Internet Gateway Networks on Zenconsole

The Internet Gateway Networks feature defines how mobile endpoint devices access the Internet through a designated Internet Access Gateway within a secure overlay network managed by Zenarmor.

Mobile endpoint devices running the Zenarmor Endpoint Application can join the organization’s secure overlay network. The endpoint application enables device enrollment and establishes connectivity within the defined Internet Gateway Network.

Once enrolled, each device is assigned an overlay IP address within the defined network range. Internet-bound traffic from these devices is routed through the configured Internet Access Gateway.

Figure 1. Internet Gateway Networks Page

When an Internet Access Network is configured:

  • Mobile endpoints connect to the defined overlay network

  • Devices receive an overlay IP address

  • All internet-bound traffic is routed through the selected gateway

  • Security inspection and policy enforcement can be applied centrally by Zenarmor

  • Outbound connections can be monitored and controlled according to defined access policies

The Internet Access Gateway functions as the secure internet egress point for enrolled mobile devices. This allows traffic originating from roaming devices to be routed through an organizational gateway where inspection and policy enforcement take place. As a result, mobile endpoints connecting from external or untrusted environments can maintain consistent security controls and visibility.

By routing traffic through a centrally managed gateway, Zenarmor enables you to maintain control over outbound connections, apply consistent policies across mobile endpoints, and monitor internet usage within the overlay network.

Creating Internet Gateway Networks

You can create an Internet Gateway Network by following these steps.

  1. Log in to Zenconsole.

  2. Select the organization that you want to manage.

  3. Navigate to Secure Networks → Internet Gateway Networks from the left navigation panel.

  4. Click on the + Create Overlay Network button. This will pop up a dialog box for overlay network settings.

    Figure 2. Creating Overlay Network

  5. Type a descriptive name for the Network Name.

  6. Type a descriptive name for the Network Slug.

  7. Specify the IPv4 Address Range in CIDR format.

    warning

    Please be aware that assigning a private IP address (such as RFC1918) may trigger DNS rebinding protection mechanisms in browsers and network security systems. This can lead to access being blocked or resolution failures occurring. Public DNS servers should not resolve to private IP ranges (for example, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

    If you need to use non-public addresses, there are two recommended approaches:

    1. Utilize CGNAT address space (100.64.0.0/10) instead of RFC1918 ranges. This can help avoid DNS rebinding protection issues while still allowing the use of non-public IPs.

    2. Set up your own private DNS server for internal resolution.

    Figure 3. Create Overlay Network Popup

  8. Enable This is an Internet Gateway Network to designate the network for the internet exit routing of mobile endpoints.

  9. Click the Create button.

  10. After creating the network, you will be redirected to the Internet Gateway Network configuration page, where gateway and mobile endpoint settings are defined.

  11. Under Internet Access Gateway, select the gateway that will handle internet-bound traffic for enrolled mobile endpoints. This gateway will act as the internet egress point for devices connected to this overlay network.

    Figure 4. Selecting Internet Access Gateway

  12. After selecting Internet Access Gateway, a configuration update notification will appear. Click Sync Now to apply configuration changes immediately across all connected instances.

    Figure 5. Configuration Updated - Sync Now

note

Only OPNsense gateways are supported as Internet Exit Gateways.

To configure an Internet Exit Gateway, an active OPNsense gateway must be connected to your organization. Other gateway types cannot be selected for Internet exit routing.

You may create multiple Internet Gateway Networks within your organization. You'll find a complete list of all your private networks conveniently displayed on the left side of the Internet Gateway Networks page, making management effortless and efficient.

Managing Peers

Zenconsole allows you to manage mobile endpoint devices connected to an Internet Gateway Network.

These devices are listed as peers and can be added, removed, viewed, or updated as needed.

Adding Mobile Endpoint Peers

You may add enrolled mobile endpoint devices to an Internet Gateway Network by following the steps below.

  1. Navigate to the Secure Networks → Internet Gateway Networks page of an organization on Zenconsole.

  2. Select the Internet Gateway Network to which you want to add a mobile endpoint.

  3. Locate the Peers section on the network configuration page.

  4. Click the + Add Mobile Endpoint button. This will display a list of available enrolled mobile devices in your organization. Use the Search field to quickly find a specific device if needed.

    Figure 6. Adding Mobile Endpoint

  5. Select the mobile endpoint you want to add.

  6. You may add as many endpoints as you want. All added mobile endpoints will appear in the Peers pane. A message box will appear at the bottom right of the page for configuration updates.

  7. After adding peers, a configuration update notification will appear. Click Sync Now to apply configuration changes immediately across all connected instances.

    Figure 7. Configuration Updated - Sync Now Popup

Removing Peers

Mobile endpoint peers can be removed from an Internet Gateway Network at any time.

  1. Navigate to the Secure Networks → Internet Gateway Networks page of an organization on Zenconsole.

  2. Select the relevant network from which you want to remove a peer.

  3. Locate the peer that you want to remove. You may use the search toolbox to find a peer.

  4. Click the Actions menu with the 3-dot icon. This will open a drop-down menu.

  5. Click the Remove button to delete the selected peer from the Internet Gateway Network. This will display a confirmation notification window.

    Figure 8. Removing Mobile Endpoint

  6. Click Remove to approve the peer deletion. A message box will appear at the bottom right of the page for configuration updates.

