you as provider dead set on using Nebula?

    Zyxels standard configuration, alias on premise or stand-alone offers much more flexibility and you can certainly, speaking from experience, create firewall rules with a specific outside interface, also QoS and BWM is possible. Maybe useful for tackling the wan2 monthly limit.

    I'm with @PeterUK on this one there seems to be no chance you will get what you want with Nebula Control Center.
    I know it's a bummer been there myself.

    Kind regards
    Felix Schneider

    edit:
    Did you specify wan2 as Backup interface on the very bottom of the Routing page when testing ?

Nebula Tips & Tricks