| At a glance | |
|---|---|
| Product | Zyxel VPN Firewall (ZyWALL 110) [Website] |
| Summary | Fast, multi-WAN VPN firewall / router with Gigabit ports and IPsec, L2TP and SSL tunnels. |
| Pros | • High VPN throughput • IPsec, L2TP and SSL VPN • USB WWAN support • Easy to use firewall |
| Cons | • Manual lacks configuration examples |
Typical Price: $0 Buy From Amazon
Introduction
Updated 1/22/14: Windows 8 SSL works
ZyXEL’s ZyWALL VPN Firewalls are focused, “business-grade” devices designed for high throughput VPN and secure network connectivity. Many network security devices provide multiple security features in addition to VPN tunnels and firewall such as anti virus, Intrusion Prevention/Detection, content filtering, and so on. The ZyWALL’s primary function is to be VPN router and a firewall, with lots of speed! Toward that end, ZyXEL has equipped them multi-core CPUs and fine-tuned the firewall for “uncompromising performance”.
The three models of the ZyWALL VPN Firewall are the 110, 310 and 1100. The 110 supports up to 100 IPsec VPN tunnels, 25 SSL VPN tunnels and is rated for firewall throughput of 1,000 Mbps. The 310 supports up to 200 IPsec VPN tunnels, 50 SSL VPN tunnels, and is rated for firewall throughput of 2,000 Mbps. The 1100 supports up to 1,000 IPsec VPN tunnels, 250 SSL VPN tunnels, and is rated for firewall throughput of 8,000 Mbps. In this review, I’m going to take a look at the ZyWALL 110.
The ZyWALL 110 measures 11.81″W x 7″D x1.73″H and is enclosed in a metal case. Brackets for rack mounting and adhesive rubber feet for desk mounting are included. The power supply on the 110 is external. There is an internal cooling fan, so it is not silent, although the fan noise isn’t that loud. The front of the 110 is where you’ll find all the Ethernet ports, the USB ports, and the indicator lights, as shown below.
Front View
On the rear of the 110 is the console port, a compact flash card slot, the exhaust fan vent, the power connector, and a Kensington locking port, shown below.
Rear View
Inside
Looking at the main board inside the 110, shown below, you can see the case could be made smaller, as the main board only fills just over half of the case bottom. Underneath the large heatsink is a Cavium CN6230 quad-core 1GHz CPU, supported by 512 MB Flash and 1 GB RAM. The Ethernet component is a Realtek RTL8370M Gigabit Ethernet chip.
Main Board
Features
Below are key features on the ZyWALL 110 as listed on ZyXEL’s VPN Firewall product page.
Physical
- (7) 10/100/1000 RJ-45 ports – 2 WAN, 1 OPT, 4 LAN/DMZ
- (2) USB ports
Firewall
- Throughput rating = 1000Mbps
- Max concurrent session rating = 60,000
- SPI and Zone based firewall
- SIP/H.323 NAT Traversal
- Customizable ALG
- Unlimited user licenses
- User-aware policy controls
VPN
- Throughput rating = 300Mbps
- Max concurrent IPsec VPN tunnels = 100
- Max concurrent SSL VPN users = 25
- IPsec, SSL, L2TP VPN capability
- AES, 3DES, DES VPN encryption
- SHA2, SHA1, MD5 authentication
Networking
- Multi-WAN
- Virtual Interfaces
- IPv6 support
- 802.1q VLAN (tagging)
- Policy-based Routing and NAT
- Supports RIPv1/v2, OSPF
- Session and Bandwidth controls/prioritization
- Local, LDAP and RADIUS authentication
- 3G WWAN Card support
- Device High Availability
Menu/Configuration
The ZyWALL 110 GUI provides four main tabs on the left for a dashboard, monitor options, configurations, and maintenance. Below is a screen shot of the main dashboard that displays device info, system status, system resource, interface status, firewall rules, logs and USB status.
A neat feature in the Dashboard is you can hover over the image of each port on the router and you’ll get a pop up window with the status, speed, and IP address on each active interface. Also of note, you can see in the screenshot in the “Latest Alert Logs” pane, someone from 101.64.235.75 is trying to hack into my ZyWALL (and failing) and it is issuing a log message of “Failed login attempt…”.
Dashboard
The Configuration tab is obviously where configurations are applied. Inside the configuration tab, there are nine configuration menus, each with one or more sub-menus, each with one or more tabs to display various options. In the table below, I’ve listed the nine configuration menus and their sub-menus.
