[NEBULA] Add extra external IP and map service
Hi,
I configured a NSG100 with a static public IP, it connects to the internet, everything fine.
Is it possible for me to add three additional public IP's to the WAN1 interface? And, on top of that, map some ports on these 'extra' IPs to internal hosts?
Ex:
WAN1 IP: 1.1.1.1/29
WAN1 IP2: 1.1.1.2:80 to 192.168.1.10:80
WAN1 IP3: 1.1.1.3:443 to 192.168.1.20:443
Many thanks!
Regards,
J
I configured a NSG100 with a static public IP, it connects to the internet, everything fine.
Is it possible for me to add three additional public IP's to the WAN1 interface? And, on top of that, map some ports on these 'extra' IPs to internal hosts?
Ex:
WAN1 IP: 1.1.1.1/29
WAN1 IP2: 1.1.1.2:80 to 192.168.1.10:80
WAN1 IP3: 1.1.1.3:443 to 192.168.1.20:443
Many thanks!
Regards,
J
0
Comments
-
Hi @JorisK
Welcome to Nebula Forum!
I have seen you created a ticket regarding this question through our technical support channel, I will reply you through ticket. After the case is clarified I'll update once more here in the post
Irene
0 -
Hi @JorisK
I am glad to hear from you that it works on your side, and there is update for all Nebula users here!
The requirement can be reached with the following setting,
Have a great new year!
0 -
Hi @Nebula_Irene
I have been configuring my NSG this way, having 3 public IPs for my servers. Inbound access works fine but I am having the issue that for any outbound traffic, it does not use the public IP of the Virtual server but rather the public IP of the NSG.
This causes issues with an email server where the MX record does not match the public IP of the mail server, hence outbound emails are considered spam and not delivered. I could help myself with an SPF record that included the public IP of the NSG.
Nonetheless, I was wondering how I could make it working without configuring 1-1 NAT, where this can be solved but at the price of having no security policies protecting my servers behind the NSG.
Being an "ex USG" user, I must admit that the NSG is still very confusing for me. I am missing the possibilities of 1-1 NAT and firewall rules to restrict inbound traffic. Could it be that I do not understand how to setup my NSG properly? Is there any documentation with examples for above scenario? Appreciate your help.
Regards
Walter
0 -
Hello @blechkiste
Our virtual server current design does not support it but can use 1-1 NAT for the workaround, on the other hand you can still set the security policy to block the inbound traffic as your request, for instance to block the source IP 10.214.30.131 RDP to the 1-1 NAT server 192.168.25.33.
Hope it can help.
/Chris1 -
Hi @Nebula_Chris
thanks for your help. I've set it up and it works fine.
I've also figured out that you can add several destination addresses, separating them by a comma and also several ports into the same rule. This comes closer to the "objects" definitions with the USG.
Nonethless, one thing that I do not understand is why for the above configuration, the GUI section of Security Policy refers to "Outbound rules", which they are not when I seem to configure inbound rules.
For inbound rules, it states "Inbound traffic will be restricted to this service in NAT settings".
This is the reason why I did not even consider using the security policies for my scenario.
Is there any "reference" manual of the UI that explains every configuration in more details? Together with a couple of examples, this would be very useful for many users.
Kind regards
Walter
0 -
Hi @blechkiste
The NSG is the stateful firewall which means all traffic from WAN to LAN will be block, the application of inbound traffic rule is related to the NAT service in usual case. (That's why we put this note.)
However, we still have the flexibility on this part if the user has the request to configure the inbound traffic rule, like this case.
BTW, the 1-1 NAT and virtual server can edit the white list (allowed remote IP) which do not need to add the additional security policy if you need this feature. (Currently support syntax "," for specify and CIDR)
/Chris0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight