NAT rule "allow remote IP" on USG LITE 60AX no subnets?

rustywheelus
rustywheelus Posts: 4  Freshman Member

First go around with the USG LITE 60AX. NAT rules "allow remote IP" doesn't seem to support a subnet, only a single IP (unless I'm doing something wrong). Is the only option to leave it at Any, then create firewall rules to limit allowed inbound subnets? Do NAT rules in this case also implicitly create the matching firewall rules (whether visible or not)? The device seems to have no concept of groups of networks, or groups of services, like its bigger brothers, so this is going to be a laborious task. Thanks.

All Replies

  • Zyxel_Tina
    Zyxel_Tina Posts: 155  Zyxel Employee

    Hi @rustywheelus,

    We’ve confirmed the following points:

    • “Allow remote IP” currently accepts a single IP address only (subnets/CIDR are not supported).
    • Creating a NAT rule on Nebula automatically installs a matching firewall rule in the local device (not visible on the Nebula UI).
    • While an approach is to set Allow remote IP = Any and then constrain sources with security policies, we’d like to first understand your scenario to see if there’s a cleaner fit. To provide more precise guidance, could you share a bit about your network topology and the application/usage you’re trying to achieve?

    Zyxel Tina

  • rustywheelus
    rustywheelus Posts: 4  Freshman Member

    Very small site with simple /24 network for LAN. Legacy database on internal server at, e.g. 10.9.8.90. Static WAN address of x.x.x.x. Need to allow access from several locations with large range of public IPs. On most any USG device, I'd create a NAT rule: x.x.x.x port 8084 to 10.9.8.90 port 5432. Then a couple network objects that are subnets, say a.a.a.a/28 and b.b.b.b/24, maybe a group G that includes these subnets; finally firewall policy that allows inbound to x.x.x.x port 8084 only from group G.

    For future reference on your first two points above, are these limitations or implementations a result of Nebula, or the USG Lite device?

    If we do proceed with security policies to constrain sources, how do we know where the (not visible) firewall rule created by the NAT falls in the hierarchy of firewall rules?

    Site only has 4 users and a dozen network devices, so USG Lite seemed appropriate, but maybe we just need to use a more suitable model….

    Thanks
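The ordering question raised in the last reply (where the NAT-generated, invisible allow rule sits relative to the source-restricting policies) can be reasoned about with a small first-match policy model. The following is an added example, not code from the thread or from Zyxel; the rule names, the documentation-range subnets standing in for a.a.a.a/28 and b.b.b.b/24, and the assumption that the policy matches on the post-NAT destination (10.9.8.90:5432) are all constructed. It evaluates a packet against two candidate orderings and flags rules that an earlier, broader rule fully shadows, which is exactly the failure mode if the implicit allow lands above the deny.

```python
"""Added example (not from the forum thread or Zyxel): first-match policy model
showing why the position of a NAT-generated allow rule matters. All addresses,
rule names and ordering below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR, or "any"
    dst: str                     # destination CIDR, or "any"
    dport: Optional[int] = None  # None = any destination port

    @staticmethod
    def _net(cidr: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self._net(self.src)
                and ipaddress.ip_address(dst_ip) in self._net(self.dst)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` would match is already matched by self."""
        return (self._net(other.src).subnet_of(self._net(self.src))
                and self._net(other.dst).subnet_of(self._net(self.dst))
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules, src_ip, dst_ip, dport, default="deny"):
    """First-match evaluation: returns (action, name of the rule that fired)."""
    for r in rules:
        if r.matches(src_ip, dst_ip, dport):
            return r.action, r.name
    return default, "implicit-default"


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(earlier.covers(r) for earlier in rules[:i])]


# Constructed scenario: internal server and the two permitted remote subnets
# (RFC 5737 documentation ranges stand in for a.a.a.a/28 and b.b.b.b/24).
SERVER, PORT = "10.9.8.90", 5432
ALLOWED_SUBNETS = ["198.51.100.0/28", "192.0.2.0/24"]

nat_allow = Rule("nat-implicit-allow", "allow", "any", SERVER, PORT)
group_allow = [Rule(f"allow-G-{n}", "allow", n, SERVER, PORT) for n in ALLOWED_SUBNETS]
deny_rest = Rule("deny-other-sources", "deny", "any", SERVER, PORT)

# Two hypothetical placements of the NAT-generated allow rule.
POLICY_NAT_FIRST = [nat_allow, *group_allow, deny_rest]
POLICY_RESTRICT_FIRST = [*group_allow, deny_rest, nat_allow]


if __name__ == "__main__":
    outsider = "203.0.113.7"  # constructed: not in either permitted subnet
    for label, policy in (("NAT first", POLICY_NAT_FIRST),
                          ("restrict first", POLICY_RESTRICT_FIRST)):
        print(label, evaluate(policy, outsider, SERVER, PORT),
              "shadowed:", shadowed_rules(policy))
```

With the implicit allow at the top, every subnet rule and the final deny are shadowed and an outside source reaches the database port; with the restricting rules first, the outsider is denied and only the implicit allow is shadowed, which is harmless. The model is a tool for checking a proposed ordering, not a statement of where the USG Lite actually places its generated rule; that is the question still open in the thread.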