ZyWALL 110 Menu Tree
For example, in the configuration for Objects, under User/Group, there are three tabs for User, Group, and Setting as shown below.
User Menu
There is certainly a tremendous amount of configuration options in the ZyWALL 110. Clicking help will bring up searchable information about each configuration option. There is also a 562 page manual that can be downloaded from ZyXEL’s website. It would be nice if there were more configuration examples in the manual, specifically for VPN configuration. In my opinion, the ZyWALL 110, even with all of its options, isn’t that difficult to configure. But it might be a bit intimidating if you haven’t worked on a small business router / firewall before.
Networking
There are seven 10/100/1000 Ethernet ports on the ZyWALL 110. Two of the ports are labeled and dedicated as WAN ports. One of the ports is labeled OPT. This port can be configured as an external, i.e.WAN port, or as an internal port with any of the internal interface types, i.e. LAN1, LAN2, WLAN, or DMZ. The other four ports are internal ports and can be configured with any of the internal interface types. There is a different firewall zone for each of the port types and a different subnet for each of the internal port types.
There are two dedicated WAN ports on the ZyWALL 110. Failover between WAN ports worked automatically. With both WAN ports enabled, I ran a continuous ping to google.com and deactivated one of the WAN ports. The router dropped one ping packet before it failed over to the backup WAN port and resumed connectivity. Re-activating the down WAN port was seemless and a traceroute confirmed traffic resumed using the primary interface.
As mentioned, failover is automatic. Surprisingly, there didn’t appear to be a simple option to designate which WAN port was primary or secondary. It’s possible I could have set that up with the ZyWALL 110’s policy routing feature. But that seems to be a bit complicated for such a simple task.
There are two USB ports on the front of the device. They can be used to connect a 3G USB card as WWAN interface, which is a great idea for further network redundancy. ZyXEL lists 27 supported 3G USB cards on the 3G Card Support section of this page, most of which are made by Huawei, with a few Sierra cards thrown in.
The USB ports can also be used to connect a storage device to save system logs or device diagnostic information. The USB ports cannot be used for network file sharing. I connected several USB thumb drives and all were detected and available to save log files, an example shown below.
USB
802.1q VLAN interfaces can be setup on the physical interfaces, along with a DHCP server per VLAN. I successfully setup one of the LAN ports with two VLANs, connected it to a trunk port on a switch, and was able to receive an IP address from each VLAN’s DHCP server.
VLAN
Bandwidth utilization can be controlled on the through the ZyWALL’s interfaces by creating bandwidth policies. Below, I’ve created a simple policy to limit iperf traffic to only 128 Kbps as it travels through any interface on the ZyWALL. Before I applied the policy, I ran an iperf test between two PCs at 382 Mbps. Once I applied the policy, my iperf test between my two PCs was 123 Kbps, validating the ZyWALL’s bandwidth capability.
Iperf Policy
As you can see from the options in the criteria section above, more advanced bandwidth policies can be created. Policies can be created to control bandwidth by user, schedule, interface, source or destination address, DSCP value, and/or service type.
VPN
The ZyWALL 110 supports IPsec site-to-site VPN tunnels and IPsec, L2TP, and SSL remote VPN tunnels. Up to 100 concurrent IPsec tunnels and 25 concurrent SSL tunnels are supported. L2TP tunnels, which use IPsec encryption, count as part of the 100 concurrent IPsec tunnel limit.
I found configuring a VPN solution on the ZyWALL 110 was a multi-step process for all VPN types. There are Quick Setup menus (aka configuration wizards) for WAN Interfaces and VPNs. I used the regular menu instead of the Quick Setup for my configurations so I could explore all the options.
To start, I set up a site-to-site IPsec tunnel between the ZyWALL 110 and a Cisco ISA550W. The ZyWALL 110 supports DES, 3DES and AES encryption, as well as MD5 and SHA1 authentication. The ZyWALL’s VPN throughput ratings are based on AES encryption, so I used AES-256 encryption and SHA1 authentication for both Phase 1 and 2.
One of the challenging aspects of IPsec VPN configuration is getting all the parameters to match on both sides of a tunnel. Although IPsec is a standard technology, vendors use different terms referencing IPsec configurations. On the ZyWALL 110, you first configure a VPN Gateway, which is also referred to as Phase 1 or IKE on other VPN routers.
