SG79
join:2009-05-27
New York, NY

1 recommendation

SG79

Member

Detailed review of the ZyWall 110 - 10 months in (warning: it's a long read)

This is a long overdue review of the ZyXel ZyWall 110. I've posted a lot of these comments in various threads, but thought I'd consolidate in one massive review (I was bored while writing this). So here it goes:

------

I wanted to love this little router, I really did, but found a host of issues that have yet to be fixed. On paper, the router seems superb – great specs, fast VPN, nice overall design (and look). But after using this router since September 2013, I can safely say that there is much to be desired. Let me start with the things I liked about the router:



POSITIVES:

1) Fairly quick initial setup – I was able to plug the router in, and get up and running in 20 minutes or so. Well, almost. My first unit had a defective gigabit Ethernet port that would revert to 10/100 speeds after 3 hours of usage. This didn’t impact initial connectivity, however, and a replacement unit fixed this issue (see negatives). The VPN setup is also a bit complicated (somewhat unnecessarily, IMHO – 3 disparate screens just to get the VPN configured – not including user management). But ZyXel tech support was very helpful and even remotely logged into my router and set the VPN up for me. Thanks! Which brings me to my next positive:

2) Free telephone tech support – ZyXel’s support staff are based in the US, and their support engineers have been very helpful (to the extent they are able to help - especially given the router's limitations). However, the design engineers are all in Taiwan, while the telephone support staff is in the USA, so I'm not sure how often the two parties communicate.

3) GUI chock full of options – You can configure most (all?) of the router’s features using the GUI interface. This is particularly useful if you’re not familiar with CLI configuration (not my case, but worth mentioning). There are a lot of options, and I mean a lot. Not for the faint of heart, but spend enough time and even novices would get used to it. While the interface has a lot of features, there definitely could be some more thought put into the layout. I’ve often found myself having to click through various disconnected menu options to perform one simple task. But I’m listing this as a positive, since the options are there, and you can call tech support if you’re really stuck.

4) Good router performance – at least when it works. I’ve tested the router using QOS, and it does a good job. Much better load balancing than my previous router. While I haven’t maxed out the router’s throughput, it hasn’t choked on my 75 megabit connection. SmallNetBuilder did test the router, however, and found the router throughput to be ~half the rated speed of 1 Gbps. I don’t have that kind of connection yet, and by the time I do, hopefully the issue will be rectified by a firmware update.

5) Load balancing WAN with fallback – while I never tried this feature, it seems like a nice option to have. But honestly, I think the target demographic (SMBs, homes?) would rarely use this feature, if ever. Regardless, +1 for effort.

6) Multiple configurable Ethernet ports – for DMZ, VLANs, etc. Again, a feature I’m not currently utilizing, but nice to have. But given that companies are moving their servers to the cloud, and layer 3 switches do a better job with VLANs and intra-office routing, I’m not sure how beneficial these ports will ultimately be.





NEGATIVES:

1) Interface crashes – Seriously. Three times in the past 7 months. The router interface froze on me, and locked me out of accessing the VPN, router configuration, or communicating directly with the router in any manner whatsoever. Oddly enough, internet access through the router wasn’t impacted, just access to the router itself. I needed to physically reboot the router to restore access. This can be problematic if you’re at a remote location (my situation). I had to buy a remote reboot switch that periodically pings the router to avoid this from happening. Totally unacceptable, IMHO.

2) Frequent VPN disconnections – I’ve found the router to frequently disconnect me from the L2TP VPN connection. This is especially apparent during peak times. I’ve read that these issues aren’t unique to ZyXel, but other router manufacturers have been able to mitigate these problems somehow. The disconnect issue is particularly bothersome as once you’re disconnected, the previous state is locked for a few minutes and you can’t log back in until the router drops the connection. This is incredibly frustrating, especially once it starts happening more than two times in an hour.

3) No support for multiple remote IPSEC VPN clients behind a single public IP address. To be fair, this issue also isn’t unique to ZyXel (something to do with the encrypted connection), but other manufacturers have been able to mitigate this limitation as well. In addition, if a remote user is logged into the VPN, another remote user with the same IP address as the VPN user is completely locked out from accessing the router services – VPN, configuration, etc. This is especially frustrating if you need to remotely modify router settings, and another user from your local LAN (assuming you’re sharing public IPs) is logged into the VPN. Here’s what I mean:


• Imagine two remote users behind the same public IP address, and the ZyWall 110 at a different location, with both IPSec VPN and router configuration access enabled over the WAN side. One remote user decides to log into the ZyWall 110 using the IPSec VPN. All is good. Then, the second user, using a different computer, decides to access the ZyWall 110 configuration page through the public IP address (not VPN). Denied! Even though the web interface uses a different port (SSL - 443) than the IPSec VPN, the ZyWall can’t differentiate the traffic. Same thing happens if two users behind the same IP address try to use the VPN simultaneously.


