Zyxel ZyWall VPN2S and NWA1123-ACv2: VPN router for small office

Go back to the days when the VPN gateway was a large metal piece of hardware that could only be configured by a specially trained system administrator. Today dictates new conditions: more and more employees work remotely, continuing to work hard even during vacations. And when in such a modern and creative company there is a simple task to make access to the local network for employees from anywhere in the world, there is a dilemma: use the cloud or set up a reliable VPN in the old-fashioned way.

Just make a special VPN gateway for such purposes, which has an interface like Twitter, settings with a simple wizard - and you will get a creative audience that can actually sell a router without Wi-Fi for the price of a router with Wi-Fi, and they will also buy an access point. Zyxel has a well-established brand ZyWALL, under which it produces firewalls / VPN gateways for banks, pharmaceutical companies and other commercial structures. The Zywall VPN2S model is a bold experiment: will the creative class fall for a brand that has been proven for years?

Key features

The most basic that we put at the top of the list is support for two or more Internet service providers (Multi-Wan load balancing function). First, it increases the network's fault tolerance, and secondly, it helps to distribute traffic over several channels, and the latter is what distinguishes Zywall VPN2S from conventional routers, which, although they support several providers, but only in active standby mode, switching between them when communication fails. Traffic balancing is a feature that allows video communication to work even if someone is actively downloading torrents in the office.

The second is support for 3G/4G modems, which is a Must Have for such a device, because you can use them both as a dedicated backup channel and as the main channel if you are providing work for any outdoor event.

The Third is an increasingly popular feature for content filtering and providing security at the login level of your network. In General, this feature has always been in such gateways, but only in the last few years it has become more important than installing antivirus software on office computers. Why is this? Yes, everything is very simple: it is useless to scan an infected computer for viruses, any exploit will first disable the existing protection, and some devices can not be installed software at all according to the requirements of it security specialists. A centralized security gateway is another line of defense that will protect you from botnets looking for vulnerabilities in your devices, spam, various malware and intrusions. Of course, you need to understand that all this cannot be implemented in the entry-level model, and in Zywall VPN2S only implements the content filtering model for office protection. But this is quite enough.

Judge for yourself: the gateway can block access to 64 different categories of threats, including anonymizers, phishing and fraudulent sites, and social networks. networks and porn sites. We'll check how it works during testing.

Exterior and interior

By design, let's face it: this is a completely uninteresting model, inconspicuous and inconspicuous. Zyxel Zywall VPN2S is easily lost on your desktop or on a nightstand in the utility room, and this is exactly what is required from such a device to forget where it is installed.

The Gateway does not have a fan, and judging by the design of the case, it does not have any cooling requirements at all, so you can put it wherever you want.

Interface and settings

You won't just have to get used to the interface - you'll have to learn it, even if you're familiar with security gateways. For example, we are already used to the fact that even in home routers, LAN/WAN differentiation is no longer available, and each port can both access the Internet and pass traffic inside the home network. This is not the case here: VPN2S has one WAN, three LANs, and one optional port, which can be either LAN or WAN.

In accordance with modern fashion, almost all settings use profiles, although for this class of devices this is an unnecessary complication that is not necessary. Creative managers need to set up a VPN in one or two clicks, and not link the L2TP profile to the IPSec profile, wondering why it doesn't work. This problem is partly solved by the configuration wizard, which will enable PPTP, but will forget to add the corresponding rule to the Firewall. At the same time, some installations, such as DoS Protection, do not have any settings at all.

In general, I think that this device is too complex for the main audience that Zyxel VPN2S is designed for.

Firewall and security

The table is limited to 500 entries, and this number does not include services running on the gateway itself - they have a separate tab. In addition to ports and protocols, you can only specify the rate for each record in the rule settings. This will not surprise anyone today, and all this was in home routers many years ago.

The highlight of Zyxel VPN2S is the ability to disable access to different types of sites for different categories of users. Set up access to social networks for managers.so that they can sell your product to people in the store, give technical specialists access to sites with documentation and reviews, remove all restrictions from your office guests, and prohibit your superiors from reading the news. Moreover, you only specify the category of media and not websites. How does Zyxel know which site belongs to which category? This is what you pay for when you subscribe to signatures. By the way, be careful: even if content filtering is available to you via the management interface, you still need to purchase a license to activate this service.

