Zyxel ATP 500: Wi-Fi, Mesh and UTM controller in one package

Zyxel has a great concept for quickly deploying a wireless network on a site, whether it's a country club, a branch office, or a Central office: it's a bundle of Zyxel ATP security gateway and access points clinging to it. The idea looks like this: today, the network does not have a security gateway, except that home users go, and in any case, you will have to use such a device, software or hardware in the company. Since you need support and SLA, you naturally choose a commercial solution with cloud training and automatic updates. And this gateway will manage the access points located below in your wireless network, providing work "from one window".

Zyxel ATP500 - межсетевой экран

It should be noted Here that the WLAN management function itself is quite simple in terms of CPU load, and wireless network controllers are already embedded in access points, output to the cloud, and run on regular computers, although there are purely hardware solutions, which we also wrote about. In General, each of these solutions has its pros and cons in one way or another, and the main advantage of using Zyxel ATP500 is the ability to use simple access points, while below the gateway you install only switches by the number of ports: a minimum of unnecessary devices, a minimum of fuss and a maximum of integration.

ZyXEL ATP500 firewall

So, you have an object where you are building a secure wireless Internet connection. The Zyxel ATP series is the latest generation of security gateways that can analyze uploaded files, including archives, scan them for viruses, send suspicious files to the cloud for analysis, and skip safe and useful files. In addition, it uses multi-level protection based on patterns of existing attacks, application-level protection, Web security, and reputation lists required for massive DDoS attacks.

All ATP gateways in the world communicate with the Central cloud, exchanging data about new types of attacks (Hello, telemetry), which allows the global security system to constantly learn and develop independently. That is, tomorrow your Zyxel ATP will be a little smarter than it was today, and all this is due to the fashionable machine learning today.





Number of ports, 1GBase-T





Number of SFP slots+





Device performance in packet processing, Mbit / s











At the time of the review, there were 4 models in the Zyxel ATP series that differ in the number of ports and performance. The ATP 500 we are considering is second from the top and promises you support for 64 VLANs, 50 SSL tunnels, and a Firewall (SPI) bandwidth of 2600 Mbit/s. Up to 1 million TCP sessions are supported at the same time, so if you have a small public or large corporate cloud behind the gateway, the ATP500's capabilities will be sufficient to support user and application traffic. All devices are assembled in 1U-high metal cases, but with different widths, so you can install them either in a Telecom Cabinet or just on a table, in the spirit of Edge. :)

As for VPN, it supports up to 200 simultaneous IPSec tunnels, 50 SSL tunnels, and support for Microsoft Azure and Amazon VPC. The SSL VPN tunnel connects to the gateway on port 443 to access the private network. You can download the VPN client directly from the gateway itself, or rather from its web interface. The OpenVPN standard is not supported, probably due to low SoC performance.

Interestingly, there is no Firewall in the form of a table with the Accept / Drop / Forward checkboxes, and from my point of view this is a minus, because no matter how much you do everything in the form of services, you should always leave the option for manually prescribing rules via the Web interface.

Of Course, the highlight of the ATP series is all sorts of filters that protect you from:

  • Intrusions into your network from the Internet
  • Network penetration of infected files and Trojans DoS and DDoS attacks
  • Your employees ' visits to questionable sites

All this filtering works transparently for the user, and even the device administrator can only enable / disable a particular filter and configure the categories of unwanted sites from the suggested ones. Of course, for an integrator or intermediary company that needs to quickly deploy network protection and throw all the work of the device to the vendor - this is a gift, but if you are used to thoroughly configure everything, you will be disappointed.

Here, for example, Zyxel ATP500 uses DNSBL technology, black lists of addresses from which malicious traffic is generated. You can't define and configure subscription sources, and if you enable everything with the default settings, even large sites lose their normal appearance.

This is Partly due to ad blocking and trackers. Today, this muck is not blocked except by a lazy person, and I must say-very effectively.

geo module in Zyxel ATP500

With a powerful DDoS attack, you will have no choice but to recapture entire continents and countries, and above all, with a dubious reputation. You can, of course, immediately restrict traffic to only the area you are working for, disabling, for example, Vietnam, all of Africa, or all of Eastern Europe, if necessary. But you will have to do this manually: there is no such useful setting as "1000 responses from Africa - block the entire continent", but this is not a problem for the corporate network.

sandbox Service

Antivirus protection, the so-called "Sandbox" works completely transparently for the user: infected files are cleared by the security gateway (scored with zeros). This feature works both when surfing the web and when scanning email, and to effectively detect threats when surfing the web over the secure HTTPS Protocol, you only need to create an appropriate profile.

