how to create a DMZ on USG FLEX on Nebula

alberico
alberico Posts: 1
Ciao, sorry in advance for my bad English.

Which is the correct way to create a DMZ LAN on USG Flex on Nebula? I've tried to follow this guide but it doesn't work... I'm sure I'm doing something wrong but I can't find a correspondence in the menus.


As in the image, I need to have a DMZ on port4 (192.168.99.0/24) that can only go to the Internet and can't see the LAN on port3 (192.168.94.0/24).

Thanks in advance :)


All Replies

  • Zyxel_Jason
    Zyxel_Jason Posts: 394  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @alberico,

    Welcome to Zyxel Community!

    From your description, I assume you are looking for the configuration page to set up a guest interface for the LAN interface 192.168.99.0/24.

    You may go to USG FLEX > Configure > Interface and toggle on the Guest button.
    Example screenshot:

    After saving, once the configuration status is up to date, the clients under 192.168.99.0/24 should be able to go to the Internet but can't communicate with 192.168.94.0/24.

    Hope it helps.
    Jason
  • Ciao Jason,
    thanks for the reply...

    I've already tried this but it doesn't work...

    If I ping from 192.168.94.16 > 192.168.99.100 it works, and that is OK, but it also works from 192.168.99.100 > 192.168.94.16: there is a reply. Does that mean that "guest" is not applied in the right way, or do I need to do something else?

  • Ciao @Zyxel_Jason, do you have any suggestion?
  • Zyxel_Jason
    Zyxel_Jason Posts: 394  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @albe,

    I have tried to reproduce your symptom in my local test, but I don't see the same symptom.
    Could you help by enabling Zyxel Support at the Help > Support request page and sharing your organization/site name, so we can access your site to check?


    Thanks.
    Jason

  • PENTASOFT SRL

    Zyxel Support enabled...

    Thank you in anticipation


  • pentasoft_albe
    pentasoft_albe Posts: 9
    First Anniversary Friend Collector
    edited July 2021

    I'm sorry but now it works, I've changed a rule.



    Zyxel Support is still active if you want to check that it's all okay...

    Thank you in anticipation

  • FelixSchneider
    FelixSchneider Posts: 49  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited September 2022
    Hey, thanks for the solution. I got the same initial problem...

    So what exactly does turning on Guest on an interface do? Just limit to Device and allow "Internet", whatever that means? Also, why is there no way to just reference the WAN "ZONE"?

    But most importantly, why isn't the implicit deny rule working? There is no rule to be found that states Guest_10.0.200.1 may access e.g. Home_10.0.100.1 or Any?

    It is just confusing.
    Not being able to change those implicit rules is one thing, but that they supposedly don't do what they should is basically a vulnerability for the network, especially for people without advanced knowledge about networking, for whom Nebula is supposed to be!

    @Zyxel_Stanley

    I would appreciate your help in finding the root of this problem, because I don't feel comfortable with the current situation.

    Kind regards
    Felix Schneider 
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @FelixSchneider
    In the default "Guest" interface, it only allows guests to access the Internet and also some built-in services (DNS/HTTP/HTTPS). It doesn't allow guests to access other intranets.

    In the default setting, the policy control rule doesn't allow traffic from the Internet to the Intranet.
    Also, it doesn't support "WAN zone" as an incoming object, but "Any" should be enough to mean "non-Intranet IP addresses".

    Your question:
    There is no rule for "Guest_10.0.200.1" may access "Home_10.0.100.1"?
    Implicit rule allow "From: 10.0.100.0/24, To: Any"
    -> It allows traffic from the Home subnet to any Intranet, Device and Internet.
    Implicit rule allow "From: 10.0.200.0/24, To: Internet"
    -> It allows traffic from the Guest subnet to the Internet, but doesn't allow access to other Intranet subnets.

    The policy control function evaluates the traffic by its "initiating direction".
    If the traffic comes from the Home subnet, it can still get a reply from the Guest subnet.
    If the traffic comes from the Guest subnet, it is unable to get a reply from the Home subnet.
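    An added example, not Zyxel's code, that models the behaviour described in this reply: the two implicit rules Stanley quotes, an implicit deny after them, and a stateful check by initiating direction. The "Internet" address used is constructed; the two subnets are the ones from the thread.

```python
from ipaddress import ip_network, ip_address

# Subnets quoted in the thread: Home 10.0.100.0/24, Guest 10.0.200.0/24.
HOME = ip_network("10.0.100.0/24")
GUEST = ip_network("10.0.200.0/24")
INTRANET = [HOME, GUEST]  # every local subnet; "Intranet" in Zyxel's wording

# Implicit rules as described: (source subnet, destination object).
IMPLICIT_RULES = [
    (HOME, "Any"),        # Home may initiate to Intranet, Device and Internet
    (GUEST, "Internet"),  # Guest may initiate only to non-Intranet addresses
]

def is_intranet(ip):
    return any(ip_address(ip) in net for net in INTRANET)

def dest_matches(obj, dst):
    if obj == "Any":
        return True
    if obj == "Internet":
        return not is_intranet(dst)   # "Internet" = non-Intranet addresses
    raise ValueError(f"unknown destination object {obj!r}")

def initiation_allowed(src, dst):
    """True if a NEW flow src->dst matches an implicit allow rule."""
    for src_net, dst_obj in IMPLICIT_RULES:
        if ip_address(src) in src_net and dest_matches(dst_obj, dst):
            return True
    return False  # implicit deny at the end of the policy

class StatefulPolicy:
    """Decisions depend on who initiated: replies to an allowed flow pass."""
    def __init__(self):
        self.sessions = set()  # (initiator, responder) of allowed flows

    def packet(self, src, dst):
        if (dst, src) in self.sessions:   # reply to an established flow
            return "allow (reply)"
        if initiation_allowed(src, dst):
            self.sessions.add((src, dst))
            return "allow (new)"
        return "deny"

def ping_test(policy, a, b):
    """Echo request a->b then echo reply b->a; True only if both pass."""
    if policy.packet(a, b) == "deny":
        return False
    return policy.packet(b, a) != "deny"
```

    The model keeps no session timeout and tracks flows only by address pair, so test each direction with a fresh StatefulPolicy, as a real ping test from each subnet would.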
  • FelixSchneider
    FelixSchneider Posts: 49  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Hi, @Zyxel_Stanley
    the last part is exactly the problem: without any extra rules and with the Guest toggle enabled, clients on Guest can access Home.
    I had to deny the access explicitly.
    Is this a bug?
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @FelixSchneider
    You may enable the "Support request" function for us, then we can further check the current status on your device. (Help > Support request > enable Zyxel Support Access)
    Also, please provide your Organization and Site name to me by private message.
