[NEBULA] dmz to lan

FrankIversen Member Posts: 86  Ally Member
edited June 2, 2020 4:49PM in Nebula Security Gateway
Hi.
How do we configure a simple DMZ zone and open some ports into a specific server on LAN1?
Could you provide an easy guide? We are doing this all the time on USG, but we are not sure what the correct way is on NSG.

Comments

  • ITPro Member Posts: 11  Freshman Member

    Virtual Server can serve the purpose of port mapping to a specific server on LAN1 through WAN.

  • FrankIversen Member Posts: 86  Ally Member
    It is not LAN1 we want to reach. We need WAN to a DMZ zone.
  • CrazyTacos Member Posts: 53  Ally Member
    Isn't DMZ just a LAN with a set of strict network policies?
    So why not dedicate LAN2 as a DMZ and use firewall security policies to enforce your inbound rules?
    If you need access to your web server from the Internet, then ITPro is right. Use Virtual Server under firewall settings.
    Your Virtual server entry would look something like this:
      Uplink:   WAN 1
      Public IP: 39.5.1.1
      Public Port: 55000 
      LAN IP:  172.16.1.100   (your web server IP)
      Local Port: 443   (for HTTPS) 
      Allowed remote IP: any
      Description: Web_service

    So if you need to access your Web server from the Internet, the URL needed would be "https://39.5.1.1:55000"
  • FrankIversen Member Posts: 86  Ally Member
    Which rule would you set up to restrict access from LAN2 to LAN1 to only port 1494?
    That is the port the web server needs to talk to our internal Citrix server.
  • ITPro Member Posts: 11  Freshman Member
    edited January 31, 2018 11:50AM
    If it is possible to use LAN2 as a DMZ, then set an outbound rule to restrict the traffic from LAN2 to LAN1 for protection. Virtual Server is still set from WAN to LAN. It may be a workaround to realize this on NSG.

  • Nebula_Irene Member Posts: 140  mod
    edited February 6, 2018 4:17PM
    Thanks to @CrazyTacos and @ITPro. It seems to be a similar way to realize DMZ on NSG at this stage.
    However, I have raised a post for DMZ in the Idea section for @FrankIversen and anyone who needs DMZ on NSG. The link is here: https://businessforum.zyxel.com/discussion/992/dmz#latest   You can hit Like :+1: to support it.
  • Nebula_Irene Member Posts: 140  mod
    edited February 14, 2018 3:46PM

    Hi all Nebula Users,

    DMZ is a feature to create a public zone in your network so that you can put your public servers in that zone for public access. Its typical rule is to allow traffic from WAN & LAN, but disallow traffic from DMZ to LAN. Although currently you can't find "DMZ" in the NSG menu, you can still achieve it by combining customized Outbound rules and Virtual Server settings. The detailed information is below.


    Demilitarized Zone / DMZ

    The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death). These public servers can also still be accessed from the secure LAN.

    By default,

    1. Traffic between the WAN and the DMZ is allowed (red line).
    2. Traffic from the LAN to the DMZ is allowed (green line).
    3. Traffic from the DMZ to the LAN is denied.

    Internet users can have access to host servers on the DMZ but no access to the LAN, unless special filter rules allowing access were configured by the administrator or the user is an authorized remote user.

    • Topology 

    What should we do on USG?

    [ Steps to realize on USG: set up native DMZ ]

    1.  Create Port Role as DMZ: go to Configuration > Network > Interface > Port Role, and then select port(s) as dmz(DMZ) and click Apply.
    2. Port mapping setting: go to Configuration > Network > NAT


    How to realize DMZ on NSG?

    DMZ is a native feature on USG, and because the firewall rules are set up well by default, only two steps need to be configured. Although there is no native feature on NSG, we can dedicate a LAN/VLAN as a DMZ to realize it.

    [ Steps to realize on NSG: set LAN/VLAN as a DMZ ]

    Before Nebula Phase III, we can dedicate a LAN/VLAN as a DMZ.

    1. Create Port Role as DMZ: dedicate/create a LAN/VLAN as a DMZ. (We call it the DMZ LAN.)
    2. Set Outbound Rule: go to GATEWAY > Configure > Firewall > Outbound rules, and then deny the traffic from DMZ LAN to other LAN/VLAN(s). 
    3. Port mapping setting: go to GATEWAY > Configure > Firewall > Virtual Server 


    Result:
    Traffic from DMZ LAN to other LAN/VLAN(s) is denied.
    • Clients under LAN can ping the server located under DMZ LAN.
    • The server located under DMZ LAN cannot ping clients under LAN.


    After Nebula Phase III, we can dedicate a Guest zone as a DMZ.

    1. Create Port Role as DMZ: enable Guest zone for a LAN/VLAN.
    2. Port mapping setting: go to GATEWAY > Configure > Firewall > Virtual Server  



    By the way, Nebula Phase III will be coming soon, let’s look forward to it. :)
  • Volker Member Posts: 7

    Nebula_Irene,
    It's my first post here and I am new to Nebula. What I want to accomplish is to isolate traffic on the LAN2 port(s) from the main LAN1. Like a DMZ, open only to the internet.
    Under Port Group Settings I gave LAN2 its own IP scope.
    Under Firewall I added an Outbound Rule to deny any LAN1 to LAN2, creating a LAN2-DMZ, just like your item 2 (Outbound rule) above.
    • in LAN1 the NSG100 = 192.168.20.1
    • in LAN2 the NSG100 = 192.168.5.1
    When pinging from this LAN2 (DMZ) to the LAN1, all IP addresses are being blocked, except the NSG100. In other words, I am on a device in the 192.168.5.0/24 range and I can reach 192.168.20.1 by opening the web portal and pinging it, while all the rest of the 192.168.20.0/24 scope is totally blocked. Why is the whole range blocked except 192.168.20.1?

    Thanks,
    Volker

  • Nebula_Chris Zyxel Official Agent Posts: 287  mod
    Hello @Volker :)
    Welcome to the Nebula Community!
    Since the security policy can allow/deny the traffic between the different interface subnets, except the traffic to the device itself, that's why the device still responds to the ping and web portal requests.
    If you don't want the device to respond to the ping, you can enable the guest zone on LAN2 at interface addressing, and have a security policy to deny the traffic from LAN1 to LAN2; then the device would not answer the ping request.
    However, at the current stage we cannot restrict the device from responding to the web portal request; there is a little limitation on it because of the captive portal.
    Hope it helps you!
    Chris
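    As an added example (not from the original thread, and not Zyxel code), the Python model below puts together the pieces discussed above: Irene's "dedicate a LAN/VLAN as the DMZ and deny DMZ to LAN with an outbound rule", FrankIversen's need to still let the web server reach the internal Citrix server on TCP 1494, the Virtual Server entry from CrazyTacos's post, and Chris's point that traffic addressed to the gateway itself is not governed by the inter-subnet policy (which is what Volker observed). It evaluates a handful of sample flows through first-match rules and shows why the narrow allow must sit above the broad deny. The public mapping 39.5.1.1:55000 to 172.16.1.100:443 and the DMZ subnet come from the thread; the LAN1 subnet 192.168.20.0/24, the Citrix server 192.168.20.50, the gateway addresses and the default-allow behaviour between LANs are assumptions made for the example.

```python
"""Policy model for the DMZ-on-NSG design in this thread: a dedicated LAN used
as the DMZ, first-match outbound firewall rules, and a Virtual Server (WAN port
mapping).  Constructed example, not Zyxel code.  The public mapping and the web
server address come from the thread; LAN1, the Citrix server, the gateway
addresses and the default-allow behaviour between LANs are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str                      # source IP
    dst: str                      # destination IP
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port; None for icmp


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[Tuple[int, int]] = None   # inclusive port range; None = any port

    def matches(self, f: Flow) -> bool:
        def in_net(cidr: str, ip: str) -> bool:
            return cidr == "any" or ip_address(ip) in ip_network(cidr)
        proto_ok = self.proto in ("any", f.proto)
        port_ok = self.dport is None or (
            f.dport is not None and self.dport[0] <= f.dport <= self.dport[1])
        return in_net(self.src, f.src) and in_net(self.dst, f.dst) and proto_ok and port_ok


@dataclass(frozen=True)
class VirtualServer:
    """One Virtual Server entry: Public IP:Port on the uplink -> LAN IP:Local Port."""
    public_ip: str
    public_port: int
    lan_ip: str
    local_port: int
    proto: str = "tcp"

    def translate(self, f: Flow) -> Flow:
        # Destination NAT runs before the policy lookup, so rules see the inside address.
        if f.dst == self.public_ip and f.dport == self.public_port and f.proto == self.proto:
            return Flow(f.src, self.lan_ip, f.proto, self.local_port)
        return f


DMZ_LAN = "172.16.1.0/24"                     # LAN/VLAN acting as DMZ (web server 172.16.1.100, per thread)
LAN1 = "192.168.20.0/24"                      # internal LAN (assumed; borrows Volker's numbering)
CITRIX = "192.168.20.50"                      # internal Citrix server (assumed)
GATEWAY_IPS = {"172.16.1.1", "192.168.20.1"}  # NSG interface addresses (assumed)

WEB_SERVICE = VirtualServer("39.5.1.1", 55000, "172.16.1.100", 443)   # entry from the thread

# Working order: the narrow allow for ICA/1494 sits ABOVE the broad DMZ -> LAN1 deny.
DMZ_RULES: List[Rule] = [
    Rule("Citrix_ICA", "allow", DMZ_LAN, LAN1, "tcp", (1494, 1494)),
    Rule("DMZ_to_LAN1_deny", "deny", DMZ_LAN, LAN1),
]
# Same two rules with the deny on top: the allow can never be reached.
BROKEN_RULES: List[Rule] = list(reversed(DMZ_RULES))


def decide(rules: List[Rule], f: Flow, default: str = "allow") -> Tuple[str, str]:
    """Return (action, reason) for a new connection.

    Virtual Server DNAT is applied first.  Traffic addressed to the gateway
    itself is not subject to the inter-subnet policy (Chris's point, and why
    Volker could still ping 192.168.20.1).  Then first match wins, top to
    bottom; unmatched traffic gets the default, assumed to be allow between
    LANs, which is why the explicit DMZ -> LAN1 deny is needed at all."""
    f = WEB_SERVICE.translate(f)
    if f.dst in GATEWAY_IPS:
        return "allow", "to-device"
    for r in rules:
        if r.matches(f):
            return r.action, r.name
    return default, "default"


if __name__ == "__main__":
    cases = [
        Flow("203.0.113.10", "39.5.1.1", "tcp", 55000),    # Internet client on the published port
        Flow("172.16.1.100", CITRIX, "tcp", 1494),         # web server -> Citrix ICA, should pass
        Flow("172.16.1.100", CITRIX, "tcp", 445),          # web server -> SMB on LAN1, should be denied
        Flow("172.16.1.100", "192.168.20.1", "icmp"),      # web server pinging the NSG's LAN1 address
        Flow("192.168.20.10", "172.16.1.100", "tcp", 443), # LAN1 client -> DMZ web server
    ]
    for f in cases:
        print(f, "->", decide(DMZ_RULES, f))
    print("deny-first misordering:", decide(BROKEN_RULES, Flow("172.16.1.100", CITRIX, "tcp", 1494)))
```

    Running it prints the decision and the matching rule for each flow; the last line shows that putting the deny above the allow silently breaks the Citrix connection, which is the thing to check in the Nebula outbound rule order after following the steps above. The model is stateless, so return traffic of an allowed connection is taken for granted, as it is on the real gateway.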