how to create a DMZ on USG FLEX on Nebula
Ciao, sorry in advance for my bad English.
Which is the correct way to create a DMZ LAN on USG Flex on Nebula? I've tried to follow this guide but it doesn't work... I'm sure I'm doing something wrong but I can't find a correspondence of the menus.
As in the image, I need to have a DMZ on port4 192.168.99.0/24 that can only go to the internet and can't see the LAN on port3 192.168.94.0/24.
Thanks in advance
0
All Replies
-
Hi @alberico,
Welcome to Zyxel Community!
From your description, I assume you are looking for the configuration page to set up a guest interface for LAN interface 192.168.99.0/24.
You may go to USG FLEX > Configure > Interface and toggle on the Guest button.
For example screenshot:
After saving and the configuration status is up to date, the clients under 192.168.99.0/24 should be able to go to the Internet but can't communicate with 192.168.94.0/24.
Hope it helps.
0 -
Ciao Jason, thanks for the reply... I've already tried this but it doesn't work... If I ping from 192.168.94.16 > 192.168.99.100 it works and that is OK, but it also works from 192.168.99.100 > 192.168.94.16: there is a reply, so does that mean that "guest" is not applied in the right way, or do I need to do something else?
0
-
Ciao @Zyxel_Jason, do you have any suggestion?
0 -
Hi @albe,
I have tried to reproduce your symptom in my local test, but I don't see the same symptom.
Could you help to enable Zyxel Support on the Help > Support request page and share your organization/site name, so we can access your site to check?
Thanks.
Jason
See how you've made an impact in Zyxel Community this year!
https://bit.ly/Your2024Moments_Community
0 -
0
-
I'm sorry, but now it works; I've changed a rule. The Zyxel Support is still active if you want to see if it's all okay... Thank you in anticipation.
1 -
Hey, thanks for the solution. I got the same initial problem...
So what exactly does turning on Guest on an interface do? Just limit to Device and allow "Internet", whatever that means? Also, why is there no way to just reference the WAN "ZONE"?
But most importantly, why isn't the implicit deny rule working? There is no rule to be found that states Guest_10.0.200.1 may access e.g. Home_10.0.100.1 or Any?
It is just confusing.
Not being able to change those implicit rules is one thing, but that they supposedly don't do what they should is basically a vulnerability for the network, especially for people without advanced knowledge about networking, for whom Nebula is supposed to be!
@Zyxel_Stanley
I would appreciate your help on finding the root of this problem, because I don't feel comfortable with the current situation.
Kind regards
Felix Schneider
0 -
Hi @FelixSchneider
In the default "Guest" interface, it only allows guests to access the Internet and also some (DNS/HTTP/HTTPS) of the built-in services. It doesn't allow guests to access other intranets.
In the default setting, the policy control rule doesn't allow traffic from the Internet to the Intranet.
Also, it doesn't support "WAN zone" as an incoming object, but "Any" should be enough to be "non-Intranet IP addresses".
Your question:
There is no rule for "Guest_10.0.200.1" may access "Home_10.0.100.1"?
Implicit rule allows "From: 10.0.100.0/24, To: Any"
-> It allows traffic from the Home subnet to any Intranet, Device and Internet.
Implicit rule allows "From: 10.0.200.0/24, To: Internet"
-> It allows traffic from the Guest subnet to the Internet, but doesn't allow access to other Intranet subnets.
The policy control function detects the traffic by "initializing direction".
If the traffic comes from the Home subnet, it can still get a reply from the Guest subnet.
If the traffic comes from the Guest subnet, it is unable to get a reply from the Home subnet.
0 -
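The "initiating direction" behaviour described in the reply above, as a simplified model added here for illustration; it is not Zyxel's code. Assumptions: sessions are tracked by address pair only, the Device/built-in services are left out, and 203.0.113.10 is a constructed Internet address.

```python
import ipaddress

# Subnets quoted in the thread; everything else here is a hypothetical model.
HOME = ipaddress.ip_network("10.0.100.0/24")
GUEST = ipaddress.ip_network("10.0.200.0/24")
INTRANET = [HOME, GUEST]

# The two implicit allow rules quoted in the reply: (source subnet, destination).
IMPLICIT_RULES = [(HOME, "any"), (GUEST, "internet")]


def is_intranet(ip):
    """True if the address belongs to one of the site's internal subnets."""
    return any(ip in net for net in INTRANET)


class PolicyModel:
    """Stateful policy check: rules apply to the packet that opens a session."""

    def __init__(self):
        self.sessions = set()  # (initiator, responder) pairs already permitted

    def permit(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # A packet answering an existing session is allowed without a rule
        # lookup, which is why Home -> Guest pings get replies.
        if (d, s) in self.sessions:
            return "reply"
        for net, dest in IMPLICIT_RULES:
            if s in net and (dest == "any" or not is_intranet(d)):
                self.sessions.add((s, d))
                return "new"
        return "deny"  # implicit deny for anything no rule allowed


def isolation_check(guest_host, home_host):
    """Expected result of the only meaningful isolation test:
    a session opened from the Guest side on a firewall with no prior state."""
    return PolicyModel().permit(guest_host, home_host)


if __name__ == "__main__":
    fw = PolicyModel()
    print("Home  -> Guest:", fw.permit("10.0.100.16", "10.0.200.100"))
    print("Guest -> Home (answer):", fw.permit("10.0.200.100", "10.0.100.16"))
    print("Guest -> Home (fresh):", isolation_check("10.0.200.100", "10.0.100.16"))
```

When verifying isolation on a real site, the test has to be initiated from a Guest client; a reply to a ping that Home started says nothing about whether the Guest restriction is applied.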
Hi, @Zyxel_Stanley
the last part is exactly the problem: without any extra rules and with the Guest toggle enabled, clients on Guest can access Home.
I had to deny the access explicitly.
Is this a bug?
0 -
Hi @FelixSchneider
You may enable the "Support request" function for us, then we can further check the current status on your device. (Help > Support request > enable Zyxel Support Access)
Also, provide your Organization and Site name by private message to me.
0