But how many times have you met on forums shouting sysadmins: "Help block Youtube on Mikrotik?» Here the answer is as simple as a white day: you have all the sites in the world divided into categories, and the lists are regularly updated and are part of the Zyxel service. You can block all types of sites, such as pornographic or entertainment content, and add Youtube as a separate line to the blacklist so that the enemy does not get through your barrier.

Interface Setup

Interestingly, filtering is used for different interfaces, so you can set up some rules for a VPN, and other rules for GE/2, and thus apply separation of powers within your organization.


Zyxel ATP 500 allows you to create up to 64 VLANs by linking them to physical or logical ports. From the standard functions of the router, port forwarding and NAT are available to you.

The access point Controller logically combines hotspots into groups, allowing you to create different WLAN networks on the site. Supports IEEE 802.11 g/r seamless roaming, suspicious access point detection, and automatic calibration of the radio module. When capturing access points, their own management interface is disabled, so you don't have to worry about the security of hotspots.

The Mesh function uses Zyxel, a proprietary ZyMesh Protocol that differs from the traditional Mesh network. The thing is that in a normal Mesh space, the entire network is peer-to - peer, and access points are equivalent. A large network may not even notice the loss of a single access point, and the connection between hotspots runs both over Wi-Fi and over a wire. In the case of ZyMesh, you set the roles of root hotspots and repeaters. The first ones connect to the Internet only via cable, and for the backhaul channel, both of them reserve one of the radio modules (2.4 GHz or 5 GHz). In relation to root hotspots, repeaters can be organized in a chain or star. here, a kind of STP analog is also used to find the fastest route, but communication between repeaters is carried out only via the radio channel.

zymesh Schema

In general, ZyMesh was first described back in 2015 at the first stage of the transition from WDS to peer-to-peer networks, but today, at the end of 2019, I can't give you a single reason why Zymesh is better than the usual Mesh, implemented for example in Zyxel Multy X ,which we reviewed earlier. However, if the number of hops you are scaling the wireless network to is small, say 2-3, then the topology is not so important, and even at the edge of such a network, clients will have speeds of about 70-80 Mbit/s.

ZyXEL NWA5123AC-HD and WAC-6103D access points

If you decide to use the ZyMesh network, you may need to install 2 or more root access points, and on the one hand run the Backhaul channel at 2.4 GHz, and on the other - at 5 GHz. Not every ZyXEL access point will allow you to switch your 5-gigahertz radio module to Root AP mode. Of the models we are considering, NWA5123AC-HD has this function.

This model has 2 radio modules: one in 2x2 MIMO format for 2.4 GHz, and the second in 3x3 SU/MU-MIMO format for 5 GHz. The second generation of beamforming signal direction technology and nebula cloud management are supported (this service is described in detail in for the ZyXEL gs1920-8HP switch). As is customary for ZyXEL access points, the antenna unit itself is placed on a separate metal plate to reduce interference with electronics. On the motherboard of the access point, the RF modules have their own shielding, and in addition to this, the housing of the hotspot is made of aluminum. In total, this helps to concentrate the direction of the radio signal in one direction, and reduce radiation in the direction of electronics and overlaps, so as not to interfere with other access points.

The wac6103d-I access point is a familiar NWA1123AC-Pro, which has 3x3 antenna groups for both the 2.4 GHz and 5 GHz bands. This model is interesting because it has a hardware switch for the installation mode: on the ceiling / on the wall.

The shielding here is still the same harsh Zyxel-EV approach, but the back wall of the case is plastic. Both access points have two 1-Gigabit ports. The total bandwidth of the NWA5123AC-HD is 1.6 Gbit/s, while the WAC6103D-I has 1.75 Gbit/s.

Recommendations when ordering

The Zyxel ATP Series should be considered not as a piece of hardware, but as a service that you purchase from a developer company, and the hardware is given to you as a load. First of all, of course, we are talking about the security of the serviced object, which is configured here in just two or three mouse clicks. Of course, you have access to a beautiful control panel that updates every minute the number of attacks reflected by your network gateway. In the field of protection against DDoS, botnets and harmful sites, including Youtube, and antivirus protection, this device is just what you need. Of course, many things are missing here, such as: OpenVPN, a full-fledged Firewall with a user-friendly interface, the ability to add your own subscriptions, well, at least the same Emergint Threats, and in the field of Wi-Fi, the question remains open with Band Steering.

With all this, the considered solution is a kind of constructor that can be sent to a remote object in a ready-made form, configured in just a couple of hours,and then serviced remotely via the cloud, leaving the network security issue to Zyxel.

Mikhail Degtyarev (aka LIKE OFF)

Read also: