Firewall Zone configurations?

Hello!
Have some questions regarding the Firewall Zone configurations.
I have multiple zones: wan, lan, mgt, guest, srv, dmz.

The dmz zone has public IP addresses so it does not need to be NATed or MASQUERADED to the WAN/Internet. All the other zones are RFC1918 networks and need to be NATed if allowed to go out on the WAN interface. For any internal intra-zone traffic (lan, mgt, srv, guest, dmz) the traffic should NOT be NATed between the zones.

  • Traffic between lan, mgt, srv, guest, dmz should NOT be NATed
  • The traffic from lan, mgt, srv, guest to WAN should be NATed
  • The traffic from dmz to WAN should NOT be NATed

Currently any host on dmz gets NATed to the WAN interface when going to the Internet, most likely due to the "wan ⇒ Reject" that has MASQUERADE enabled.

I have difficulties setting up zone rules that accomplish this, as there cannot be 2 zone rules with covered networks=dmz, one with intra-zone enabled without NAT and one with dmz->wan with masquerading enabled.

Any tips on how to understand the zone rules better and accomplish the desired setup described above?

Regs,
Kim

Beware, the previous post contains a promotional link to <redacted>
@Daumantas please delete it.

@flebourse deleted, thank you.

Hello,

Apologies for the delay. I just wanted to follow up and ask whether your initial inquiry regarding NAT and firewall zone configurations was resolved or if you’re still in need of assistance.

In brief, the NAT/masquerading behavior you described can be achieved through advanced settings in each firewall zone configuration. Specifically, you can use the “Restrict Masquerading to given source/destination subnets” option to selectively apply masquerading only to specific traffic flows, e.g., only NAT traffic from RFC1918 subnets going out via WAN, while leaving DMZ public IP traffic un-NATed.

Best regards,
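As an added illustration, not taken from any of the replies above, this is how the option described in the last reply looks in an OpenWrt-style UCI firewall (assumed here; in /etc/config/firewall the "Restrict Masquerading to given source subnets" field corresponds to `masq_src`). Zone names are taken from the original question; the dmz public prefix is a placeholder.

```text
# Before (constructed): masq on the wan zone applies to everything leaving
# wan, so dmz hosts with public addresses get NATed as well.
config zone
    option name     'wan'
    option input    'REJECT'
    option output   'ACCEPT'
    option forward  'REJECT'
    option masq     '1'
    option mtu_fix  '1'
    list   network  'wan'

# After: masq stays enabled, but is restricted to the RFC1918 sources.
# dmz traffic (public addresses) matches none of these, so it leaves un-NATed.
config zone
    option name     'wan'
    option input    'REJECT'
    option output   'ACCEPT'
    option forward  'REJECT'
    option masq     '1'
    option mtu_fix  '1'
    list   network  'wan'
    list   masq_src '10.0.0.0/8'
    list   masq_src '172.16.0.0/12'
    list   masq_src '192.168.0.0/16'

# Alternative: exclude the dmz prefix explicitly instead of listing the
# private ranges (203.0.113.0/24 is a placeholder for the real public block).
#   list masq_src '!203.0.113.0/24'

# The internal zones carry no masq option, and forwardings between them and
# towards wan are plain zone forwardings, so lan/mgt/srv/guest/dmz traffic is
# never NATed between zones; only the wan zone's masq_src decides what is NATed.
config forwarding
    option src  'dmz'
    option dest 'wan'

config forwarding
    option src  'lan'
    option dest 'wan'
```

After changing the file, `/etc/init.d/firewall restart` reloads the rules; a quick check is to compare the source address seen by an external host from a dmz machine versus a lan machine.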