Disclaimer: This information is posted as-is and the content should be referenced at your own risk
This post is a simple guide to configuring firewall rules and NAT rules on an XG firewall for LAN-to-WAN, LAN-to-VPN, and WAN-to-DMZ traffic.
More technical details can be found at
internal computers --- Port1 [XG] Port2 --- Internet
The XG firewall's LAN interface Port1 connects to the internal computers, and its WAN interface Port2 connects to the Internet.
To allow the internal computers to access the Internet:
1. Create a firewall rule that allows LAN to WAN traffic.
2. Create a NAT rule that applies masquerading (MASQ) to LAN to WAN traffic. It is recommended to move this LAN to WAN NAT rule to the bottom of the NAT rule table; otherwise it can be applied to other traffic and cause unexpected results.
When there are multiple WAN interfaces, use SD-WAN policy routing to specify the primary gateway for LAN to WAN traffic.
Note: the Primary/Backup gateway setting was removed from the firewall rule in v18.0.
Assume the XG firewall has two WAN interfaces, Port2 and Port4, and we need to specify Port2 as the primary gateway for LAN to WAN traffic.
Go to XG webadmin > Routing > SD-WAN policy routing and add a new IPv4 SD-WAN policy route, selecting the Port2 gateway as the primary gateway.
Details of the gateways can be checked under XG webadmin > Routing > Gateways.
With the above SD-WAN policy route configured on the XG firewall,
internal computers --- Port1 [XG] Port2 --- IPsec VPN --- [remote VPN gateway] --- remote VPN network
To allow the internal computers to access the remote VPN network, create a LAN to VPN firewall rule.
You might also need to create another firewall rule for VPN to LAN traffic (for connections initiated from the remote network). Make sure no NAT rule is applied to LAN to VPN traffic, unless NAT is necessary for the local VPN network to reach the remote VPN network.
external users --- Internet --- Port2 [XG] Port1 --- internal Exchange server (in DMZ zone)
External users need to access the HTTPS service on the internal Exchange server by visiting the XG firewall's public IP.
The XG firewall's WAN interface Port2 connects to the Internet, and its DMZ interface Port1 connects to the internal Exchange server.
To allow the DNAT access:
1. Create a firewall rule that allows WAN to internal Exchange server traffic for HTTPS. In v18 the DNAT is applied before the firewall rule is matched, so the rule's destination is the Exchange server's internal address (the translated destination), not the public IP.
2. Create a DNAT rule with Port2 as the inbound interface matching criterion, the firewall's public IP as the original destination, HTTPS as the service, and the Exchange server as the translated destination.
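The three procedures above (LAN-to-WAN masquerading, the no-NAT LAN-to-VPN path, and the WAN-to-DMZ DNAT) are easier to reason about as one rule table. The Python model below is an added example, not code from the original post or from Sophos. It models the v18 packet path as three first-match passes, DNAT, then firewall rule on the translated destination, then SNAT, which is a simplification; all addresses, interface names, rule names and the "bad" NAT ordering are constructed assumptions. It shows the masquerade rule rewriting the source of LAN-to-Internet traffic, the inbound Port2 criterion on the DNAT rule, and what goes wrong when a broad masquerade rule sits at the top of the table instead of the bottom: LAN-to-VPN traffic gets masqueraded too.

```python
# Added example, not code from the original post or from Sophos: a small
# first-match model of the XG v18 packet path (DNAT, then firewall rule, then
# SNAT) for sanity-checking rule order before touching the real firewall.
# Addresses, interface names, rule names and the "bad" table are assumptions.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed topology mirroring the post's diagrams (assumed addresses).
ZONES = {"LAN": ip_network("192.168.1.0/24"),
         "DMZ": ip_network("192.168.2.0/24"),
         "VPN": ip_network("10.20.0.0/16")}      # remote IPsec network
WAN_IP = ip_address("203.0.113.10")             # XG public IP on Port2
EXCHANGE = ip_address("192.168.2.25")           # Exchange server in the DMZ

def zone_of(ip: IPv4Address) -> str:
    """Map an address to its zone; anything not internal is WAN."""
    return next((z for z, net in ZONES.items() if ip in net), "WAN")

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    in_iface: str

@dataclass(frozen=True)
class FwRule:
    name: str
    src_zone: str
    dst_zone: str
    dport: Optional[int] = None         # None = any service

@dataclass(frozen=True)
class NatRule:
    name: str
    src_zone: Optional[str] = None      # None = Any
    dst_zone: Optional[str] = None
    in_iface: Optional[str] = None      # inbound interface criterion
    orig_dst: Optional[IPv4Address] = None
    dport: Optional[int] = None
    dnat: Optional[IPv4Address] = None  # translated destination, if any
    masq: bool = False                  # SNAT to the outbound interface IP

    def matches(self, p: Packet) -> bool:
        return (self.src_zone in (None, zone_of(p.src))
                and self.dst_zone in (None, zone_of(p.dst))
                and self.in_iface in (None, p.in_iface)
                and self.orig_dst in (None, p.dst)
                and self.dport in (None, p.dport))

def process(p: Packet, nat: list, fw: list) -> dict:
    """Run one packet through the tables; first match wins in each pass."""
    trace = []
    # 1. DNAT (pre-routing): first NAT rule carrying a translated destination.
    dnat = next((r for r in nat if r.dnat is not None and r.matches(p)), None)
    if dnat:
        p = replace(p, dst=dnat.dnat)
        trace.append("DNAT:" + dnat.name)
    # 2. Firewall rule, matched on the post-DNAT destination (v18 behaviour).
    fw_hit = next((r for r in fw if r.src_zone == zone_of(p.src)
                   and r.dst_zone == zone_of(p.dst)
                   and r.dport in (None, p.dport)), None)
    if fw_hit is None:
        return {"action": "Drop", "src": str(p.src), "dst": str(p.dst), "trace": trace}
    trace.append("FW:" + fw_hit.name)
    # 3. SNAT (post-routing): first NAT rule without a DNAT part that matches.
    snat = next((r for r in nat if r.dnat is None and r.matches(p)), None)
    if snat:
        trace.append("NAT:" + snat.name)
        if snat.masq:   # Internet and IPsec traffic both leave via Port2 here
            p = replace(p, src=WAN_IP)
    return {"action": "Accept", "src": str(p.src), "dst": str(p.dst), "trace": trace}

FIREWALL = [
    FwRule("LAN to WAN", "LAN", "WAN"),
    FwRule("LAN to VPN", "LAN", "VPN"),
    FwRule("VPN to LAN", "VPN", "LAN"),
    FwRule("WAN to Exchange HTTPS", "WAN", "DMZ", dport=443),
]

DNAT_EXCHANGE = NatRule("DNAT Exchange", src_zone="WAN", in_iface="Port2",
                        orig_dst=WAN_IP, dport=443, dnat=EXCHANGE)
NO_NAT_VPN = NatRule("No NAT LAN to VPN", src_zone="LAN", dst_zone="VPN")
MASQ_LAN_WAN = NatRule("MASQ LAN to WAN", src_zone="LAN", dst_zone="WAN", masq=True)
# Constructed misconfiguration: a LAN masquerade rule with destination Any,
# placed at the top of the table above the more specific rules.
MASQ_LAN_ANY = NatRule("MASQ LAN to Any", src_zone="LAN", masq=True)

NAT_BAD = [MASQ_LAN_ANY, NO_NAT_VPN, DNAT_EXCHANGE]
NAT_GOOD = [DNAT_EXCHANGE, NO_NAT_VPN, MASQ_LAN_WAN]   # masquerade rule last

# Constructed sample packets.
LAN_HOST = ip_address("192.168.1.50")
TO_INTERNET = Packet(LAN_HOST, ip_address("198.51.100.80"), 443, "Port1")
TO_VPN = Packet(LAN_HOST, ip_address("10.20.5.5"), 445, "Port1")
FROM_INTERNET = Packet(ip_address("198.51.100.7"), WAN_IP, 443, "Port2")
```

Running `process(TO_VPN, NAT_GOOD, FIREWALL)` keeps the LAN source address intact because the no-NAT rule is hit first, while `process(TO_VPN, NAT_BAD, FIREWALL)` returns the packet with its source rewritten to the WAN IP, which is exactly the "unexpected result" the post warns about. An inbound packet arriving on Port1 with the public IP as destination never matches the DNAT rule and is dropped, which is what the inbound interface criterion buys you.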
2021-02-12, added section "specify primary gateway"
2021-01-22, added Interface matching criteria in section "WAN-to-DMZ traffic".
2020-12-23, added "It is recommended to move the LAN to WAN NAT rule to bottom, otherwise, it can be applied on other traffic, and cause unexpected result" to section "LAN-to-WAN traffic".
2020-08-19, changed title, and removed it from top of list.
2020-07-22, first version.