[NEBULA] Best Practice for NSG behind router
All Replies
-
The outbound rule which you mentioned should work, and thanks for your opinion. We should consider making the firewall rule clearer on the inbound/outbound setting; anyway, we will put this request in our idea section after the discussion.
-
Regarding the setting discussed above: is there meanwhile a way to completely disable the firewall between specific subnets on LAN and WAN on an NSG100 (e.g. in the setting described above 192.168.2.0/24 on WAN and 192.168.10.0/24 on LAN) in order to gain more speed for network transfers? Although the WAN interface of the NSG100 seems to theoretically support 1Gbit/s, the max. transfer rates through the firewall seem to be restricted around 100 MBit/s due to the firewall inspection, even if there are rules to allow all traffic between the specific two subnets.
-
Hello @flottmedia
According to our datasheet, the NSG100 can reach 450Mbps (UDP), not 1Gbps. As for TCP throughput, using the speedtest (with App Patrol, IDP detection (not active prevention) and Anti-Virus enabled) I can reach 160Mbps, the same as in the datasheet. What is the current setting for NSS filtering?
https://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=M-02505&md=NSG100
Regards,
Chris
-
Thanks for the clarification @Nebula_Chris. We thought this speed limitation stated in the datasheet was only based on the additional firewall processing, as the physical WAN-NIC should (according to the datasheet) have a GbE connection (=1 Gbps?). So, do I get the datasheet right, that there isn't currently any NSG product that is able to do 1Gbps from LAN <> WAN when (full) firewall processing is enabled? And regarding my original question: is there a way to selectively disable the packet inspection for traffic from / to specific subnets in order to at least reach the 450 Mbps?
-
Hello @flottmedia,
Yes, you are right, the hardware spec. is 1Gb, but in real-world applications you still need to consider the testing approach or traffic protocol. On the other hand, when the NSS service is enabled the device needs to analyze the packets, which will affect the throughput.
The NSG300 can reach 950Mb (TCP) with IDP and firewall rule on.
For your latest question: at the current stage we cannot apply IDP or Anti-Virus to a specific subnet. I can help move this request to the idea section. Because of the hardware limitation, if you want the throughput to reach 450Mbps, we recommend using the NSG200 or 300, which have higher performance.
/Chris