[NEBULA] Add extra external IP and map service

JorisK
JorisK Posts: 4  Freshman Member
First Comment First Anniversary
edited April 2021 in Nebula
Hi,

I configured a NSG100 with a static public IP, it connects to the internet, everything fine.

Is it possible for me to add three additional public IP's to the WAN1 interface? And, on top of that, map some ports on these 'extra' IPs to internal hosts?

Ex:
WAN1 IP: 1.1.1.1/29
WAN1 IP2: 1.1.1.2:80 to 192.168.1.10:80
WAN1 IP3: 1.1.1.3:443 to 192.168.1.20:443

Many thanks!

Regards,
J

Comments

  • Zyxel_Irene
    Zyxel_Irene Posts: 118  Zyxel Employee
    5 Answers First Comment Friend Collector First Anniversary
    Hi @JorisK
    Welcome to Nebula Forum! sunglasses
    I have seen you created a ticket regarding this question through our technical support channel, I will reply you through ticket. After the case is clarified I'll update once more here in the post


    Irene
  • Zyxel_Irene
    Zyxel_Irene Posts: 118  Zyxel Employee
    5 Answers First Comment Friend Collector First Anniversary
    Hi @JorisK

    I am glad to hear from you that it works on your side, and there is update for all Nebula users here!  :) 

    The requirement can be reached with the following setting,

     
    Have a great new year!  :3

  • blechkiste
    blechkiste Posts: 14  Freshman Member
    First Comment Friend Collector Third Anniversary
    Hi @Nebula_Irene

    I have been configuring my NSG this way, having 3 public IPs for my servers. Inbound access works fine but I am having the issue that for any outbound traffic, it does not use the public IP of the Virtual server but rather the public IP of the NSG.
    This causes issues with an email server where the MX record does not match the public IP of the mail server, hence outbound emails are considered spam and not delivered. I could help myself with an SPF record that included the public IP of the NSG. 

    Nonetheless, I was wondering how I could make it working without configuring 1-1 NAT, where this can be solved but at the price of having no security policies protecting my servers behind the NSG.

    Being an "ex USG" user, I must admit that the NSG is still very confusing for me. I am missing the possibilities of 1-1 NAT and firewall rules to restrict inbound traffic. Could it be that I do not understand how to setup my NSG properly? Is there any documentation with examples for above scenario? Appreciate your help.

    Regards
    Walter
  • Zyxel_Chris
    Zyxel_Chris Posts: 705  Zyxel Employee
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 50 Answers
    Hello @blechkiste
    Our virtual server current design does not support it but can use 1-1 NAT for the workaround, on the other hand you can still set the security policy to block the inbound traffic as your request, for instance to block the source IP 10.214.30.131 RDP to the 1-1 NAT server 192.168.25.33.
    Hope it can help.


    /Chris
  • blechkiste
    blechkiste Posts: 14  Freshman Member
    First Comment Friend Collector Third Anniversary
    edited June 2019
    Hi @Nebula_Chris

    thanks for your help. I've set it up and it works fine. 

    I've also figured out that you can add several destination addresses, separating them by a comma and also several ports into the same rule. This comes closer to the "objects" definitions with the USG.

    Nonethless, one thing that I do not understand is why for the above configuration, the GUI section of Security Policy refers to "Outbound rules", which they are not when I seem to configure inbound rules.
    For inbound rules, it states "Inbound traffic will be restricted to this service in NAT settings".
    This is the reason why I did not even consider using the security policies for my scenario.

    Is there any "reference" manual of the UI that explains every configuration in more details? Together with a couple of examples, this would be very useful for many users.

    Kind regards
    Walter
  • Zyxel_Chris
    Zyxel_Chris Posts: 705  Zyxel Employee
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 50 Answers
    Hi @blechkiste
    The NSG is the stateful firewall which means all traffic from WAN to LAN will be block, the application of inbound traffic rule is related to the NAT service in usual case. (That's why we put this note.)
    However, we still have the flexibility on this part if the user has the request to configure the inbound traffic rule, like this case.
    BTW, the 1-1 NAT and virtual server can edit the white list (allowed remote IP) which do not need to add the additional security policy if you need this feature. (Currently support syntax "," for specify and CIDR)


    /Chris

Nebula Tips & Tricks