Basic Gateway Configuration - Just to make sure

NethServer Version: NethServer release 7.3.1611 (Final)

Installed NS for the first time and so far looks great.
What I need is a firewall/gateway that will enable me to monitor client internet traffic and locate bandwidth hogs.
So I read and found NS with ntop.
So far installed and understood the red/blue/green terminology.
I have a server with 2 NICs:

I want to configure NS as a gateway so what I did is made the gateway of green NIC be the IP address of the red NIC.
Is that the right way to go?
Also when I want to open ports should I use the firewall rules or port forwarding or both?


To allow traffic from LAN to WAN or between zones.

To allow traffic from WAN to LAN.

Of course, it depends on your needs.


Thank you for the quick reply.
So I did something right :slight_smile:

Regarding the ports.
I want to open them from WAN to LAN so some systems like a CCTV camera can be accessed from the internet.
So I need to open the port in the port forwarding and open a generic rule like this:

Instead of just asking I just did something but I don’t understand the result.
I connected a PC with webserver to the green zone.
Then I created the firewall rule to accept any connection from red to green enabled it and save the settings.
Then I opened port 5656 and redirected it to port 80 on my PC.
And it worked: I was able to get to the web server from the internet.

What I did next was to delete the firewall rule and save the change, and yet I can still get to the webserver.
So what is the relation between port forwarding and the firewall?
The rules that I have at the moment are:

Hi, normally when You go internet > local You reach Your firewall (services page, to configure FW access); once the port forwarding is made, the firewall forwards packets to the internal machine, e.g. an ssh server behind the firewall. So no additional rule is needed, while the forward is making a small hole in the firewall. @GG_jr gave You a more complex answer. Cheers
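Since a port forward is a NAT entry rather than a filter rule, the way to audit which "small holes" exist is to read the nat table. The following is an added example, not code from the thread or from NethServer: a POSIX shell helper that extracts every DNAT forward from `iptables-save` text. The sample output is constructed (interface name and the 192.168.1.10 target are assumptions); on a live box you would pipe `iptables-save -t nat` into `list_forwards` instead.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output (NOT captured from the
# poster's system): one forward of TCP 5656 on the red NIC to 192.168.1.10:80,
# mirroring the forward described in the thread. eth0 is an assumed name.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5656 -j DNAT --to-destination 192.168.1.10:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# list_forwards: read iptables-save text on stdin and print one line per
# DNAT rule in the form "proto dport -> target". Lines without -j DNAT
# (policy headers, MASQUERADE, COMMIT) are ignored.
list_forwards() {
  awk '
    /-j DNAT/ {
      proto = "?"; dport = "?"; to = "?"
      for (i = 1; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "--to-destination") to = $(i + 1)
      }
      printf "%s %s -> %s\n", proto, dport, to
    }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_NAT" | list_forwards
```

Every line this prints is reachable from the red side regardless of what the red-to-green firewall rules say, which is why deleting the ACCEPT rule in the thread changed nothing.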

Thank you for the explanation.
One thing I noticed is that once clients know the IP address of the outer router, they can just manually put its IP as the gateway and skip the NS.
Do I need to prevent access to the Internet router with a FW rule?

Unless I miss something, if You have just one path to internet (client > nethserver > next router > internet) there is no problem with bypassing nethserver, as it always can filter the traffic. It would be important if there are two ways to internet "above" nethserver, but you're still able to filter traffic. But:
- not for all systems will a gateway outside the network work (AFAIK)
- in Your scenario (assume one way to internet) You can think about blocking just DNS other than nethserver. Maybe someone can give us another tip? Cheers.