Topic: Using NVR1750 Directly to the Internet

Offline dgarcia

Using NVR1750 Directly to the Internet
« on: September 16, 2009, 06:15:23 PM »
Hi,
I have an NVR1750 that has an interface directly connected to the Internet via a network cable given by the ISP via GPON. No router or firewall before me.

I'm now seeing a lot of port scanning on the VPN router, and more often than not, I'm experiencing resource starvation. Using the Nortel VPN router calculator, I got that the maximum number of connections I can set without consuming all my RAM is 20,000 connections, and often the NVR is claiming that it has run out of TCP/IP connections, the RAM gets to 90% used and I can't reach the DNS from my VPN router due to resource starvation.
Is there any mechanism that can help me here? I have even set up malicious scan detection, but that doesn't seem to help much.

Do I need to put another device in front of the VPN router, or is it just the wrong equipment to handle my network traffic?

Thanks!

Dan.-


Online Michael McNamara

Re: Using NVR1750 Directly to the Internet
« Reply #1 on: September 16, 2009, 07:01:44 PM »
Hi Dan,

How many users are accessing the Internet and how heavy is the traffic flow?

That box should be able to service quite a few users unless your users are abusing the network with a lot of P2P type applications which can quickly starve a perimeter device.

Cheers!
If you've found this site useful and helpful, please help me spread the word. Link to us in your blog or homepage or Tweet about us! - Thanks!

Offline dgarcia

Re: Using NVR1750 Directly to the Internet
« Reply #2 on: September 16, 2009, 10:30:40 PM »
Well, let's see.
It's a hotel implementation, where there are about 20-30 staff people using the Internet, and the same equipment will serve Internet to the guests. It's a start-up hotel, so they have maybe 10-15 guests. Still, this is happening very randomly.
I've tried to look at the logs, but have to admit that the logs on the NVR are pretty confusing, especially if you log much and with much detail. Any pointers in that area?

Dan.-

Online Michael McNamara

Re: Using NVR1750 Directly to the Internet
« Reply #3 on: September 16, 2009, 10:53:46 PM »
I won't disagree with you in saying yes the logs can be confusing and cryptic.

While the product can do what you're asking, it was primarily designed as a VPN end-point. When you say that you have problems, can you describe those better? Are you unable to ping your next-hop (the Internet Service Provider)? Or are you having DNS issues, which can look like a connectivity problem?

I wouldn't advise using the built-in DNS server for anything more than a few devices. I would suggest that you either deploy your own internal DNS provider or just configure your clients (DHCP) to point to your Internet Service Provider's DNS servers. That should help the memory utilization on your VPN router. Now I'm guessing that if you're doing NAT (Network Address Translation) you're probably going to run out of NAT address table space before you run out of 20,000 TCP connections.

What version of software is the NVR running?

Good Luck!
Offline dgarcia

Re: Using NVR1750 Directly to the Internet
« Reply #4 on: September 24, 2009, 10:35:31 PM »
Ok, let's see... much stuff happened since I last wrote about this:

1. We decided to take the DHCP and DNS Proxy roles out of the NVR. Still the problem persisted.

2. We then decided to enable VLAN routing on the 5530 for each VLAN, put the NVR on a different VLAN, and make it the default gw of the ERS5530, so only the Internet traffic would actually hit the NVR. No luck yet.
That was yesterday (Wed) and at 9am the VPN router gave an alarm of "Max Connection Reached". When that happens, all the things the VPN has to contact (DNS servers, SNMP traps, etc.) also give an alarm (which seems kind of logical).

3. I decided to lower the number of connections a bit, to 15,000, to avoid the "above 75% of memory used" alarm, which worked fine. Still getting the "Max Connection Reached" alarm. When that happens, Internet traffic gets very, very choppy. You have to try several times for a link to connect. When it connects, no problem. You can even download at full speed.

4. We finally decided to install a demo of Nortel VPFM and run it to see what's going on. Today was a local holiday, and I didn't see a problem there (I VPN'ed in). Let's see how it behaves/detects tomorrow, a working day.
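
Added example, not part of the original thread: one way to tell whether a "Max Connection Reached" condition like the one discussed above comes from inbound scanning or from a few internal hosts is to summarise a snapshot of the connection table by source. The CSV columns, the `SYN` state label, the `10.0.0.0/8` internal prefix and every address below are constructed for illustration and are not NVR output.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed LAN prefix

def constructed_sample():
    """Constructed connection-table snapshot (20 entries), not real device output."""
    rows = ["src,dst,dport,state"]
    # External host probing many ports on the public interface (scan-like).
    rows += [f"203.0.113.50,192.0.2.1,{p},SYN" for p in range(20, 30)]
    # Internal host holding many peer connections (P2P-like).
    rows += [f"10.0.20.15,198.51.100.{i},6881,ESTABLISHED" for i in range(1, 9)]
    # Ordinary browsing from two other internal hosts.
    rows += ["10.0.20.30,198.51.100.200,443,ESTABLISHED",
             "10.0.20.31,198.51.100.201,443,ESTABLISHED"]
    return "\n".join(rows)

def summarise(text, internal=INTERNAL, min_targets=5, min_half_open=0.8):
    internal_load = Counter()      # table entries held per internal host
    targets = defaultdict(set)     # external src -> {(dst, dport)} touched
    half_open = Counter()          # external src -> entries still in SYN
    seen = Counter()               # external src -> all entries
    total = 0
    for row in csv.DictReader(io.StringIO(text)):
        total += 1
        src = row["src"]
        if ipaddress.ip_address(src) in internal:
            internal_load[src] += 1
            continue
        seen[src] += 1
        targets[src].add((row["dst"], row["dport"]))
        if row["state"] == "SYN":
            half_open[src] += 1
    # Scan-like: one outside source, many distinct targets, mostly half-open.
    suspects = sorted(s for s in seen
                      if len(targets[s]) >= min_targets
                      and half_open[s] / seen[s] >= min_half_open)
    inbound = sum(seen.values())
    return {"total": total, "inbound": inbound, "outbound": total - inbound,
            "scan_suspects": suspects,
            "top_internal": internal_load.most_common(3)}

if __name__ == "__main__":
    for key, value in summarise(constructed_sample()).items():
        print(f"{key}: {value}")
```

If inbound half-open entries dominate, filtering in front of the device is the lever; if a handful of internal hosts hold most of the table, per-host connection limits or traffic policy matter more than the global connection ceiling.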