[NEBULA] Best Practice for NSG behind router

On one of our sites we currently have a configuration like
internet <-> external router (192.168.2.1/24) <-> NSG100 (WAN:DHCP-Client on external router, LAN1 192.168.10.1/24) <-> NSW (DHCP-Client on LAN1 of NSG) <-> NAP
The additional router is responsible for the internet uplink and acts as VoIP gateway. It has a static route over the reserved DHCP address of the NSG to 192.168.10.0/24. Furthermore there are a few more systems in subnet 192.168.2.0/24 that need to be accessible from clients on the NAP WiFi and vice versa. Unfortunately we could not find any firewall options / routing policies in Nebula to allow access from WAN-subnet IPs in 192.168.2.0/24 to LAN1 IPs in 192.168.10.0/24, neither in NAT mode, nor in Router mode of the NSG.
So, what would be the best practice to set up this setting?
All Replies
What actual problem do you encounter?
I think the packet routing from 192.168.2.0/24 to 192.168.10.0/24 should need a static route.
As far as I can see (and as you mentioned above) this setting should be a really simple configuration option for EVERY router, right? Or are we too stupid to find it, @Nebula_Dean, @Nebula_Bayardo, @Nebula_CSO, @Nebula_Irene, @Nebula_Chris?
Nevertheless, we hopefully found a solution: Till now, we were always looking for a way to set a kind of "inbound rules", but as it seems the NSG needs an "outbound rule" allowing traffic from 192.168.2.0/24 to 192.168.10.0/24 on "any" port to enable the routing described above. Maybe then the respective inbound rule is set somehow automatically in NCC?
Although our issue seems to be solved for the moment, we would be quite happy if someone from Zyxel could finally give a statement here, if this way REALLY is the "best practice" for the described scenario (e.g. @Zyxel_Charlie, @Zyxel_Stanley, @Zyxel_Emily, @Zyxel_Cooldia, @Zyxel_Jason) ...
Chris
I think allowing inbound firewall rules to be added would be a better fit for a pure routing scenario.
I hope this could be considered in a future release.
As far as I can see, 1:1 NAT (as the name already says) only allows the mapping of one public IP to one private IP. At least we weren't able to use something like 192.168.2.0/24 as Public or LAN IP.
So, my question again: is using the "Outbound rules" with
Allow - Any - 192.168.2.0/24 - 192.168.10.0/24 - any - Always
really (!) the best practice for our scenario?
If so, I would agree with @lan31, that the currently somehow automatic generated Inbound rules in NCC would be much more intuitive to set. Especially the note "Inbound traffic will be restricted to this service in NAT settings" instead of configurable Inbound rules is not very helpful for the described scenario ...
192.168.2.0/24 and 192.168.10.0/24 are both part of the device, so that's why you use outbound rules. Inbound rules will have to be used for the internet or networks not configured in the device.
I guess the external router is doing NAT already, if so I would use "Router" mode on the NSG.
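A small model of the distinction drawn in the last reply, added here as an example (it is not Zyxel's code and does not reproduce the NSG's real rule engine): flows between two subnets the NSG itself owns are matched against the outbound table, flows arriving from an address the NSG does not own against the inbound table. It also sanity-checks the static route the external router needs. Assumptions of this model: the NSG WAN reservation is 192.168.2.10 (constructed), rules are evaluated first-match, and unmatched flows are denied.

```python
import ipaddress
from dataclasses import dataclass

# Topology from the thread (addresses as given in the posts).
ROUTER_LAN = ipaddress.ip_network("192.168.2.0/24")   # external router side, NSG WAN
NSG_LAN1 = ipaddress.ip_network("192.168.10.0/24")    # NSG LAN1
NSG_WAN_IP = ipaddress.ip_address("192.168.2.10")     # constructed: DHCP reservation for the NSG WAN
DEVICE_SUBNETS = (ROUTER_LAN, NSG_LAN1)


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    protocol: str    # "any", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: str    # "any" or a port number as text, as in the NCC rule line


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str = "tcp"
    dst_port: int = 0


def static_route_ok(dest, next_hop, connected):
    """Sanity check for the external router's static route: the next hop must be
    directly reachable (inside a connected subnet) and the destination must not
    overlap that connected subnet, or the router would never forward via it."""
    dest = ipaddress.ip_network(dest)
    next_hop = ipaddress.ip_address(next_hop)
    connected = ipaddress.ip_network(connected)
    return next_hop in connected and not dest.overlaps(connected)


def rule_table_for(flow):
    """Which table applies (assumed model of the reply above): a flow between two
    subnets the NSG owns is matched by outbound rules; a flow from an address the
    NSG does not own (e.g. the internet) is matched by inbound rules."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if any(src in n for n in DEVICE_SUBNETS) and any(dst in n for n in DEVICE_SUBNETS):
        return "outbound"
    return "inbound"


def evaluate(rules, flow, default="deny"):
    """First-match evaluation of a rule list; unmatched flows get the default.
    Default deny is an assumption of this model, not a statement about the NSG."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for r in rules:
        if r.protocol != "any" and r.protocol != flow.protocol:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dst_port != "any" and int(r.dst_port) != flow.dst_port:
            continue
        return r.action
    return default


# The outbound rule the thread ended up with:
# Allow - Any - 192.168.2.0/24 - 192.168.10.0/24 - any - Always
THREAD_RULE = Rule("allow", "any", ROUTER_LAN, NSG_LAN1, "any")
# Narrower alternative (constructed): only TCP/445 from one host in the router subnet.
NARROW_RULE = Rule("allow", "tcp", ipaddress.ip_network("192.168.2.50/32"), NSG_LAN1, "445")


if __name__ == "__main__":
    print("static route usable:", static_route_ok(NSG_LAN1, NSG_WAN_IP, ROUTER_LAN))
    f = Flow("192.168.2.50", "192.168.10.20", "tcp", 445)
    print(rule_table_for(f), evaluate([THREAD_RULE], f), evaluate([NARROW_RULE], f))
```

Running the script shows the flow from 192.168.2.50 to 192.168.10.20 landing in the outbound table and being allowed by the thread's rule; swapping in NARROW_RULE keeps the same host reachable while any other 192.168.2.x source or another port falls to the default. The static-route check fails if the next hop is placed inside 192.168.10.0/24 instead of the router's own subnet, which is the misconfiguration to look for when the route exists but nothing is forwarded.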