[NEBULA] Best Practice for NSG behind router
Options
flottmedia
Posts: 56 
Ally Member
Ally Member
On one of our sites we currently have a configuration like
internet <-> external router (192.168.2.1/24) <-> NSG100 (WAN:DHCP-Client on external router, LAN1 192.168.10.1/24) <-> NSW (DHCP-Client on LAN1 of NSG) <-> NAP
The additional router is responsible for the internet uplink and acts as voip gateway. It has a static route over the reserved DHCP address of the NSG to 192.168.10.0/24. Furthermore there are a few more systems in subnet 192.168.2.0/24 that need to be accessible from clients on the NAP WiFi and vice versa. Unfortunatelay we could not find any firewall options / routing policies in Nebula to allow access from WAN-Subnet IPs in 192.168.2.0/24 to LAN1 IPs in 192.168.10.0/24, neither in NAT mode, nor in Router mode of the NSG.
So, what would be the best practice to set up this setting?
internet <-> external router (192.168.2.1/24) <-> NSG100 (WAN:DHCP-Client on external router, LAN1 192.168.10.1/24) <-> NSW (DHCP-Client on LAN1 of NSG) <-> NAP
The additional router is responsible for the internet uplink and acts as voip gateway. It has a static route over the reserved DHCP address of the NSG to 192.168.10.0/24. Furthermore there are a few more systems in subnet 192.168.2.0/24 that need to be accessible from clients on the NAP WiFi and vice versa. Unfortunatelay we could not find any firewall options / routing policies in Nebula to allow access from WAN-Subnet IPs in 192.168.2.0/24 to LAN1 IPs in 192.168.10.0/24, neither in NAT mode, nor in Router mode of the NSG.
So, what would be the best practice to set up this setting?
0
All Replies
-
From your description, it seems your topology is simple and there should be no issue when you set all things up.
What actual problem do you encounter?0 -
Thanks for your reply!From your description, it seems your topology is simple and there should be no issue when you set all things up.That's also what we assumed ...
What actual problem do you encounter?We couldn' find a way to set up firewall rules allowing incoming traffic to subnet 192.168.10.0/24 on LAN1 from subnet 192.168.2.0/24 on WAN1 - the other way works (of course). What we need would be a bi-directional routing between those two subnets over the NSG, but there doesn't seem to be an option for configuring that in nebula ...?0 -
Did you configure the static route on the uplink router?
I think the packet routing from 192.168.2.0/24 to 192.168.10.0/24 should need static route.0 -
Sure. There isn't any issue with requests coming from 10.0/24 and going to the Internet. As answers from Internet > external Router > NSG > NSW > NAP > Client work fine, I assume the static route in the uplink router does its job. It's simply that there isn't any place in NCC where we can set a firewall rule allowing all packets from 2.0/24 on WAN1 of the NSG to pass to 10.0/24 on LAN1. Because of that e.g. the NSW web interface behind the NSG is not reachable from a client in 2.0/24.
As far as I can see (and as you mentioned above) this setting should be a really simple configuration option for EVERY router, right? Or are we too stupid to find it, @Nebula_Dean, @Nebula_Bayardo, @Nebula_CSO, @Nebula_Irene, @Nebula_Chris?
0 -
It's looks like you need setup the virtual server then can access from WAN to LAN's NSW web GUI.Assume you are using NAT mode and the initioator from WAN to LAN, LAN IP assign the NSW IP.You can find it in Gateway>fiewall>NAT
0 -
Thanks for the reply, @ivers! We (of course) tried that before this post. Unfortunately neither the 1:1 NAT, nor the Virtual Server settings seem to allow "any" IPs or whole subnets with all ports as mappings. We simply need all traffic (including e.g. pings over ICMP) to pass from 192.168.2.0/24 on WAN1 to 192.168.10.0/24 on LAN1 while traffic from the Internet originating from the external router (= all other non internal subnets / addresses) is still blocked / filtered for 192.168.10.0/24.
Nevertheless, we hopefully found a solution: Till now, we were always looking for a way to set a kind of "inbound rules", but as it seems the NSG needs an "outbound rule" allowing traffic from 192.168.2.0/24 to 192.168.10.0/24 on "any" port to enable the routing described above. Maybe then the respective inbound rule is set somehow automatically in NCC?
Although our issue seems to be solved for the moment, we would be quite happe if someone from Zyxel could finally give a statement here, if this way REALLY is the "best practive" for the described scenario (e.g. @Zyxel_Charlie, @Zyxel_Stanley, @Zyxel_Emily, @Zyxel_Cooldia, @Zyxel_Jason) ...
0 -
Please correct me if I'm wrong, you just need to allow the internal subnet from WAN to access LAN and you also need the service which incloud ICMP, if it is the case then 1:1 NAT may fit you.You can specify the paticular IP on "allowed remote IP" in your case is 192.168.2.0/24BTW, you mentioned that virtual server allow any ports as mapping which is not possible, may I know have you upgrade the NSG firmware to the latest version?/Chris
0 -
Hi,
I think to allow to add inbound firewall rules is better to fit for pure routing scenario.
Hope this could be consider in the further release.
0 -
Thanks for the replay, @Nebula_Chris. What we want, is a simple routing of the subnets 192.168.2.0/24 on WAN1 and 192.168.10.0/24 on LAN1 (and only those two subnets) without any firewall interference.
As far as I can see, 1:1 NAT (as the name already says) only alows the mapping of one public IP to one private IP. At least we weren't able to use something like 192.168.2.0/24 as Public or LAN IP.BTW, you mentioned that virtual server allow any ports as mapping which is not possible, may I know have you upgrade the NSG firmware to the latest version?Where exactly did you get that from? Anyhow, the firmware of all devices is up to date, and I can confirm that "Public port" and "Local port" don't (!) allow "any". Furthermore the LAN IP doesn't allow something like 192.168.10.0/24.
So, my question again: is using the "Outbound rules" with
Allow - Any - 192.168.2.0/24 - 192.168.10.0/24 - any - Always
really (!) the best practice for our scenario?
If so, I would agree with @lan31, that the currently somehow automatic generated Inbound rules in NCC would be much more intuitive to set. Especially the note "Inbound traffic will be restricted to this service in NAT settings" instead of configurable Inbound rules is not very helpful for the described scenario ...0 -
I think the answer is yes! Basically what you need is to open the WAN to LAN networks access which by default should be normally blocked.flottmedia said:
So, my question again: is using the "Outbound rules" with
Allow - Any - 192.168.2.0/24 - 192.168.10.0/24 - any - Always
really (!) the best practice for our scenario?
192.168.2.0/24 and 192.168.10.0/24 are both part of the device so that's why you use outbound rules. Inbound rules will have to be used for internet or networks not configured in the device.
I guess the external router is doing NAT already, if so I would use "Router" mode on the NSG."You will never walk along"0
Freshman Member
Zyxel Employee
Master Member
Categories
- All Categories
- 435 Beta Program
- 2.7K Nebula
- 176 Nebula Ideas
- 118 Nebula Status and Incidents
- 6.1K Security
- 428 USG FLEX H Series
- 298 Security Ideas
- 1.6K Switch
- 79 Switch Ideas
- 1.2K Wireless
- 44 Wireless Ideas
- 6.7K Consumer Product
- 274 Service & License
- 422 News and Release
- 88 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 89 Security Highlight
