Nexapp - Zone and Policies
Zones and Policies
Zones and policies are the foundation of traffic control in NexappOS.
- Zones group one or more network interfaces into trust boundaries (for example: internal networks, internet-facing networks, guest networks).
- Policies and rules determine what traffic is allowed, rejected, or dropped between those zones.
Together, they let you design clean network segmentation and enforce security behavior consistently across your deployment.
What Is a Zone?
A zone represents a logical network segment with a specific trust level and behavior.
Typical environments include at least:
- WAN — external / untrusted networks (usually the internet)
- LAN — internal / trusted networks (local users and devices)
Each zone can contain:
- physical interfaces (eth ports)
- VLAN interfaces
- logical interfaces (bridge, bond)
- VPN interfaces (as dedicated zones)
What Are Policies?
A policy defines the default traffic behavior between zones.
Rules refine that behavior when more control is needed.
Policies answer questions like:
- Can LAN devices reach WAN?
- Can WAN reach LAN or the unit itself?
- Can devices inside the same zone communicate?
Rules are always evaluated top to bottom, and the first match wins.
Default Zones Behavior
NexappOS ships with two built-in zones and safe default policies.
Default zones
- WAN (Wide Area Network): external / untrusted side.
- LAN (Local Area Network): internal / trusted side.
Accepted traffic by default
- LAN → WAN: allows internal users to access the internet.
- LAN → NexappOS unit: allows management and services from trusted networks.
- LAN → LAN: enables internal device-to-device communication.
Denied traffic by default
- WAN → NexappOS unit: blocks unsolicited public access to management/services.
- WAN → WAN: prevents direct forwarding between external networks.
Default zones cannot be deleted, but their policies can be modified, and new zones can be added.
Zone Logging
Zone-level logging can be enabled from:
- Firewall → Zones and policies → Logging
When enabled, traffic events are written to logs for auditing and troubleshooting.
Default limit:
- 5 log entries per second per zone
To change limits, refer to the Logging limits section under Firewall Rules.
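To make the per-zone limit concrete, here is an added example (not NexappOS code; the class name, the token-bucket shape and the suppressed-event counter are assumptions about how such a limit can be modelled, not documented behaviour) that enforces "5 log entries per second per zone" and reports how many events the limit discarded:

```python
# Added example, not NexappOS code: a per-zone token bucket modelling a
# "5 log entries per second per zone" limit. Names are assumptions.
from collections import defaultdict


class ZoneLogLimiter:
    def __init__(self, per_second: float = 5.0, burst: int = 5) -> None:
        self.rate = per_second
        self.burst = burst
        self.tokens = defaultdict(lambda: float(burst))  # each zone starts with a full bucket
        self.last = {}                                   # last refill time per zone
        self.suppressed = defaultdict(int)               # events the limit discarded, per zone

    def allow(self, zone: str, now: float) -> bool:
        """Return True if an event for `zone` occurring at time `now` may be logged."""
        elapsed = now - self.last.get(zone, now)
        self.last[zone] = now
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens[zone] = min(self.burst, self.tokens[zone] + elapsed * self.rate)
        if self.tokens[zone] >= 1.0:
            self.tokens[zone] -= 1.0
            return True
        self.suppressed[zone] += 1
        return False


def logged_count(limiter: ZoneLogLimiter, zone: str, now: float, events: int) -> int:
    """How many of `events` simultaneous events for `zone` at time `now` get logged."""
    return sum(limiter.allow(zone, now) for _ in range(events))


if __name__ == "__main__":
    lim = ZoneLogLimiter()
    # Constructed burst: 20 dropped packets hit the wan zone within the same second.
    print("t=0.0 wan:", logged_count(lim, "wan", 0.0, 20), "of 20 logged")
    print("t=0.0 lan:", logged_count(lim, "lan", 0.0, 3), "of 3 logged")
    print("t=1.0 wan:", logged_count(lim, "wan", 1.0, 20), "of 20 logged")
    print("suppressed per zone:", dict(lim.suppressed))
```

The buckets are independent per zone, so a flood of events on WAN does not starve LAN logging, and the suppressed counter is what you would watch when auditing a zone that appears quiet only because its limit was hit.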
Additional Zones (Guest and DMZ)
Beyond the default zones, NexappOS can define special-purpose zones.
Two common patterns:
- Guest zone (blue)
- DMZ zone (orange)
These help isolate users and services while still allowing required access.
Guest Zone (Blue)
The Guest zone is intended for visitors or unmanaged devices.
Typical security intent:
- Guests can access the internet (WAN)
- Guests cannot access internal LAN resources
- Guests cannot manage or reach the unit itself
Create a Guest zone
- Go to Firewall → Zones and policies
- Click Add zone
- Set fields:
Name: guest (the UI highlights this zone in blue)
Allow forwards to: (leave empty)
Allow forwards from: lan
Traffic to WAN: Enabled
Traffic to firewall: Drop
Traffic for same zone: Drop
- Click Save and apply changes.
Note (DNS/DHCP on Guest)
If NexappOS provides DNS/DHCP, add an Input rule from the Guest zone allowing:
- DNS: 53 TCP/UDP
- DHCP: 67 UDP
If DNS/DHCP is provided elsewhere, keep these blocked.
DMZ Zone (Orange)
The DMZ zone is used for public-facing servers that must be reachable from WAN but isolated from LAN.
Typical security intent:
- DMZ hosts can reach WAN (updates, services)
- WAN can reach DMZ only via explicit port forwards
- DMZ cannot freely access LAN
Create a DMZ zone
- Go to Firewall → Zones and policies
- Click Add zone
- Set fields:
Name: dmz (the UI highlights this zone in orange)
Allow forwards to: (leave empty)
Allow forwards from: (leave empty)
Traffic to WAN: Enabled
Traffic to firewall: Drop
Traffic for same zone: Drop
- Click Save and apply changes.
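The following added example (not NexappOS code; class and function names are assumptions) models the default zone behaviour, the Guest and DMZ zones exactly as configured above, the Guest DNS/DHCP Input rules, and a constructed WAN → DMZ port forward on TCP/443. It shows how the zone fields on this page ("Allow forwards to/from", "Traffic to WAN", "Traffic to firewall", "Traffic for same zone") combine with ordered rules where the first match wins, so you can check a planned zone design against the stated security intent before applying it:

```python
# Added example, not NexappOS code: a model of zone policies plus ordered
# rules. The field-to-behaviour mapping follows this page; names are assumed.
from dataclasses import dataclass
from typing import Optional, Tuple

ACCEPT, REJECT, DROP = "accept", "reject", "drop"
FIREWALL = "firewall"  # the NexappOS unit itself, as a traffic destination


@dataclass(frozen=True)
class Zone:
    name: str
    forward_to: frozenset = frozenset()    # "Allow forwards to"
    forward_from: frozenset = frozenset()  # "Allow forwards from"
    to_wan: bool = False                   # "Traffic to WAN"
    to_firewall: str = DROP                # "Traffic to firewall"
    same_zone: str = DROP                  # "Traffic for same zone"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src: str, dst: str, proto: Optional[str], dport: Optional[int]) -> bool:
        return (self.src == src and self.dst == dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))


class Firewall:
    """Built-in wan/lan zones with the page's default policies, plus an ordered rule list."""

    def __init__(self) -> None:
        self.zones = {
            "wan": Zone("wan"),  # nothing accepted by default: WAN -> unit and WAN -> WAN drop
            "lan": Zone("lan", to_wan=True, to_firewall=ACCEPT, same_zone=ACCEPT),
        }
        self.rules: list = []

    def add_zone(self, zone: Zone) -> None:
        self.zones[zone.name] = zone

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)  # appended rules sit below the earlier ones

    def zone_policy(self, src: str, dst: str) -> str:
        """Default behaviour between zones, consulted only when no rule matched."""
        z = self.zones[src]
        if dst == FIREWALL:
            return z.to_firewall
        if dst == src:
            return z.same_zone
        if dst == "wan":
            return ACCEPT if z.to_wan else DROP
        if dst in z.forward_to or src in self.zones[dst].forward_from:
            return ACCEPT
        return DROP

    def trace(self, src: str, dst: str, proto: Optional[str] = None,
              dport: Optional[int] = None) -> Tuple[str, str]:
        """Return (verdict, reason): rules top to bottom, first match wins, else zone policy."""
        for i, rule in enumerate(self.rules):
            if rule.matches(src, dst, proto, dport):
                return rule.action, f"rule #{i + 1}"
        return self.zone_policy(src, dst), "zone policy"

    def verdict(self, src: str, dst: str, proto: Optional[str] = None,
                dport: Optional[int] = None) -> str:
        return self.trace(src, dst, proto, dport)[0]


def build_example_firewall() -> Firewall:
    """Default zones plus the Guest and DMZ zones configured as on this page."""
    fw = Firewall()
    fw.add_zone(Zone("guest", forward_from=frozenset({"lan"}), to_wan=True))
    fw.add_zone(Zone("dmz", to_wan=True))
    # Input rules for the case where the unit serves DNS/DHCP to guests.
    fw.add_rule(Rule("guest", FIREWALL, ACCEPT, proto="udp", dport=53))
    fw.add_rule(Rule("guest", FIREWALL, ACCEPT, proto="tcp", dport=53))
    fw.add_rule(Rule("guest", FIREWALL, ACCEPT, proto="udp", dport=67))
    # Constructed port forward (assumption): only TCP/443 from WAN reaches the DMZ.
    fw.add_rule(Rule("wan", "dmz", ACCEPT, proto="tcp", dport=443))
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    for flow in [("lan", "wan"), ("guest", "lan"), ("guest", FIREWALL, "udp", 53),
                 ("guest", FIREWALL, "tcp", 22), ("wan", "dmz", "tcp", 443),
                 ("wan", "dmz", "tcp", 22), ("dmz", "lan")]:
        print(flow, "->", fw.trace(*flow))
```

Because rules are matched top to bottom, a broad "Drop guest → firewall" rule placed above the DNS/DHCP allows would shadow them and guests would lose name resolution and addressing; `trace()` reports which rule decided a flow so that kind of ordering mistake is visible.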