We disassemble the NSG200 Nebula Security Gateway router. Inside and outside view

With the introduction of self-isolation, a rather interesting piece of hardware from Zyxel has settled in at my home and is waiting for the work restrictions to be lifted.

With the owner's permission, in this article we will look not only at the functionality but also take apart the NSG200 Nebula Security Gateway router.



This is equipment geared entirely towards software-defined networking (SDN), in which the control layer is handled through the nebula.zyxel.com portal.

Let's take a closer look at how the NSG200 is controlled and what is under its cover.

Control


Connect the router to your computer and enter 192.168.1.1 in the browser, and you will be taken to the web interface. After you log in with the username and password admin / 123456, it will require you to change the password to something more reliable.



After changing the password, you get to the main interface, where you will see ... yes, practically nothing:



In fact, you can configure only the Internet connection so that the NSG200 can connect to the Nebula control node.



Nebula is where all the functionality of a full-fledged, powerful router (VPN, intrusion detection, content filter, etc.) becomes available.

Is NSG Useless Without Nebula?


Zyxel Nebula is a system proven over years. A huge number of companies buy equipment that can be managed through nebula.zyxel.com.

But what if you are paranoid, and management has purchased two hundred of these devices?



Then a full command line interface (CLI) will come to your aid.



Through it, you can access all the functionality of this device. It seemed to me that through the CLI you can get even more than through Nebula, since you can organize automatic control of routers through Ansible.

Still, this device is designed to be controlled from a central node, so I do not see the point of covering the CLI features in this article.

Register NSG200 at Nebula.Zyxel.com


First, make sure that the Nebula server addresses are reachable from the network that will be used as the WAN on your router.



Then, if you have not done so already, create an account, an organization and sites. Keeping a logical organizational structure helps a lot in administration. Then we add our devices to the site.



Devices are registered by serial number and MAC address.



I had a question: can someone “steal” control of a device in Nebula? I quickly created another account and tried to add the same router.



No such luck! If the device is bound to your account, even if it is not assigned to a site, nobody else will get control over it. If you need to hand it over to another person, the router can be unbound from the account. Very similar to iCloud.

After binding to the control center, a single password is set on all devices of the site, and you can view or change it here:



And what if the Internet is gone?


Someone may ask what to do if you urgently have to change providers, but the administrator has not given you access to the Nebula interface. An unlikely situation, but still worth attention.

I personally see the following solution: reset to factory settings, go to the web interface and configure the new connection.

Once it sees the Nebula server, the router will pull down its old settings.

What can be controlled through Nebula.Zyxel.com


Yes, almost all the functionality!



Configure the local area network? Easy!



Tighten the screws on the firewall? Or restrict specific applications and services? Three clicks.



A well-established content filter is also available:



The NSG200 can also serve as a HotSpot controller.

You can set up a "Captive portal" (authorization page) for any network participants. That is, you can use any Wi-Fi access points for the hotspot and still get client identification.



For example, place all Wi-Fi access points and guest computers in a VLAN (say, VLAN 55) and redirect it to the authorization page.

By the way, the Captive portal can be used to force a page (for example, a corporate portal) to be displayed when opening a browser even on a non-domain device!

VPN


To join offices into one local network, it is enough that at least one router has a public static IP address. You mark that router as the server. It is also easy to move the VPN server role to another router. For example, if the link in one office has problems, you can transfer the server function to a router in another office with stable Internet.



Choose the local network that is allowed to reach the remote offices and click save.

Deploying a new branch in another city or office is not much harder. The head of the office buys any Nebula-capable model in a local store, for example the NSG50, plugs the provider's cable into the WAN port and sends the administrator a photo of the MAC address and serial number of the router. If the provider does not hand out the connection via DHCP (which is rare today), you need to go to the web interface and configure the connection for the specific provider. Everything else will be done by the system administrator of the central office.

What is inside?


The router is, in essence, the heart of the corporate network. It often serves not only as a “dumb NAT box” but also carries other important functions of a small organization, such as controlling access to the Internet, firewall, VPN, etc. It can even act as a Wi-Fi access point controller.

A quick replacement is often possible only with an identical device, and only if there is a backup config. For this reason, the hardware requirements are very high.

The exterior has an unusual design. Rack-mount “ears” are included for installation in a standard rack.



The case metal is very thick. It seems to me that the strength of the case and “ears” is higher than that of other vendors' devices that I have handled in my practice. I think you could put a 1U server on top of it.

Other angles





Under the hood we are met by a rather massive heatsink.



Between the CPU and the heatsink there is a thick thermal pad.



The processor:



OCTEON II CN6230-1000BG900-AAP

This is a four-core MIPS64 processor from Marvell. Its memory controller runs at 1600 MHz.

Nanya NT5CC128M16JR-EK chips are used as RAM.



Each chip has 2 Gb and is rated for 1866 MHz.

There are 4 of them in this model, but the memory bandwidth is limited by the processor to 1600 MHz. We can say that the memory is installed with a safety margin.

An interesting decision is to install the 4 Gb of NAND memory from Micron as a separate board.



The memory controller is a PS2251-50-F from the Taiwanese manufacturer Phison.



I can assume that Zyxel took into account the fact that NAND-memory and its controller are the weakest link (for obvious reasons) in this assembly and made it removable. Thus, the repair of this router in the service center most often will consist in uploading new firmware to this flash drive and inserting it into the connector on the board.

The network interfaces are handled by a Realtek RTL8370MB, which its specification describes as an 8+2-port managed switch.



The port transformer modules themselves come from the American company Bothhand.



Each G2PM109N2 module is designed to serve two ports.

Conclusion


No matter how much conservative-minded admins resist, SDN keeps developing and attracting more and more supporters.

Thanks to Zyxel's Nebula implementation, launching and servicing a corporate network becomes significantly faster.

Moreover, you can save significantly on highly qualified IT personnel, since local admins only need to mount the devices and connect the cables. The rest will be done by the administrator from the head office.

Another useful perk: no need to worry about backing up configs. They are all stored in Nebula. If lightning strikes the router, just throw out the old one, mount a new one on the wall or in the cabinet, and add the new router to the same site in Nebula. That's all!

I leave the quality of the components and assembly for you to evaluate.

But my opinion is that this router is very well built and the manufacturer did not skimp on components.

The “cheap and slow” approach is not always what modern business needs. Most often, the speed of opening branches can play a significant role in the entire business.

Therefore, a business should clearly understand for itself what suits it: fast and reliable, or cheap and slow ...

PS: I invite you to discuss this article and ask other questions about Zyxel equipment in Telegram chat @zyxelru