IPsec Gateway
Second, you configure a VPN Connection, which is also referred to as Phase 2 or IPsec on other VPN routers. Once I applied my configurations, the VPN tunnel between the ZyWALL and Cisco came right up.
IPsec Connection
The ZyWALL 110 has a Monitor menu that allows you to see all active VPN connections. As shown below, I have an active IPsec VPN connection from the ZyWALL 110 to a Cisco ISA550W.
IPsec Status
ZyXEL’s IPsec client software is based on TheGreenBow’s VPN Client. IPsec VPN software licenses are not included with the ZyWALL, but can be purchased for 1, 5, 25, or 100 users. I set up a remote IPsec connection using the free Shrew Soft VPN client on a Windows 7 PC. Setting up the remote IPsec connection involved many of the same steps for a site to site connection, discussed above. Shrew Soft has a useful configuration guide for the Shrew Soft client and ZyXEL routers, which I used to successfully set up a remote IPsec tunnel.
VPN – more
With site to site and remote IPsec successfully tested, I tested L2TP. The neat thing about L2TP VPNs is client software is included in many devices, including smart phones, tablets, Windows and Apple PCs. I successfully tested L2TP connections to the ZyWALL 110 from an iPhone 4 and a Windows 8 PC.
I struggled a bit with the ZyWALL manual on how to configure L2TP, so I poked around on the web and found this forum entry that helped me out. Essentially, you configure user names, establish an L2TP address pool for remote clients, create VPN Gateway and VPN Connection settings, then enable the L2TP server on the ZyWALL and create appropriate Firewall rules. Below are screenshots of my ZyWALL L2TP Gateway, Connection, and L2TP server configuration pages.
L2TP Gateway
L2TP Connection
L2TP Server
L2TP is a good solution for remote access, but I prefer SSL VPN connections for PCs. With SSL VPNs, remote clients use a browser to establish a remote VPN connection. Software and configurations are applied to the PC automatically once the end user authenticates through the browser.
I found configuring SSL access on the ZyWALL 110 easier than IPsec and L2TP. SSL VPN configurations only require creating user names, setting up an SSL VPN address pool for remote clients, establishing an SSL VPN access policy, and entering Firewall rules. Below are screenshots of my ZyWALL SSL address pool and access policy.
SSL Address Pool
SSL Access Policy
The SSL VPN software installed on the PC is ZyWALL’s SecuExtender. The ZyWALL 110 manual states SSL VPN is only supported on Windows 7, Vista, 2003, and XP. I had no problem establishing an SSL VPN connection from a Windows 7 PC to the ZyWALL 110. Below is a screenshot of the window that pops up on your PC once your SSL VPN connection is established. However, I tried setting up an SSL VPN connection on a Windows 8 PC and got a message that SecuExtender isn’t supported on this version of Windows.
Updated 1/22/14: Windows 8 SSL works
ZyXEL has released SecuExtender 3.0, which I confirmed works with Windows 8.1. Download the installer and instructions from ZyXEL’s French FTP site.
SSL SecuExtender
VPN Performance
After enabling each VPN tunnel, I tested VPN performance. I tested the ZyWALL 110’s VPN performance with iperf using default TCP settings, with a TCP window size of 8 KB and no other options. I ran iperf on two PCs running 64-bit Windows with their software firewall disabled. (Running a simple iperf throughput test between two PCs uses the command iperf -s on one PC and iperf -c (ip) on the other PC.)
ZyXEL rates the ZyWALL 110 as capable of up to 300Mbps IPsec VPN throughput, which is the highest IPsec VPN throughput rating of any VPN router I’ve tested. Note that ZyXEL’s data sheet for the ZyWALL 110 states this VPN rating is based on UDP traffic, which has lower overhead than TCP/IP.
As mentioned, I tested VPN throughput using TCP/IP, which is reflective of common network traffic such as web and email traffic, so I didn’t expect to match ZyXEL’s 300 Mbps spec. Table 1 shows the measured throughput for each VPN tunnel type.
| Throughput (Mbps) | ||
|---|---|---|
| VPN_Tunnel_Type | Gateway-Client | Client-Gateway |
| IPsec Site-Site | 61.3 | 72.5 |
| IPsec Client | 106.3 | 185 |
| L2TP Client | 89.4 | 63.1 |
| SSL Client | 27.6 | 23.9 |
Table 1: VPN throughput
The ZyWALL 110’s IPsec client throughput of 106.3 and 185 Mbps are the fastest VPN throughput numbers I’ve measured! The previous top performer in my tests was the Cisco ISA550W at 91.6 Mbps for both directions. Further, the ZyWALL 110’s throughput numbers for both IPsec and SSL are over four times faster than the previous ZyXEL security device I tested, the ZyXEL USG20, which topped out at 27.8 Mbps for IPsec and 4.78 Mbps for SSL.
