Firewall-Configuration on your Nebula Security Gateway (NSG)

In our Nebula Security Gateways (NSG), as in any firewall, you can block specific traffic. In this tutorial, we will guide you through needed steps on the Nebula Control Center (NCC) to block traffic. 

In this example, we want to restrict a client in our LAN1 (192.168.1.100) to access any client in LAN2 (192.168.2.1).

First, please navigate to the Nebula Control Center and go to to: Gateway > Configure > Firewall

Then, add an "outbound rule":
In this example, we are blocking anything from 192.168.1.100 (mostly within the LAN1 subnet range) to 192.168.2.1/24

That's all there is regarding a basic firewall setup.

Things to consider:

• When testing the firewall rule, most likely you will ping (when looking at our example) the LAN2 gateway interface IP and to your shock will find out that you still can ping the gateway! Is this because the interface's own IP is set to a firewall-zone outside of both LAN1 or LAN2, but actually the device itself, also referred to as "ZyWall"
• Using the Security Gateway Services below will allow specific services to be accessible from WAN onto the device ("ZyWall"). If you enter in both fields any e.g., clients from the WAN can both Ping and access the unit on the WAN-port vias HTTPS
  
  
• There are plenty of rules in the background going on. Here a small glimpse of some of the firewall rules as hardcoded into the units configuration:
  
  These are not displayed on the Nebula Control Center and are not changeable.