[NEBULA] dmz to lan

FrankIversen
FrankIversen Posts: 92  Ally Member
edited April 14 in Nebula
Hi.
How do we configure a simple dmz-sone and open some ports in to a specific server on Lan1?
Could you provide an easy guide? Are doing this all time in USG but not sure what is the correct way in nsg.

Comments

  • ITPro
    ITPro Posts: 11  Freshman Member

    Virtual Server can be reached the puepose of port mapping to a specific server on LAN1 through WAN.

    Enter you signature
  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    it is not lan1 we want to. We need a Wan to a DMZ sone.
  • CrazyTacos
    CrazyTacos Posts: 53  Ally Member
    Isn't DMZ just a LAN with a set of strict network policies?
    So why not dedicate LAN2 as a DMZ and use firewall security policies to enfocre your inbound rules?
    If you need access to your web server from the Internet, then ITPro is right. Use Virtual Server under firewall settings.
    Your Virtual server entry would look something like this:
      Uplink:   WAN 1
      Public IP: 39.5.1.1
      Public Port: 55000 
      LAN IP:  172.16.1.100   (your web server IP)
      Local Port: 443   (for HTTPS) 
      Allowed remote IP: any
      Description: Web_service

    So if you need to access your Web server from the Internet, the URL needed would be "https://39.5.1.1:55000"
  • FrankIversen
    FrankIversen Posts: 92  Ally Member
    which rule would you setup to restrict access from lan2 to lan1 for only port 1494?
    that is the port the webserver needs to talk to our internal citrixserver.
  • ITPro
    ITPro Posts: 11  Freshman Member
    edited January 2018
    Isn't DMZ just a LAN with a set of strict network policies?
    So why not dedicate LAN2 as a DMZ and use firewall security policies to enfocre your inbound rules?
    If you need access to your web server from the Internet, then ITPro is right. Use Virtual Server under firewall settings.
    Your Virtual server entry would look something like this:
      Uplink:   WAN 1
      Public IP: 39.5.1.1
      Public Port: 55000 
      LAN IP:  172.16.1.100   (your web server IP)
      Local Port: 443   (for HTTPS) 
      Allowed remote IP: any
      Description: Web_service

    So if you need to access your Web server from the Internet, the URL needed would be "https://39.5.1.1:55000"

    If it is possible to be LAN2 as DMZ, then set the outbound rule to restrict the traffic from LAN2 to LAN1 to protect with. Virtual server is still set from WAN to LAN. it may be a workaround to realize on NSG.

    Enter you signature
  • Zyxel_Irene
    Zyxel_Irene Posts: 132  Zyxel Employee
    edited February 2018
    Thanks for @CrazyTacos and @ITPro. It seems to be a similar way to realize DMZ on NSG at this stage. 
    However, I have raise a post for DMZ in the Idea section for @FrankIversen and someone who need DMZ on NSG. Link is here, https://businessforum.zyxel.com/discussion/992/dmz#latest   you can hit Like :+1: to support.
  • Volker
    Volker Posts: 7

    Nebula_Irene,
    Its my first post here and I am new to Nebula. What I want to accomplish is to issulate traffic on LAN2 port(s) from main LAN1. Like a DMZ, open only to the internet.
    Under Port Group Settings I gave LAN2 its own IP Scope
    Under Firewall I added Outbound Rule to denid any LAN1 to LAN2, creating a LAN2-DMZ, just like your item 2. Outbound rule above. 
    • in LAN1 the NSG100 = 192.168.20.1
    • in LAN2 the NSG100 = 192.168.5.1
    When pinging from this LAN2 (DMZ) to the LAN1 all IP addresses are beeing blocked, except the NSG100. In other words I am on a device in the 192.168.5.0/24 range and I can reach 192.168.20.1 by opening the web portal and pinging it, while all the rest of the 192.168.20.0/24 scope is totally blocked. Why is the whole range blocked except 192.168.20.1 ?

    Thanks,
    Volker






  • Zyxel_Chris
    Zyxel_Chris Posts: 398  Zyxel Employee
    Hello @Volker :)
    Welcome to Nebula Community!
    Since the security policy can allow/deny the traffic between the different interface subnet, except the traffic to the device itself, that's why the device still respond the ping and web portal request.
    If you don't want the device respond the ping, you can enable the guest zone on LAN2 at interface addressing, and have security policy to deny the traffic from LAN1 to LAN2, then device would not answer the ping request.
    However in current stage, we cannot restrict device to respond the web portal request, got the little limitation on it since the captive portal.
    Hope it can helps you!
    Chris
Sign In to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click on this button!