[NEBULA] dmz to lan
How do we configure a simple DMZ zone and open some ports to a specific server on LAN1?
Could you provide an easy guide? We do this all the time in USG but are not sure what the correct way is in NSG.
Comments
-
Virtual Server can serve the purpose of port mapping to a specific server on LAN1 through WAN.
-
It is not LAN1 we want. We need a WAN to a DMZ zone.
-
Isn't DMZ just a LAN with a set of strict network policies?
So why not dedicate LAN2 as a DMZ and use firewall security policies to enforce your inbound rules?
If you need access to your web server from the Internet, then ITPro is right. Use Virtual Server under firewall settings.
Your Virtual Server entry would look something like this:
Uplink: WAN 1
Public IP: 39.5.1.1
Public Port: 55000
LAN IP: 172.16.1.100 (your web server IP)
Local Port: 443 (for HTTPS)
Allowed remote IP: any
Description: Web_service
So if you need to access your web server from the Internet, the URL needed would be "https://39.5.1.1:55000"
-
Which rule would you set up to restrict access from LAN2 to LAN1 for only port 1494?
That is the port the web server needs to talk to our internal Citrix server.
-
CrazyTacos said:
Isn't DMZ just a LAN with a set of strict network policies?
So why not dedicate LAN2 as a DMZ and use firewall security policies to enforce your inbound rules?
If you need access to your web server from the Internet, then ITPro is right. Use Virtual Server under firewall settings.
Your Virtual Server entry would look something like this:
Uplink: WAN 1
Public IP: 39.5.1.1
Public Port: 55000
LAN IP: 172.16.1.100 (your web server IP)
Local Port: 443 (for HTTPS)
Allowed remote IP: any
Description: Web_service
So if you need to access your web server from the Internet, the URL needed would be "https://39.5.1.1:55000"

If it is possible to use LAN2 as a DMZ, then set the outbound rule to restrict the traffic from LAN2 to LAN1 for protection. Virtual Server is still set from WAN to LAN. It may be a workaround to realize this on NSG.
-
Thanks to @CrazyTacos and @ITPro. It seems to be a similar way to realize DMZ on NSG at this stage.
However, I have raised a post for DMZ in the Idea section for @FrankIversen and anyone who needs DMZ on NSG. The link is here: https://businessforum.zyxel.com/discussion/992/dmz#latest You can hit Like to support it.
-
Hi all Nebula Users,
DMZ is a feature to create a public zone in your network so that you can put your public servers in that zone for public access. Its typical rule is to allow traffic from WAN and LAN, but disallow traffic from DMZ to LAN. Although currently you can't find "DMZ" in the NSG menu, you can still achieve it by combining customized Outbound rules and Virtual Server settings. The detailed information is below.
Demilitarized Zone / DMZ
The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death). These public servers can also still be accessed from the secure LAN.
By default,
- Traffic between the WAN and the DMZ is allowed (red line).
- Traffic from the LAN to the DMZ is allowed (green line).
- Traffic from the DMZ to the LAN is denied.
Internet users can have access to host servers on the DMZ but no access to the LAN, unless special filter rules allowing access were configured by the administrator or the user is an authorized remote user.
- Topology (figure not reproduced here)
What should we do on USG?
[ Steps to realize on USG: set up native DMZ ]
- Create Port Role as DMZ: go to Configuration > Network > Interface > Port Role, and then select port(s) as dmz(DMZ) and click Apply.
- Port mapping setting: go to Configuration > Network > NAT
How to realize DMZ on NSG?
DMZ is a native feature on USG, and because the firewall rules are set up well by default, there are only two steps that need to be configured. Although there is no native feature on NSG, we can dedicate a LAN/VLAN as a DMZ to realize it.
[ Steps to realize on NSG: set LAN/VLAN as a DMZ ]
Before Nebula Phase III, we can dedicate a LAN/VLAN as a DMZ.
- Create Port Role as DMZ: dedicate/create a LAN/VLAN as a DMZ. (We call it the DMZ LAN.)
- Set Outbound Rule: go to GATEWAY > Configure > Firewall > Outbound rules, and then deny the traffic from DMZ LAN to other LAN/VLAN(s).
- Port mapping setting: go to GATEWAY > Configure > Firewall > Virtual Server
Result: Traffic from DMZ LAN to other LAN/VLAN(s) is denied.
- Clients under LAN can ping the server located under DMZ LAN.
- The server located under DMZ LAN cannot ping clients under LAN.
After Nebula Phase III, we can dedicate a Guest zone as a DMZ.
- Create Port Role as DMZ: enable Guest zone for a LAN/VLAN.
- Port mapping setting: go to GATEWAY > Configure > Firewall > Virtual Server
By the way, Nebula Phase III will be coming soon, let’s look forward to it.
-
Nebula_Irene, it's my first post here and I am new to Nebula. What I want to accomplish is to isolate traffic on LAN2 port(s) from the main LAN1, like a DMZ, open only to the Internet. Under Port Group Settings I gave LAN2 its own IP scope. Under Firewall I added an Outbound Rule to deny any LAN1 to LAN2, creating a LAN2-DMZ, just like your item 2 (Outbound rule) above.
- in LAN1 the NSG100 = 192.168.20.1
- in LAN2 the NSG100 = 192.168.5.1
When pinging from this LAN2 (DMZ) to the LAN1, all IP addresses are being blocked, except the NSG100. In other words, I am on a device in the 192.168.5.0/24 range and I can reach 192.168.20.1 by opening the web portal and pinging it, while all the rest of the 192.168.20.0/24 scope is totally blocked. Why is the whole range blocked except 192.168.20.1?
Thanks,
Volker
-
Hello @Volker
Welcome to Nebula Community!
Since the security policy can allow/deny the traffic between different interface subnets, except the traffic to the device itself, that's why the device still responds to the ping and web portal request.
If you don't want the device to respond to the ping, you can enable the guest zone on LAN2 at interface addressing, and have a security policy to deny the traffic from LAN1 to LAN2; then the device would not answer the ping request.
However, at the current stage we cannot restrict the device from responding to the web portal request; there is a little limitation on it due to the captive portal.
Hope it helps you!
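The policy this thread converges on (LAN2 dedicated as the DMZ LAN, an Outbound rule denying DMZ LAN to LAN1 with a narrow exception for tcp/1494, the Virtual Server mapping for the web server, and to-device traffic that outbound rules do not cover, as in Volker's ping question) modelled as a small first-match policy evaluator that you can run against intended flows before touching the NSG. This is an added example written for this page, not code from Zyxel or from the forum; the LAN2 subnet 172.16.1.0/24, the gateway address 172.16.1.1 and the Citrix address 192.168.20.50 are constructed.

```python
import ipaddress

# Constructed topology modelled on this thread: LAN1 is the trusted network,
# LAN2 is dedicated as the "DMZ LAN", and any other address is treated as WAN.
ZONES = {
    "LAN1": ipaddress.ip_network("192.168.20.0/24"),
    "LAN2": ipaddress.ip_network("172.16.1.0/24"),
}
DEVICE_IPS = {"192.168.20.1", "172.16.1.1"}  # the gateway's own interface addresses (constructed)
# Virtual Server entries: (public IP, public port) -> (LAN IP, local port), as in the thread.
VIRTUAL_SERVERS = {("39.5.1.1", 55000): ("172.16.1.100", 443)}
# Outbound rules, evaluated top-down, first match wins (None = any).
# Rule 1 is the narrow LAN2->LAN1 exception asked about (tcp/1494 to a constructed Citrix address);
# rule 2 is the generic "deny DMZ LAN to other LAN/VLAN(s)" rule from the steps above.
OUTBOUND_RULES = [
    ("LAN2", "LAN1", "192.168.20.50", 1494, "allow"),
    ("LAN2", "LAN1", None, None, "deny"),
]

def zone_of(ip):
    """Map an address to LAN1/LAN2, or WAN when it is in neither subnet."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "WAN")

def evaluate(src_ip, dst_ip, dst_port):
    """Verdict for one TCP flow: Virtual Server NAT, then WAN check, to-device, outbound rules."""
    # 1. A matching Virtual Server entry rewrites the destination before any policy lookup.
    mapped = VIRTUAL_SERVERS.get((dst_ip, dst_port))
    if mapped:
        dst_ip, dst_port = mapped
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    # 2. Nothing from the Internet reaches an internal zone unless a Virtual Server mapped it.
    if src_zone == "WAN":
        return f"allow (virtual server -> {dst_ip}:{dst_port})" if mapped else "deny (no virtual server)"
    # 3. Traffic to the gateway itself is not covered by inter-subnet outbound rules,
    #    which is why a DMZ host can still ping the NSG's LAN1 address.
    if dst_ip in DEVICE_IPS:
        return "allow (to-device, not subject to outbound rules)"
    # 4. Ordered outbound rules; anything between internal zones with no match is allowed.
    for r_src, r_dst, r_ip, r_port, action in OUTBOUND_RULES:
        if (r_src, r_dst) == (src_zone, dst_zone) and r_ip in (None, dst_ip) and r_port in (None, dst_port):
            return action
    return "allow"

if __name__ == "__main__":
    for flow in [("203.0.113.7", "39.5.1.1", 55000), ("192.168.20.10", "172.16.1.100", 443),
                 ("172.16.1.100", "192.168.20.10", 443), ("172.16.1.100", "192.168.20.50", 1494),
                 ("172.16.1.100", "192.168.20.1", 443)]:
        print(flow, "->", evaluate(*flow))
```

Swap in your own subnets, device addresses and rule order to check that the deny rule is still reached for everything except the one flow you meant to allow.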