[NEBULA] Best Practice for NSG behind router

flottmedia
flottmedia Posts: 56  Ally Member
First Answer First Comment Friend Collector Nebula Gratitude
edited April 2021 in Nebula
On one of our sites we currently have a configuration like
internet <-> external router (192.168.2.1/24) <-> NSG100 (WAN:DHCP-Client on external router, LAN1 192.168.10.1/24) <-> NSW (DHCP-Client on LAN1 of NSG) <-> NAP 
The additional router is responsible for the internet uplink and acts as voip gateway. It has a static route over the reserved DHCP address of the NSG to 192.168.10.0/24. Furthermore there are a few more systems in subnet 192.168.2.0/24 that need to be accessible from clients on the NAP WiFi and vice versa. Unfortunatelay we could not find any firewall options / routing policies in Nebula to allow access from WAN-Subnet IPs in 192.168.2.0/24 to LAN1 IPs in 192.168.10.0/24, neither in NAT mode, nor in Router mode of the NSG. 

So, what would be the best practice to set up this setting?

«1

All Replies

  • TomorrowOcean
    TomorrowOcean Posts: 60  Ally Member
    First Comment First Answer Friend Collector Seventh Anniversary
    From your description, it seems your topology is simple and there should be no issue when you set all things up.
    What actual problem do you encounter?
  • flottmedia
    flottmedia Posts: 56  Ally Member
    First Answer First Comment Friend Collector Nebula Gratitude
    edited February 2019
    Thanks for your reply!
    From your description, it seems your topology is simple and there should be no issue when you set all things up.
    That's also what we assumed ... ;)
    What actual problem do you encounter?
    We couldn' find a way to set up firewall rules allowing incoming traffic to subnet 192.168.10.0/24 on LAN1 from subnet 192.168.2.0/24 on WAN1 - the other way works (of course). What we need would be a bi-directional routing between those two subnets over the NSG, but there doesn't seem to be an option for configuring that in nebula ...?
  • TomorrowOcean
    TomorrowOcean Posts: 60  Ally Member
    First Comment First Answer Friend Collector Seventh Anniversary
    Did you configure the static route on the uplink router?
    I think the packet routing from 192.168.2.0/24 to 192.168.10.0/24 should need static route.
  • flottmedia
    flottmedia Posts: 56  Ally Member
    First Answer First Comment Friend Collector Nebula Gratitude
    Sure. There isn't any issue with requests coming from 10.0/24 and going to the Internet. As answers from Internet > external Router > NSG > NSW > NAP > Client work fine, I assume the static route in the uplink router does its job. It's simply that there isn't any place in NCC where we can set a firewall rule allowing all packets from 2.0/24 on WAN1 of the NSG to pass to 10.0/24 on LAN1. Because of that e.g. the NSW web interface behind the NSG is not reachable from a client in 2.0/24.

    As far as I can see (and as you mentioned above) this setting should be a really simple configuration option for EVERY router, right? Or are we too stupid to find it, @Nebula_Dean, @Nebula_Bayardo, @Nebula_CSO, @Nebula_Irene, @Nebula_Chris?
  • ivers
    ivers Posts: 45  Freshman Member
    First Comment First Answer Friend Collector Fifth Anniversary
    It's looks like you need setup the virtual server then can access from WAN to LAN's NSW web GUI.
    Assume you are using NAT mode and the initioator from WAN to LAN, LAN IP assign the NSW IP.
    You can find it in Gateway>fiewall>NAT


  • flottmedia
    flottmedia Posts: 56  Ally Member
    First Answer First Comment Friend Collector Nebula Gratitude
    Thanks for the reply, @ivers! We (of course) tried that before this post. Unfortunately neither the 1:1 NAT, nor the Virtual Server settings seem to allow "any" IPs or whole subnets with all ports as mappings. We simply need all traffic (including e.g. pings over ICMP) to pass from 192.168.2.0/24 on WAN1 to 192.168.10.0/24 on LAN1 while traffic from the Internet originating from the external router (= all other non internal subnets / addresses) is still blocked / filtered for 192.168.10.0/24.

    Nevertheless, we hopefully found a solution: Till now, we were always looking for a way to set a kind of "inbound rules", but as it seems the NSG needs an "outbound rule" allowing traffic from 192.168.2.0/24 to 192.168.10.0/24 on "any" port to enable the routing described above. Maybe then the respective inbound rule is set somehow automatically in NCC?

    Although our issue seems to be solved for the moment, we would be quite happe if someone from Zyxel could finally give a statement here, if this way REALLY is the "best practive" for the described scenario (e.g. @Zyxel_Charlie, @Zyxel_Stanley, @Zyxel_Emily, @Zyxel_Cooldia, @Zyxel_Jason) ...
  • Zyxel_Chris
    Zyxel_Chris Posts: 727  Zyxel Employee
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 50 Answers
    Please correct me if I'm wrong, you just need to allow the internal subnet from WAN to access LAN and you also need the service which incloud ICMP, if it is the case then 1:1 NAT may fit you.
    You can specify the paticular IP on "allowed remote IP" in your case is 192.168.2.0/24
    BTW, you mentioned that virtual server allow any ports as mapping which is not possible, may I know have you upgrade the NSG firmware to the latest version?

    /Chris


  • Ian31
    Ian31 Posts: 174  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    edited February 2019
    Hi,
    I think to allow to add inbound firewall rules is better to fit for pure routing scenario.
    Hope this could be consider in the further release.

  • flottmedia
    flottmedia Posts: 56  Ally Member
    First Answer First Comment Friend Collector Nebula Gratitude
    Thanks for the replay, @Nebula_Chris. What we want, is a simple routing of the subnets 192.168.2.0/24 on WAN1 and 192.168.10.0/24 on LAN1 (and only those two subnets) without any firewall interference. 

    As far as I can see, 1:1 NAT (as the name already says) only alows the mapping of one public IP to one private IP. At least we weren't able to use something like 192.168.2.0/24 as Public or LAN IP. 

    BTW, you mentioned that virtual server allow any ports as mapping which is not possible, may I know have you upgrade the NSG firmware to the latest version?
    Where exactly did you get that from? Anyhow, the firmware of all devices is up to date, and I can confirm that "Public port" and "Local port" don't (!) allow "any". Furthermore the LAN IP doesn't allow something like 192.168.10.0/24. 

    So, my question again: is using the "Outbound rules" with 

    Allow - Any - 192.168.2.0/24 - 192.168.10.0/24 - any - Always

    really (!) the best practice for our scenario?

    If so, I would agree with @lan31, that the currently somehow automatic generated Inbound rules in NCC would be much more intuitive to set. Especially the note "Inbound traffic will be restricted to this service in NAT settings" instead of configurable Inbound rules is not very helpful for the described scenario ...
  • RUnglaube
    RUnglaube Posts: 135  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    So, my question again: is using the "Outbound rules" with 

    Allow - Any - 192.168.2.0/24 - 192.168.10.0/24 - any - Always

    really (!) the best practice for our scenario?
    I think the answer is yes! Basically what you need is to open the WAN to LAN networks access which by default should be normally blocked. 
    192.168.2.0/24 and 192.168.10.0/24 are both part of the device so that's why you use outbound rules. Inbound rules will have to be used for internet or networks not configured in the device.

    I guess the external router is doing NAT already, if so I would use "Router" mode on the NSG.
    "You will never walk along"

Nebula Tips & Tricks