[NEBULA] NSG 300 inbound limit firewall virtual server rules limit

vivrml Posts: 16  Freshman Member
edited April 2021 in Nebula
The NSG200 only provides 100 inbound virtual server rules, which is not sufficient for us. How many are available on the NSG300, as we may need to purchase one of those instead?

All Replies

  • Zyxel_Jonas
    Zyxel_Jonas Posts: 313  Zyxel Employee
    Hi @vivrml,

    Regarding the inquiry about the virtual server limitation, the maximum for both the NSG200 and NSG300 is 100 rules.
    I would like to remind you that the virtual server service port can be configured as a range of ports by using the "-" (dash) symbol, and based on our experience this method is the solution when more than 100 rules are needed.

    If the solution doesn't help, could you share your scenario/application with us and provide your org/site name with Zyxel support enabled, located at HELP > Support request?

    Thanks.
    Jonas
  • vivrml
    vivrml Posts: 16  Freshman Member
    Hi,
    We have servers running VM guests; each of the guests is accessed by the end users via the RDP software we use.
    Ports are mapped to 3389 locally on each guest. So 3389 to 3389 machine 1, 3390 to 3389 machine 2, etc.
    Each guest is a separate organisation and so is provided a unique port for their use.
    Your help in this regard would be much appreciated, as we do not wish to give up on Nebula.
  • Zyxel_Jonas
    Zyxel_Jonas Posts: 313  Zyxel Employee
    Hi @vivrml,

    Thanks for sharing the scenario.
    According to the description, 100 rules are enough to achieve the goal.
    Or is there any other concern?

    Jonas
  • vivrml
    vivrml Posts: 16  Freshman Member
    Hi,

    The gigabit link linked to the NSG has the capacity to enable us to link more than 100 clients; unfortunately, because of the web GUI limitations, we cannot use the full capacity of the link. We therefore have users connecting via a USG60 on an FTTP link because we cannot put them through the NSG200.
    I have had conversations with support, who told me this is not a limitation of the device but an arbitrary limit placed on the website, and the answer is to move away from NSG devices and avoid the flex link when that is released. Flex will also nobble the device by limiting the amount of inbound rules.
    So the answer appears to be that we move to the best available local GUI-managed USG device and only use Nebula for smaller installations.
  • Zyxel_Jonas
    Zyxel_Jonas Posts: 313  Zyxel Employee
    Hi @vivrml,

    Thanks for sharing the information with us.
    I would like to inform you that the NSG was designed with certain features in common with the USG, and to be more friendly to configure (not complex).
    Back to the main subject of the virtual server: we had a discussion again, and the solution for your scenario is to add the rules one by one. The "-" (dash) feature might not be the solution for you; it's for the scenario which only has 1 server for multiple services.

    According to your scenario, I assume that it is a "work from home" scenario, am I right? If yes, I would recommend using L2TP VPN.

    Additional information for the NSGs is below:

    NSG50:
    Recommended users: 1 ~ 10
    Maximum TCP concurrent sessions: 20,000

    NSG100:
    Recommended users: 1 ~ 25
    Maximum TCP concurrent sessions: 40,000

    NSG200:
    Recommended users: 25 ~ 50
    Maximum TCP concurrent sessions: 80,000

    NSG300:
    Recommended users: 50 ~ 200
    Maximum TCP concurrent sessions: 500,000

    Hope it helps,
    Jonas
  • vivrml
    vivrml Posts: 16  Freshman Member
    Thank you ever so much for the response.
    That is also as support informed us. Unfortunately, the limit on inbound rules within the web interface means the Nebula solution is a no go for us; however, the local USG route should work fine.
    It is a pity, as we had grown to really like the Nebula interface.
    They informed us that the Flex interface will also have the same limitations, so it is local management only.
    We'll now source a USG box and move forward.
  • Zyxel_Jonas
    Zyxel_Jonas Posts: 313  Zyxel Employee
    Hi @vivrml,

    You are very welcome.
    We very much appreciate the suggestion and comment; your insights are incredibly valuable and will help us make sure we give you and other customers a better experience.  ;)

    I'll also create a post in the idea section for this case to monitor comments and likes of this post.

    Jonas