[NEBULA] NSG 300 inbound limit firewall virtual server rules limit

vivrml

The NSG200 only provides 100 inbound virtual server rules which is not sufficient for us, how many are available on the NSG300 as we may need to  purchase one of those instead

Zyxel_Jonas

Hi @vivrml,

About the inquiry for virtual server limitation, both NSG200 & NSG300 maximum are 100 rules.
I would like to reminder that virtual server service port could configure a range of port by using "-" (dash) symbol and based on our experience this method is the solution when encountering for more than 100 rules.

If the solution doesn't help, may you shared your scenario/application to us and  provide your org/site name with Zyxel support enabled located at HELP > Support request.

Thanks.
Jonas

vivrml

Hi
We have servers running vm guests, each of the guests is accessed by the end users via the rdp software we use.
ports are mapped to 3389 locally on each guest.So 3389 to 3389 machine 1, 3390 to 3389 machine 2, etc.
Each guest is a separate organisation and so is provided a unique port for their use.
Your help in this regard would be much appreciated as we do not wish to give up on Nebula

Zyxel_Jonas

Hi @vivrml,

Thanks for sharing the scenario.
According to the description, 100 rules are enough to achieve the goal.
Or is there any other concern?

Jonas,

vivrml

Hi

The gigabit link linked to the NSG has the capacity to enable us to link more than 100 clients, unfortunately because of the web gui limitations we cannot use the full capacity of the link. We therefore have users connecting via a USG60 on a FTTP link because we cannot put them through the NSG200.
I have had conversations with support who told me this is not a limitation of the device but an arbitrary limit place on the website and the answer is to move away from NSG devices and avoid the flex link when that is released. Flex will also nobble the device by limiting the amount of inbound rules.
So the answer appears to be that we move to the best available local gui managed USG device and only use Nebula for smaller installations

Zyxel_Jonas

Hi @vivrml,

Thanks for sharing information to us.
I would like to inform that the NSG were designed with certain commonalities features to USG, and more friendly to configure (not complex).
Back to the main subject for virtual server,  we had discussion again, and the solution for your scenario is to add a rule one by one. And the "-" (dash) feature might not be the solution for yours, it's for the scenario which only has 1 server for multiple services.

According to your scenario, I assume that it is a "work from home" scenario, am I right? If yes, I would recommend to use l2tp VPN.

Additional information for NSGs, as below:
NSG50:
Recommend of users: 1 ~ 10
Maximum TCP concurrent session: 20,000

NSG100 - 
Recommend of users: 1 ~ 25
Maximum TCP concurrent session: 40,000

NSG200 -
Recommend of users: 25 ~ 50
Maximum TCP concurrent session: 80,000
 
NSG300 -
Recommend of users: 50 ~ 200
Maximum TCP concurrent session: 500,000

Hope it helps,
Jonas

vivrml

Thankyou ever so much for the response
That is also as support informed us, unfortunately the limit on inbound rules within the web interface  means the Nebula solution is a no go for us, however the local USG route should work fine.
It is a pity as we had grown to really like the Nebula interface.
They informed us that the Flex interface will also have the same limitations so it is local management only
We'll now source a USG box and move forward

Zyxel_Jonas

Hi @vivrml,

You are very welcome.
Very appreciate for the suggestion and comment, your insights are incredibly valuable and will help us make sure we serve you and other customer a better experience. 

I'll also create a post to idea section for this case to monitor comments and likes of this post.

Jonas