    Figure 9. Removing Mobile Endpoint Warning

  7. After removing peers, a configuration update notification will appear. Click Sync Now to apply configuration changes immediately across all connected instances.

    Figure 10. Configuration Updated - Sync Now

After removal, the device will no longer be part of the overlay network, and its traffic will not be routed through the configured Internet Exit Gateway.

Viewing Peers

All mobile endpoints added to an Internet Gateway Network can be viewed from the Peers section of the network configuration page.

Figure 11. Viewing Peers

The following details are displayed for each peer:

  • Device name

  • Slug

  • Overlay IP address

  • Actions menu

Peers can be sorted by device name or overlay IP address by clicking the relevant column header.

tip

You can sort peers by their names and IP addresses. Click on the Peers or Overlay IP column to arrange the peers in either ascending or descending order.

Updating Peer Settings

You can modify certain settings for peers within the network.

To update peer settings, follow the steps below.

  1. Navigate to the Secure Networks → Internet Gateway Networks page of an organization on Zenconsole.

  2. Select the network in which you want to update peer settings.

  3. Locate the peer in the Peers list.

  4. Click the Actions menu with the 3-dot icon. This will open a drop-down menu.

  5. Click Settings. From the settings panel, you can modify the assigned overlay IP address.

    Figure 12. Peer Settings

    Figure 13. Peer Settings - 2

  6. After making changes, a configuration update notification will appear. Click Sync Now to apply configuration changes immediately across all connected instances.

Searching Peers

The search field within the Peers section allows you to quickly locate a device.

Figure 14. Searching Mobile Endpoint

You can search by any of the following fields:

  • Device name

  • User email

  • Overlay IP address

The peers list will automatically filter based on the search input.

Managing User and Group Access

The Overlay Network Membership section allows you to control which users and groups are authorized to use this Internet Gateway Network.

By assigning users or groups to the network, you define whose enrolled mobile endpoint devices are permitted to route internet traffic through the configured Internet Exit Gateway.

Figure 15. Overlay Network Membership

When a user or group is added:

  • All enrolled mobile endpoint devices associated with that user are automatically authorized

  • Any future devices enrolled by that user are included automatically

This approach ensures consistent internet exit routing control without requiring manual device assignment.

Adding Users to an Overlay Network

To add users to an overlay network, you may follow the next steps.

  1. Navigate to the Secure Networks → Internet Gateway Networks page of an organization on Zenconsole.

  2. Select the Internet Gateway Network to which you want to add a user.

  3. Scroll down the page to reach the Overlay Network Membership section and locate the Users pane.

  4. Click the + Add User button. This will display available users in your organization. You may use the Search tool to find a specific user quickly.

    Figure 16. Adding User

  5. Select the user you want to add.

  6. Repeat these steps to add additional users. All added users are displayed in the Users pane.

    Figure 17. Approved Private Network Users

Removing Users from an Overlay Network

To remove a user from an overlay network, follow the steps below.

  1. Navigate to the Secure Networks → Internet Gateway Networks page of an organization on Zenconsole.

  2. Select the Internet Gateway Network from which you want to remove a user.

  3. In the Users pane under Overlay Network Membership, locate the user you want to remove.

  4. Click the X icon next to the user. This will display a confirmation notification window.

  5. Click Remove to delete the user from the overlay network.

    Figure 18. Delete User from Overlay Network

Adding Groups

To add groups to an overlay network, you may follow the next steps.

  1. Navigate to the Secure Networks → Internet Gateway Networks page of an organization on Zenconsole.

  2. Select the Internet Gateway Network to which you want to add a group.

  3. Scroll down the page to reach the Overlay Network Membership section and locate the Groups pane.

  4. Click the + Add Group button. This will display available groups in your organization. You may use the Search tool to find a specific group quickly.

  5. Select the group you want to add.

    Figure 19. Add Group to Overlay

  6. You may add as many groups as you want. All added groups will appear in the Groups pane.

Removing Groups

To remove a group from an overlay network, follow the steps below.

  1. Navigate to the Secure Networks → Internet Gateway Networks page of an organization on Zenconsole.

  2. Select the Internet Gateway Network from which you want to delete a group.

  3. In the Groups pane under Overlay Network Membership, locate the group you want to remove.

  4. Click the X icon next to the group. This will display a confirmation notification window.

  5. Click Remove to delete the group from the overlay network.

    Figure 20. Delete Group from Overlay

Deleting Internet Gateway Networks

To remove an Internet Gateway Network from your organization, follow the steps below.

  1. Navigate to the Secure Networks → Internet Gateway Networks page of an organization on Zenconsole.

  2. Select the private network that you want to delete.

  3. Scroll down to the Delete Overlay Network pane.

  4. Click the Delete Overlay Network button. This will display a confirmation dialog box.

    Figure 21. Delete Overlay-Network

  5. Type the network name to approve the removal of the private network.

    Figure 22. Delete Overlay Network Confirmation

  6. Click the Delete Overlay Network button. A message box will appear at the bottom right of the page for configuration updates.

  7. After deleting the overlay network, a configuration update notification will appear. Click Sync Now to apply configuration changes immediately across all connected instances.

    tip

    Deleting an Internet Gateway Network from your organization will also remove all users, groups, and peers from this overlay network.