USG FLEX 50H Auto VPN Limit (5 tunnels) – How to connect only selected sites in a 13-site Nebula net
We are currently using the Nebula platform to manage many of our sites. Some of these sites are still running OPNsense firewalls. Our long-term plan is to migrate all non-Zyxel firewall devices to Zyxel devices. For this reason, we recently purchased additional Zyxel devices for our organization.
For smaller sites, we plan to deploy the USG FLEX 50H with the Gold Security Bundle.
At the moment, our VPN environment consists of 13 different locations connected via site-to-site VPN in Auto mode. All VPN connections are currently managed through the Nebula platform, although some of the sites are still using OPNsense devices.
The challenge we are facing is related to the VPN connection limit of the new USG FLEX 50H series. These devices support a maximum of 5 VPN connections. However, our current network includes 13 locations. When we configure Auto VPN, the device attempts to establish connections to all available sites one by one. In practice, this is not necessary for our network design.
In our case, it would be sufficient if certain sites could connect only to specific locations instead of establishing connections with every site in the network.
Therefore, we would like to ask the following questions:
- Is it possible to add new USG FLEX 50H devices to our existing VPN environment without changing the current VPN topology?
- Within the Auto VPN configuration, is it possible to control which sites connect to each other? In other words, instead of each device automatically creating VPN connections to all 13 locations, can we configure the USG FLEX 50H to establish VPN connections only with selected sites?
Ideally, we would like to integrate these new devices into our Nebula-managed network while limiting their VPN connections only to the required locations.
We would appreciate your guidance on whether this type of configuration is supported and what the recommended approach would be.
All Replies
Hi @issac
I noticed you also opened a ticket with us.
About the questions here:
Question 1: Adding USG FLEX 50H Without Changing Current Topology
This presents a challenge. Your current Auto VPN (Mesh) topology automatically attempts to establish connections to all sites in the network. Since the USG FLEX 50H supports a maximum of 5 VPN tunnels, adding it directly into a 13-site mesh environment would cause the device to exceed its tunnel limit, as it would attempt to connect to all available sites.
Therefore, adding the FLEX 50H to the existing Auto VPN mesh without any topology changes is not recommended, as it would likely result in unstable or incomplete VPN connectivity for those devices. The USG FLEX 100H supports up to 50 VPN tunnels. This includes Nebula and non-Nebula Site-to-Site VPNs as well as IKEv2 Remote Access Client VPNs, so it is more suitable for your scenario.
Question 2: Controlling Which Sites Connect to Each Other in Auto VPN
In the standard Auto VPN configuration, it is not possible to selectively limit which sites connect to each other — the mesh is established automatically across all participating sites. Instead, you need to set the VPN topology to Hub-and-Spoke. Under Hub & Spoke, each site (spoke) only establishes a tunnel to the hub, not to every other site. But please note that the limitation is then the model of the hub-site firewall.
Hope this helps.
Zyxel Melen0
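As an added example (not code from the original thread or from Zyxel), the following Python check works out how many tunnels each site must hold under the Auto VPN mesh versus Hub & Spoke and flags the sites whose model cannot hold them. The 5-tunnel and 50-tunnel limits are taken from the reply above; the site names, the choice of HQ on a FLEX 100H, and the `reserved` bookkeeping for tunnels already used by other VPN types are assumptions.

```python
"""Capacity check for a Nebula site-to-site VPN topology.

Added example, not Zyxel's or the forum's code. Tunnel limits per model are the
figures quoted in the thread; site names and model assignment are constructed.
"""

# Assumed per-model limits (from the reply: 50H = 5 tunnels, 100H = 50 tunnels).
TUNNEL_LIMITS = {"USG FLEX 50H": 5, "USG FLEX 100H": 50}


def required_tunnels(sites, topology, hub=None):
    """Return {site: number of site-to-site tunnels it must hold}."""
    n = len(sites)
    if topology == "mesh":
        # Auto VPN mesh: every site builds a tunnel to every other site.
        return {s: n - 1 for s in sites}
    if topology == "hub-and-spoke":
        if hub not in sites:
            raise ValueError("hub must be one of the sites")
        # Each spoke holds one tunnel (to the hub); the hub holds one per spoke.
        return {s: (n - 1 if s == hub else 1) for s in sites}
    raise ValueError(f"unknown topology {topology!r}")


def over_limit(models, topology, hub=None, reserved=None):
    """Return {site: (tunnels needed, model limit)} for sites that would exceed
    their limit. `reserved` counts tunnels already consumed by other VPN types
    (e.g. remote-access clients), since the reply says those share the limit."""
    reserved = reserved or {}
    needed = required_tunnels(list(models), topology, hub)
    result = {}
    for site, model in models.items():
        total = needed[site] + reserved.get(site, 0)
        if total > TUNNEL_LIMITS[model]:
            result[site] = (total, TUNNEL_LIMITS[model])
    return result


# Constructed sample: 13 sites, HQ on a FLEX 100H, twelve branches on FLEX 50H.
SITES = {"HQ": "USG FLEX 100H",
         **{f"branch-{i:02d}": "USG FLEX 50H" for i in range(1, 13)}}

if __name__ == "__main__":
    for topo, hub in (("mesh", None), ("hub-and-spoke", "HQ")):
        bad = over_limit(SITES, topo, hub)
        print(f"{topo:14s} -> {len(bad)} site(s) over limit: {sorted(bad)}")
```

Running it shows all twelve FLEX 50H branches over their limit in the mesh and none in Hub & Spoke with the FLEX 100H as hub; moving the hub onto a 50H branch makes that branch fail instead, which is the hub-model limitation the reply points out.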