[NEBULA] Best Practice for NSG behind router


All Replies

  • Nebula_Chris Zyxel Official Agent Posts: 287  mod
    The outbound rule which you mentioned should work, and thanks for your opinion; we should consider making the firewall rule clearer on the inbound/outbound setting. Anyway, I will put this request in our idea section after the discussion.

    Chris
  • flottmedia Member Posts: 54  Ally Member
    Regarding the setting discussed above: is there meanwhile a way to completely disable the firewall between specific subnets on LAN and WAN on an NSG100 (e.g. in the setting described above, 192.168.2.0/24 on WAN and 192.168.10.0/24 on LAN) in order to gain more speed for network transfers? Although the WAN interface of the NSG100 theoretically seems to support 1 Gbit/s, the max. transfer rates through the firewall seem to be restricted to around 100 Mbit/s due to the firewall inspection, even if there are rules to allow all traffic between the two specific subnets.
  • Nebula_Chris Zyxel Official Agent Posts: 287  mod
    Hello @flottmedia
    According to our datasheet the NSG100 can reach 450 Mbps (UDP), not 1 Gbps. As for TCP throughput, using the speedtest (with App Patrol, IDP detection (not active prevention) and Anti-Virus enabled) I can reach 160 Mbps, the same as in the datasheet. What is the current setting on NSS filtering?

    https://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=M-02505&md=NSG100

    Regards,
    Chris
  • flottmedia Member Posts: 54  Ally Member
    Thanks for the clarification @Nebula_Chris. We thought this speed limitation stated in the datasheet was only based on the additional firewall processing, as the physical WAN NIC should (according to the datasheet) have a GbE connection (= 1 Gbps?). So, do I read the datasheet right that there isn't currently any NSG product that is able to do 1 Gbps from LAN <> WAN when (full) firewall processing is enabled? And regarding my original question: is there a way to selectively disable the packet inspection for traffic from/to specific subnets in order to at least reach the 450 Mbps?

  • Nebula_Chris Zyxel Official Agent Posts: 287  mod
    Hello @flottmedia,
    Yes, you are right, the hardware spec. is 1 Gb, but in real-world application you still need to consider the testing approach and the traffic protocol. On the other hand, when the NSS service is enabled the device needs to analyze the packets, which will affect the throughput.
    The NSG300 can reach 950 Mb (TCP) with IDP and the firewall rule on.
    For your latest question, at the current stage we cannot apply IDP or Anti-Virus to a specific subnet; for this request I can help to move it to the idea section. Because of the hardware limitation, if you want the throughput to reach 450 Mbps, I would recommend using the NSG200 or 300, which have higher performance.

    /Chris