How to customize the Nebula default security policy?
I've got a USGFLEX 200 connected on 2 different SP's
When I look at the default security, all LAN-interfaces are allowed on both WANs, by default.
I'd like to edit the default security policy imposed by Nebula, in such a way that I will choose which LAN Interface is allowed on each WAN.
Your assistance is much appreciated.
Accepted Solution
Hi @Papa_DIOP,
It appears that some policy route rules are missing, because the result doesn't align with your requirements. Could you list the path you want and allow me to provide the recommended configuration? Or you can reference the below to configure:
Below comments are my reply to your questions:
I have setup a policy-route to redirect each interface to the desired WAN. However, the security-policy takes over.
The security policy won't disrupt the policy route rule since they are different features.
Because of the default implicit rules in the security policy, Internet traffic is load-balanced between the two WANs, which creates instabilities over all networks.
The policy route has a higher priority than WAN Load Balancing. Therefore, the traffic should be fine. Won't be disrupted by the WAN Load Balancing.
Isn't it just possible to make the default security policy editable? Why would Nebula not be flexible to that effect?
The default security policy, like the screenshot below, is for normal users.
If you need some specific rules, you can configure your own security policy rules. The firewall will check these rules first. Priority: Policy 1 > Policy 2 > … > Implicit allow rules > Implicit deny rule
Zyxel Melen
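The accepted answer describes two separate mechanisms: the policy route picks the egress WAN, and the security policy is evaluated first-match with explicit rules ahead of the implicit allow and implicit deny. The following Python model is an added illustration of that evaluation order, not Nebula's or Zyxel's code. It assumes each WAN is its own zone (WAN1, WAN2), a LAN zone named VLAN110 for the service-provider subnet, and a single /24 covering the 192.168.110.0 networks from the thread; all rule names and the load-balancing fallback are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed zone layout (an assumption: the thread notes WAN2 may sit in a
# different zone than WAN1 on this model).
LAN_ZONES = frozenset({"LAN1", "VLAN110"})
WAN_ZONES = frozenset({"WAN1", "WAN2"})
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: Optional[frozenset]   # None means "any" zone
    to_zones: Optional[frozenset]     # None means "any" zone
    src: ipaddress.IPv4Network        # source subnet the rule applies to
    action: str                       # "allow" or "deny"

    def matches(self, from_zone: str, to_zone: str,
                src_ip: ipaddress.IPv4Address) -> bool:
        return ((self.from_zones is None or from_zone in self.from_zones)
                and (self.to_zones is None or to_zone in self.to_zones)
                and src_ip in self.src)


# Implicit rules are always evaluated last: LAN-to-WAN is allowed, anything
# else is denied.  This mirrors the order given in the reply above.
IMPLICIT_RULES = [
    Rule("implicit-allow-lan-to-wan", LAN_ZONES, WAN_ZONES, ANY_NET, "allow"),
    Rule("implicit-deny", None, None, ANY_NET, "deny"),
]

# Explicit rules the asker would add so that only the service-provider VLAN
# may use WAN2 and it is denied on WAN1.  Subnet constructed from the thread.
SP_VLAN = ipaddress.ip_network("192.168.110.0/24")
EXPLICIT_RULES = [
    Rule("allow-vlan110-to-wan2", frozenset({"VLAN110"}), frozenset({"WAN2"}),
         SP_VLAN, "allow"),
    Rule("deny-vlan110-to-wan1", frozenset({"VLAN110"}), frozenset({"WAN1"}),
         SP_VLAN, "deny"),
]

# Constructed policy route: the service-provider VLAN egresses via WAN2.
POLICY_ROUTES = [(SP_VLAN, "WAN2")]


def evaluate(policy: Sequence[Rule], from_zone: str, to_zone: str, src_ip: str):
    """First match wins.  Explicit rules precede the implicit ones, so an
    explicit deny can override the implicit LAN-to-WAN allow."""
    ip = ipaddress.ip_address(src_ip)
    for rule in (*policy, *IMPLICIT_RULES):
        if rule.matches(from_zone, to_zone, ip):
            return rule.action, rule.name
    raise RuntimeError("the implicit deny must match every packet")


def select_wan(src_ip: str, default_wan: str = "WAN1") -> str:
    """Routing decision: a matching policy route wins over load balancing.
    The load-balancing fallback is simplified here to a fixed WAN."""
    ip = ipaddress.ip_address(src_ip)
    for net, wan in POLICY_ROUTES:
        if ip in net:
            return wan
    return default_wan


def forward(policy: Sequence[Rule], from_zone: str, src_ip: str):
    """Routing chooses the egress zone, then the security policy decides
    whether that zone pair is permitted: two independent features."""
    to_zone = select_wan(src_ip)
    action, rule = evaluate(policy, from_zone, to_zone, src_ip)
    return to_zone, action, rule


if __name__ == "__main__":
    # With only the implicit rules, the VLAN is allowed towards both WANs.
    print(evaluate([], "VLAN110", "WAN1", "192.168.110.10"))
    # With explicit rules it is confined to WAN2.
    print(evaluate(EXPLICIT_RULES, "VLAN110", "WAN1", "192.168.110.10"))
    print(forward(EXPLICIT_RULES, "VLAN110", "192.168.110.10"))
```

The point the model makes concrete: with no explicit rules, the implicit LAN-to-WAN allow permits the VLAN on either WAN zone, so if routing ever sends that traffic to WAN1 it is not blocked. Adding the two explicit rules ahead of the implicit ones, rather than editing the implicit rules, is what restricts the VLAN to WAN2.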
All Replies
Hi @Papa_DIOP,
If you want to order any LAN interfaces to which WAN, you can set the policy route in Menu > Site-Wide > Configure > Firewall > Routing page.
Feel free to let me know more details if this is not what you want.
Hope it helps.
Zyxel Melen
Thanks, but that does not prevent the traffic from going through both WANs, because of the default security policy that is uneditable and allows it by default.
I have setup a policy-route to redirect each interface to the desired WAN. However, the security-policy takes over.
Isn't it just possible to make the default security policy editable? Why would Nebula not be flexible to that effect?
A routing rule forces traffic to the given WAN; that's how it works in standalone.
Thank you, Peter.
Relevant traffic is effectively routed through WAN2. That is not the problem.
Because of the default implicit rules in the security policy, Internet traffic is load-balanced between the two WANs, which creates instabilities over all networks.
If those implicit rules were editable, I would just allow the concerned VLAN on WAN2 and deny it on WAN1.
Hope this makes it clearer.
The security policy has nothing to do with load balancing between the two WANs.
On the Flex 200, WAN1 is zone WAN and WAN2 can have another zone other than WAN in standalone; not sure what it's like in Nebula.
If you route LAN1 to WAN2, the security policy for LAN1 to WAN just allows it; it does not use WAN1 to send LAN1 traffic to WAN1, because you told it not to by the routing rule.
Thank you, Melen.
Here's what I got in my routing policies:
And here's what I got on security policies:
It seems you have reused a LAN subnet for VPN?
Your VPN has 10.2.0.0/16, and yet you want to route 192.168.110.0/25 and 192.168.110.128/25 to 10.2.0.0/16 out WAN2, which will not happen due to the direct route.
Thank you, Peter.
10.2.0.0/16 is the Service Provider Network on WAN2
The VPN is established within the 192.168.110.0 subnet, which should be the only network granted access to this Service Provider.
You're right, Melen.
I did not set policies for any network other than the one concerned by the Service Provider on WAN2, since I expected the security policy to be enough to allow traffic on WAN1. My fault, sorry.
It would have been so good to have a "show IP route" tag on the Nebula Firewall status menu, though…
Many thanks indeed. Matter closed.