NAT rule "allow remote IP" on USG LITE 60AX no subnets?

rustywheelus (Posts: 4, Freshman Member)

First go-around with the USG LITE 60AX. The NAT rule "allow remote IP" doesn't seem to support a subnet, only a single IP (unless I'm doing something wrong). Is the only option to leave it at Any, then create firewall rules to limit allowed inbound subnets? Do NAT rules in this case also implicitly create the matching firewall rules (whether visible or not)? The device seems to have no concept of groups of networks, or groups of services, like its bigger brothers, so this is going to be a laborious task. Thanks.

All Replies

  • Zyxel_Tina (Posts: 270, Master Member)

    Hi @rustywheelus,

    We’ve confirmed the following points:

    • “Allow remote IP” currently accepts a single IP address only (subnets/CIDR are not supported).
    • Creating a NAT rule on Nebula automatically installs a matching firewall rule in the local device (not visible on the Nebula UI).
    • While an approach is to set Allow remote IP = Any and then constrain sources with security policies, we’d like to first understand your scenario to see if there’s a cleaner fit. To provide more precise guidance, could you share a bit about your network topology and the application/usage you’re trying to achieve?

    Zyxel Tina

  • rustywheelus (Posts: 4, Freshman Member)

    Very small site with a simple /24 network for the LAN. Legacy database on an internal server at, e.g., 10.9.8.90. Static WAN address of x.x.x.x. Need to allow access from several locations with a large range of public IPs. On most any USG device, I'd create a NAT rule: x.x.x.x port 8084 to 10.9.8.90 port 5432. Then a couple of network objects that are subnets, say a.a.a.a/28 and b.b.b.b/24, maybe a group G that includes these subnets; finally a firewall policy that allows inbound to x.x.x.x port 8084 only from group G.

    For future reference on your first two points above, are these limitations or implementations a result of Nebula, or the USG Lite device?

    If we do proceed with security policies to constrain sources, how do we know where the (not visible) firewall rule created by the NAT falls in the hierarchy of firewall rules?

    Site only has 4 users and a dozen network devices, so USG Lite seemed appropriate, but maybe we just need to use a more suitable model….

    Thanks

  • Zyxel_Tina (Posts: 270, Master Member)

    Hi @rustywheelus

    For future reference on your first two points above, are these limitations or implementations a result of Nebula, or the USG Lite device?

    This is the design of USG Lite device.

    If we do proceed with security policies to constrain sources, how do we know where the (not visible) firewall rule created by the NAT falls in the hierarchy of firewall rules?

    NAT rule has higher priority than security policy.

    Zyxel Tina

  • PeterUK (Posts: 4,099, Guru Member)

    The use of remote IP (aka source IP) for the NAT rule is so you can allow different remote IPs on the same port to reach different servers on one WAN IP.

    If this is not what you need, then setting remote IP to Any will be fine: the NAT will deal with the packet, then the security policy decides whether to allow it or not.
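To make the two-stage behaviour discussed in this thread concrete (a NAT rule whose "allow remote IP" takes a single host or Any, followed by security policies that constrain sources with subnet groups, with the NAT rule evaluated first as Zyxel_Tina states), here is an added Python model. It is example code written for this page, not Zyxel firmware or Nebula logic. The addresses are RFC 5737 documentation ranges standing in for x.x.x.x, a.a.a.a/28 and b.b.b.b/24, and the choice to match the security policy against the post-NAT (translated) destination is an assumption of this model; check it against the device's own policy semantics before relying on it.

```python
"""Toy model of inbound handling: NAT (port forward) first, then security policy.
Constructed example for this thread; not Zyxel/Nebula code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    wan_ip: str
    wan_port: int
    lan_ip: str
    lan_port: int
    remote_ip: str = "any"   # single host or "any", mirroring the USG Lite limitation


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    source_group: Tuple[str, ...]   # CIDR strings (the "group G" from the thread)
    dst_ip: str
    dst_port: int
    action: str                     # "allow" or "deny"


def in_group(ip: str, cidrs) -> bool:
    """True if ip falls inside any CIDR in the group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def nat_matches(rule: NatRule, pkt: Packet) -> bool:
    """A NAT rule matches on WAN ip:port and on remote IP (one host or any)."""
    if (pkt.dst, pkt.dport) != (rule.wan_ip, rule.wan_port):
        return False
    return rule.remote_ip == "any" or pkt.src == rule.remote_ip


def apply_nat(pkt: Packet, rules) -> Tuple[Packet, Optional[NatRule]]:
    """Return the translated packet and the rule that matched (first match wins)."""
    for r in rules:
        if nat_matches(r, pkt):
            return Packet(pkt.src, r.lan_ip, r.lan_port), r
    return pkt, None


def evaluate(pkt: Packet, nat_rules, policies, default: str = "deny") -> Tuple[str, Packet]:
    """NAT runs first (higher priority); security policy then decides on the translated packet."""
    translated, rule = apply_nat(pkt, nat_rules)
    if rule is None:
        return "drop-no-nat", translated     # no port forward for that WAN port / remote IP
    for p in policies:
        if (translated.dst, translated.dport) == (p.dst_ip, p.dst_port) and in_group(pkt.src, p.source_group):
            return p.action, translated
    return default, translated


def single_ip_rules_needed(cidrs) -> int:
    """How many one-host NAT rules the 'single IP only' field would need to cover the group."""
    return sum(ipaddress.ip_network(c, strict=False).num_addresses for c in cidrs)


# Constructed scenario: WAN 192.0.2.1 (x.x.x.x), DB server 10.9.8.90, allowed group G.
WAN_IP = "192.0.2.1"
GROUP_G = ("203.0.113.0/28", "198.51.100.0/24")     # a.a.a.a/28 and b.b.b.b/24
NAT_RULES = [NatRule(WAN_IP, 8084, "10.9.8.90", 5432, remote_ip="any")]
POLICIES = [SecurityPolicy("db-from-G", GROUP_G, "10.9.8.90", 5432, "allow")]

if __name__ == "__main__":
    for src in ("203.0.113.5", "203.0.113.20", "198.51.100.77"):
        print(src, evaluate(Packet(src, WAN_IP, 8084), NAT_RULES, POLICIES))
    print("one-host NAT rules needed instead of a subnet:", single_ip_rules_needed(GROUP_G))
```

Running it shows the approach from the thread working as intended: a source inside either subnet is translated to 10.9.8.90:5432 and allowed, a source outside group G is translated but then denied by the default policy, and a packet to a WAN port with no NAT rule never reaches the policy stage. The last line quantifies why a single-IP "allow remote IP" field is impractical for subnet-sized sources.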