This is really a very cool feature that can raise the working rhythm in your company, not allowing you to be distracted by all sorts of YouTube, especially if your office is underground, where 4G does not catch.

But what about Wi-Fi?

Security Gateways are most often installed in telecommunications cabinets under the ceiling. Zyxel Zywall VPN2S even has holes for brackets for these purposes, so no matter how you look at it, you will have to buy and install access points separately. Considering that a good hot spot for indoor installation costs$ 60-80, this is a small expense. Today, any integrator will tell you that three companies make high-quality access points: Cisco, Zyxel, and Ubiquiti. we didn't have the ciski In our hands, but we managed to compare Ubiquiti UAP-AC Pro (1750 Mbps) and Zyxel NWA1123-ACv2.

Visually, Ubiquiti looks larger, although It has a lower profile, and when mounted on the ceiling, it does not take up space as much as Zyxel. A higher speed of 1750 Mbps when connected with 1 cable at a speed of 1 Gbit / s is an irrelevant advantage for small rooms for a dozen people.

"Under the hood" these two hotspots represent two completely different ideologies, from two worlds. At Zyxel, this is a component circuit in which the antennas are placed outside the motherboard and shielded with a thick metal sheet, which is clearly visible in the photo. Apparently, the guys from Zyxel had a lot of aluminum in their warehouses, so between the access point motherboard and the radio module there is a massive aluminum heat sink that acts as a screen. The Ubiquiti access point, of course, does not have this.

As for antennas, Zyxel has 4 of them (2 for the 2.4 GHz band + 2 for 5 GHz), and Ubiquiti has only 3 dual-band antennas, each of which works in both bands, which is more typical for home routers. Of course, single-band antennas will always work better than universal ones. Another thing is that you won't always be able to see these differences in practice.

Configuring the Ubiquiti UAP-AC-Pro access point is a pain. First, you need to understand that this is professional equipment that is produced for those who install and maintain dozens of them, so it is configured only through a software server that is written in Java, which is not installed on Windows the first time and rolls out critical security updates twice a day. Yes, if there are hundreds of access points, this minus turns into a plus. But if something goes wrong with your local Java server or if you need 2-3 access points in the office, then Zyxel Nebula is more convenient and practical: you can access the cloud service from any browser, add an infinite number of hotspots to your network, without worrying about how the management system itself functions.


Test stand:

  • Intel Xeon E5-2603 V4
  • Motherboard ASRock Rack EPC612D4U-2T8R
  • Memory: Transcend DDR4-2400 ECC RDIMM
  • Hard drive: Seagate Exos 10E2400
  • Network card Intel X550-T2 (PCI-E Passthrough to the Guest VM)
  • Hypervisor: VMWare ESXi 6.7
  • Guest OS: Windows 10 x64 1809
For testing, we will use a network card Intel X550-T2 running at 1 Gbit / s. Let's start with the speed of the local switch on the LAN ports.

Zyxel does not say what the buffer size of the built-in network gateway switch is, but our tests show that if you have an active traffic exchange inside the network, for example, through file servers or hotspots, it is better to buy a good switch, such as Zyxel GS-1920, the review of which we published on our site. But for the gateway, LAN - WAN performance is much more important.

TCP traffic LAN-WAN, Mbps

Here, the speed is at the level of network connectivity.

UDP traffic, LAN-WAN, Mbps

Please note that UDP LAN-WAN traffic is faster than over a local network.

VPN speed, Mbps

PPTP VPN Performance is excellent, but L2TP is at the level of middle-class home routers.


The Main reason to buy this model is content filtering implemented by a list of website signatures, a VPN server, and support for two or more Internet lines. This gateway is positioned as a starting solution for a small office, and although I expected something more, looking at the price, I realized that I was mistaken. In fact, Zyxel-I have this beautiful database of sites that allows you to restrict access entirely to categories of media sources, and the manufacturer just Packed it in a box, like a good home router, adding a VPN server and a simple Firewall.

As a solution for those who are too lazy to configure Mikrotik or dig into OpenWRT, this is quite a viable option, especially with the ability to block half of the Internet for their employees, and include in the form of a reward based on quarterly or annual indicators. Let them work for access to auto.ru, instagram, or wherever they hang out during business hours.

Mikhail Degtyarev (aka LIKE OFF)

Read also: