[NEBULA] Best Practice for NSG behind router


All Replies

  • Zyxel_Chris
    Zyxel_Chris Posts: 727  Zyxel Employee
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 50 Answers
    The outbound rule which you mentioned should work, and thanks for your opinion; we should consider improving the firewall rules to be clearer on the inbound/outbound setting. Anyway, I will put this request in our idea section after the discussion.

  • flottmedia
    flottmedia Posts: 56  Ally Member
    First Answer First Comment Friend Collector Nebula Gratitude
    Regarding the setting discussed above: is there meanwhile a way to completely disable the firewall between specific subnets on LAN and WAN on an NSG100 (e.g. in the setting described above 192.168.2.0/24 on WAN and 192.168.10.0/24 on LAN) in order to gain more speed for network transfers? Although the WAN interface of the NSG100 seems to theoretically support 1Gbit/s, the max. transfer rates through the firewall seem to be restricted to around 100 MBit/s due to the firewall inspection, even if there are rules to allow all traffic between the specific two subnets.
  • Zyxel_Chris
    Zyxel_Chris Posts: 727  Zyxel Employee
    Hello @flottmedia
    According to our datasheet, the NSG100 can reach 450Mbps (UDP), not 1Gbps. As for TCP throughput, using the speedtest (with App Patrol, IDP detection (not active prevention) and Anti-virus enabled) I can reach 160Mbps, the same as in the datasheet. What is the current setting for NSS filtering?

    https://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=M-02505&md=NSG100

    Regards,
    Chris
  • flottmedia
    flottmedia Posts: 56  Ally Member
    Thanks for the clarification @Nebula_Chris. We thought this speed limitation stated in the datasheet was only based on the additional firewall processing, as the physical WAN-NIC should (according to the datasheet) have a GbE connection (=1 Gbps?). So, do I get the datasheet right, that there isn't currently any NSG product that is able to do 1Gbps from LAN <> WAN when (full) firewall processing is enabled? And regarding my original question: is there a way to selectively disable the packet inspection for traffic from / to specific subnets in order to at least reach the 450 Mbps?

  • Zyxel_Chris
    Zyxel_Chris Posts: 727  Zyxel Employee
    Hello @flottmedia,
    Yes, you are right, the hardware spec. is 1Gb, but in real-world applications you still need to consider the testing approach or traffic protocol. On the other hand, when the NSS service is enabled the device needs to analyze the packets, which will affect the throughput.
    The NSG300 can reach 950Mb (TCP) with IDP and firewall rule on.
    For your latest question: at the current stage we cannot apply IDP or Anti-Virus to a specific subnet. I can help move this request to the idea section. Because of the hardware limitation, if you want the throughput to reach 450Mbps, I would recommend using the NSG200 or 300, which have higher performance.

    /Chris