The ZyWALL 110 is clearly an advanced VPN router with impressive VPN throughput. I was able to set up and use all VPN tunnel types and I had several of them running simultaneously. Some VPN routers I’ve tested have limited throughput capability for remote client solutions, such as PPTP, L2TP, or SSL. The ZyXEL 110’s throughput for all remote VPN tunnel types exceeds the capacity of many remote Internet connections, providing quite a few options for remote user access.
Firewall
The ZyWALL is a VPN and a firewall device, with the focus on passing desired traffic at high speed. Configuring the firewall for filtering traffic is also a key feature. I found the ZyWALL firewall to have a good bit of capability and quite simple to configure. There is a basic checkbox to enable and disable the stateful packet inspection (SPI) firewall, which comes in handy for troubleshooting.
Firewall rules can be configured using zones, schedule objects, users, source and destination addresses or objects and service objects. I like this object-oriented approach to configuration, I find it more flexible. Each rule, once created, can be individually activated or deactivated.
I set up a simple rule to filter iperf traffic through any interface on the ZyWALL, as shown below. With the rule inactive, I had no problem running iperf tests. Once I activated this rule, I could no longer pass iperf traffic, validating the effectiveness of my rule.
Firewall Rule
In addition to creating firewall rules to filter traffic, the ZyWALL 110 has a session control mechanism that allows you to create a rule to limit the number of sessions a user or specific IP address can generate. This tool provides a form of end-user network control.
Routing Performance
Routing performance for the ZyWALL 110 loaded with V3.10(AAAA.2) firmware and using our standard test method is summarized below. The maximum simultaneous connections result is at the limit of our test process, indicating the ZyWALL can certainly support plenty of user sessions.
| Test Description | ZyWALL 110 |
|---|---|
| WAN – LAN | 662 |
| LAN – WAN | 420 |
| Total Simultaneous | 629 |
| Maximum Simultaneous Connections | 33,652 |
| Firmware Version | V3.10(AAAA.2) |
Table 2: Routing Performance Summary
Throughput results for unidirectional download and upload speeds are shown in the composite IxChariot plot below. The download speed result looks pretty consistent, but there is quite a bit more variation in the upload speed result.
Unidirectional Throughput
Simultaneous up/downlink throughput shows a good bit of variation in both directions as you can see in the below plot. 629 Mbps is a pretty good number, but far from ZyXEL’s spec of 1,000 Mbps.
Bidirectional Throughput
Conclusion
I’ve summarized key performance numbers and price in the below chart for the ZyWALL 110 and a few other multi-WAN VPN routers I’ve tested.
| Product | Throughput (Mbps) |
Price (Amazon) |
||
|---|---|---|---|---|
| WAN – LAN | LAN – WAN | IPsec (Max.) | ||
| ZyXEL ZyWALL 110 | 662 | 420 | 185 | $339 |
| Cisco ISA550 | 200 | 255 | 92 | $280 |
| Cisco RV042v3 | 89 | 91 | 48 | $141 |
| NETGEAR SRX5308 | 448 | 581 | 43 | $363 |
Table 3: VPN Router Performance Summary
Without a doubt, the ZyWALL 110’s maximum IPsec throughput of 185 Mbps is the fastest of any VPN router I’ve tested. Its routing throughput is also significantly faster than the less expensive Cisco routers. However, the NETGEAR SRX5308, a VPN router I tested several years ago, produces higher upload throughput at 581 Mbps to the ZyWALL’s 420 Mbps.
Bottom line, I was impressed with the ZyWALL 110. I liked the simplicity and capability of its firewall. Further, it has all the VPN capability you need to connect to remote offices via site-to-site tunnels, to client PCs with SSL and IPsec and to smart phones and tablets with L2TP. With the ZyWALL 110’s IPsec, L2TP, and SSL VPN throughput, your remote users will be able to connect to your network as fast as their Internet connection will let them!