How to customize the Nebula default security policy ?

Papa_DIOP
Papa_DIOP Posts: 17  Freshman Member
First Comment Sixth Anniversary

I've got a USGFLEX 200 connected on 2 different SP's

When I look at the default security, all LAN-interfaces are allowed on both WANs, by default.

I'd like to edit the default security policy imposed by Nebula, in such a way that I will choose which LAN Interface is allowed on each WAN.

Your assistance is much appreciated.

Accepted Solution

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,584  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    Answer ✓

    Hi @Papa_DIOP,

    It appears that some policy route rules are missing, because the result doesn't align with your requirements. Could you list the path you want and allow me to provide the recommended configuration? Or you can reference the below to configure:

    Below comments are my reply to your questions:

    I have setup a policy-route to redirect each interface to the desired WAN. However, the security-policy takes over.

    The security policy won't disrupt the policy route rule since they are different features.

    Because of the default implicit rules in the security policy, Internet traffic is load-balanced between the two WANs, which creates instabilities over all networks.

    The policy route has a higher priority than WAN Load Balancing. Therefore, the traffic should be fine and won't be disrupted by WAN Load Balancing.

    Isn't it just possible to make the default security policy editable? Why would Nebula not be flexible to that effect?

    The default security policy, like the screenshot below, is for normal users.

    If you need some specific rules, you can configure your own security policy rules. The firewall will check these rules first. Priority: Policy 1 > Policy 2 > ……. > Implicit allow rules > Implicit deny rule

    Zyxel Melen

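To make the evaluation order in the accepted answer concrete, here is an added example (not Zyxel code, and not the poster's configuration) that models it in Python: a policy route is consulted before WAN load balancing to pick the egress WAN, and the security policy is then checked as Policy 1 > Policy 2 > ... > implicit allow > implicit deny. Assumptions, all constructed for the example: zone names (VLAN110, LAN1, LAN2, WAN, WAN2), WAN2 placed in its own zone, a round-robin stand-in for WAN load balancing, and the LAN subnets (192.168.1.0/24 and 192.168.2.0/24 are invented; the 192.168.110.x subnets are the ones mentioned later in the thread). The three scenarios show the route gap the poster ran into, the fixed configuration, and an explicit deny rule acting as a guard rail when a route is missing.

```python
import ipaddress
from dataclasses import dataclass
from itertools import cycle
from typing import List, NamedTuple, Tuple

# --- Constructed topology (assumption, not the poster's real configuration) ---
LAN_ZONES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("192.168.110.0/25"), "VLAN110"),
    (ipaddress.ip_network("192.168.110.128/25"), "VLAN110"),
    (ipaddress.ip_network("192.168.1.0/24"), "LAN1"),   # invented subnet
    (ipaddress.ip_network("192.168.2.0/24"), "LAN2"),   # invented subnet
]
# Assumed zone layout: WAN1 in zone "WAN", WAN2 in its own zone "WAN2".
WAN_ZONES = {"WAN1": "WAN", "WAN2": "WAN2"}


@dataclass(frozen=True)
class PolicyRoute:
    source: ipaddress.IPv4Network
    egress: str            # "WAN1" or "WAN2"


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    action: str            # "allow" or "deny"


class Decision(NamedTuple):
    egress: str
    action: str
    matched: str           # which rule or default produced the verdict


class Firewall:
    def __init__(self, routes: List[PolicyRoute], rules: List[SecurityRule]):
        self.routes = list(routes)
        self.rules = list(rules)
        # Constructed stand-in for WAN load balancing: alternate between the WANs.
        self._load_balancer = cycle(["WAN1", "WAN2"])

    def select_egress(self, src: ipaddress.IPv4Address) -> str:
        # Step 1: policy routes win; first matching route decides the WAN.
        for route in self.routes:
            if src in route.source:
                return route.egress
        # Step 2: no policy route matched, so WAN load balancing picks a WAN.
        return next(self._load_balancer)

    @staticmethod
    def lan_zone(src: ipaddress.IPv4Address) -> str:
        for net, zone in LAN_ZONES:
            if src in net:
                return zone
        raise ValueError(f"{src} is not on a known LAN subnet")

    def evaluate(self, src_ip: str) -> Decision:
        src = ipaddress.ip_address(src_ip)
        egress = self.select_egress(src)
        from_zone, to_zone = self.lan_zone(src), WAN_ZONES[egress]
        # Explicit rules are checked first, in configured order (Policy 1 > Policy 2 > ...).
        for rule in self.rules:
            if rule.from_zone == from_zone and rule.to_zone == to_zone:
                return Decision(egress, rule.action, rule.name)
        # Implicit allow: by default every LAN-side zone may reach every WAN-side zone.
        if to_zone in WAN_ZONES.values():
            return Decision(egress, "allow", "implicit-allow")
        return Decision(egress, "deny", "implicit-deny")


def scenario_route_gap() -> List[Decision]:
    """Only VLAN110 has a policy route; the other LANs fall back to load balancing."""
    fw = Firewall([PolicyRoute(ipaddress.ip_network("192.168.110.0/24"), "WAN2")], [])
    return [fw.evaluate("192.168.110.10"),  # routed to WAN2 as intended
            fw.evaluate("192.168.1.10"),    # no route: load balancing picks WAN1 ...
            fw.evaluate("192.168.1.11")]    # ... and WAN2 for the next flow


def scenario_complete() -> List[Decision]:
    """Every LAN has a policy route, so load balancing never decides."""
    routes = [PolicyRoute(ipaddress.ip_network("192.168.110.0/24"), "WAN2"),
              PolicyRoute(ipaddress.ip_network("192.168.1.0/24"), "WAN1"),
              PolicyRoute(ipaddress.ip_network("192.168.2.0/24"), "WAN1")]
    rules = [SecurityRule("block-vlan110-on-wan1", "VLAN110", "WAN", "deny")]
    fw = Firewall(routes, rules)
    return [fw.evaluate("192.168.110.10"), fw.evaluate("192.168.1.10"), fw.evaluate("192.168.2.10")]


def scenario_guard_rail() -> List[Decision]:
    """No routes at all, but the explicit deny stops VLAN110 from leaking via WAN1."""
    rules = [SecurityRule("block-vlan110-on-wan1", "VLAN110", "WAN", "deny")]
    fw = Firewall([], rules)
    return [fw.evaluate("192.168.110.10"), fw.evaluate("192.168.110.11")]


if __name__ == "__main__":
    for name, fn in [("route gap", scenario_route_gap), ("complete", scenario_complete),
                     ("guard rail", scenario_guard_rail)]:
        print(name, [tuple(d) for d in fn()])
```

The route-gap scenario reproduces what the poster observed: the VLAN with a policy route is steady on WAN2, while LANs without one alternate between WANs because the implicit allow accepts them on either. The explicit deny in the last scenario only matters when routing is wrong, which is why the accepted answer treats the two features as independent.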

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,584  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @Papa_DIOP,

    If you want to order any LAN interfaces to which WAN, you can set the policy route in Menu > Site-Wide > Configure > Firewall > Routing page.

    Feel free to let me know more details if this is not what you want.

    Hope it helps.

    Zyxel Melen


  • Papa_DIOP
    Papa_DIOP Posts: 17  Freshman Member
    First Comment Sixth Anniversary
    edited August 5

    Thanks, but that does not prevent the traffic from going through both WANs because of the default security policy, which is un-editable and allows it by default.

    I have setup a policy-route to redirect each interface to the desired WAN. However, the security-policy takes over.

    Isn't it just possible to make the default security policy editable? Why would Nebula not be flexible to that effect?

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited August 5

    A routing rule forces traffic to the given WAN; that's how it works in standalone.

  • Papa_DIOP
    Papa_DIOP Posts: 17  Freshman Member
    First Comment Sixth Anniversary

    Thank you, Peter.

    Relevant traffic is effectively routed through WAN2. That is not the problem.

    Because of the default implicit rules in the security policy, Internet traffic is load-balanced between the two WANs, which creates instabilities over all networks.

    If those implicit rules were editable, I would just allow the concerned VLAN on WAN2 and deny it on WAN1.

    Hope this makes it clearer.

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited August 6

    The security policy has nothing to do with load balancing between the two WANs.

    On the Flex 200, WAN1 is zone WAN and WAN2 can have another zone other than WAN in standalone; not sure what it's like in Nebula.

    If you route LAN1 to WAN2, the security policy for LAN1 to WAN just allows it; it does not use WAN1 to send LAN1 traffic to WAN1 because you told it not to by the routing rule.

  • Papa_DIOP
    Papa_DIOP Posts: 17  Freshman Member
    First Comment Sixth Anniversary

    Thank you, Melen.

    Here's what I got in my routing policies:

    And, here's what I got on Security policies:

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited August 6

    It seems you have reused a LAN subnet for VPN?

    Your VPN has 10.2.0.0/16 and yet you want to route 192.168.110.0/25 and 192.168.110.128/25 to 10.2.0.0/16 out WAN2, which will not happen due to the direct route.

  • Papa_DIOP
    Papa_DIOP Posts: 17  Freshman Member
    First Comment Sixth Anniversary

    Thank you, Peter.

    10.2.0.0/16 is the Service Provider Network on WAN2.

    The VPN is established within the 192.168.110.0 subnet which should be the only network granted access to this Service Provider.

  • Papa_DIOP
    Papa_DIOP Posts: 17  Freshman Member
    First Comment Sixth Anniversary
    edited August 6

    You're right, Melen.

    I did not set policies for any network other than the one concerned by the Service Provider on WAN2, since I expected the security policy to be enough to allow traffic on WAN1. My fault, sorry.

    It would have been so good to have a "show IP route" tag on the Nebula Firewall status menu, though…

    Many thanks indeed. Matter closed.