4) Proprietary 2-step verification - You'll need to use ZyXel’s silly offering – no support for 3rd party tools such as Google Authenticator. Really? Come on ZyXel. Other router manufacturers are on top of this, why aren’t you? ZyXel’s solution is pricey (you need a dongle) and cumbersome, given that Google’s app is free and runs on most smartphones. The free price range also probably best fits the target market of ZyXel’s customers – SMBs with limited budgets. I mean, if I wanted faux-enterprise security with a silly little dongle, I’d call Cisco and RSA (Or is that the NSA?).

5) No support for OpenVPN, GRE routing, multicast tunnel, etc. It’s not as though the router and its fast processor couldn’t handle these tasks. OpenVPN is great since it’s highly secure and you can specify a port (unlike IPSEC). Certain WiFi hotspots block most ports aside from 80 and a few others, and only OpenVPN allows for custom port numbers to sidestep this limitation. Multicast routing and GRE tunnels have been available on other ZyXel routers in the past, but not with the 110. It’s a guessing game when (if?) these features will ever make it to the 110. Ubiquiti Edge Router is only $100, and seems to support these aforementioned features – why can't ZyXel?

6) Infrequent firmware updates – I can’t fathom this – especially since the router has some serious bugs. The latest router firmware (as of this writing) was dated in June 2014. Prior to that, it was Sept. 2013. Seriously, almost a year between firmware updates? Come on! It may be because ZyXel’s design engineers are in Taiwan and they might not be reading the forums, or have infrequent communication with the tech support staff based in the USA. Whatever the case, one year is too long of a wait.

7) Weird IP address sorting scheme - i.e., if you click on Sort Ascending (or vice versa), you'll see x.x.x.1, x.x.x.101, x.x.x.2, etc. WTF? Since when did 101 come before 2? So silly. Who came up with that logic?

8) No mounting holes underneath case - The manual indicates there are wall mounting holes (one of the reasons I initially bought the router), but that was a pipe dream. There are no mounting holes. At least for my unit (manufactured July 2013). Just a solid back. I guess somebody forgot to tell the factory. Silly factory.

9) Fan Noise - Okay it's not as loud as a laser printer, but it’s still loud. Mind you, I have the router in a fairly quiet bedroom where you can actually hear the noise. What I can’t figure out is why the fan was needed in the first place: The unit runs fairly cool (at least for the apps I run), and given the ridiculously spacious housing (you could cut off the left 1/3 of the router – it’s just air), I’m sure lowering the fan speed, or ditching the fan altogether wouldn’t be much of an issue.

10) Faulty Gigabit Ethernet port – I bought my unit in September 2013, and several times my gigabit connection would drop to 10/100 speeds. I tried various cables to no avail. This may have been a manufacturing issue. I replaced my unit and the problem went away, but there are reports of other people having the same issue. Caveat emptor.

11) Power brick – As I mentioned before - the router has a lot of empty space. So why ZyXel didn’t incorporate the external power supply inside the unit is beyond me – but it certainly wasn’t for a lack of space. Now, I have to keep track of yet another power brick (especially frustrating when moving), and since my unit is rack mounted – I now also need to find a place to mount the brick - the dinky 2.5mm connector won’t support the brick’s weight.

12) Abysmal Logs and Reporting Statistics – A serious item of contention for me – especially since other SMB router manufacturers (along with DD-WRT, Tomato, etc) have much better graphical offerings. I found ZyWall’s traffic reports to be confusing, and mostly unusable. Let me elaborate:

Limited traffic statistic visibility - You can only see a limited subset of current traffic going through the router (20 biggest, or last 20), yet there is a drop down menu that shows 50, 100, 200, as selectable options. I had to read through the fine print of the manual to realize that 20 is the limit. WTF? Why even present a drop down option then?

Limited charts or statistics data – looking for charts to identify biggest bandwidth users, sites most frequently visited, traffic by interface, period, etc? Ha! Good luck. The only solution I found was to upload the data to a syslog server and use that software to analyze your traffic.

Limitations on DHCP IP address bindings – Want to see what addresses have been assigned through DHCP, or which static IP addresses are active on the LAN side? Well, you can only do that if you enable IP address binding, which will block any devices with static IP addresses (unless you manually add them to the MAC table). Even then you won’t see which devices are transmitting using static IPs on the LAN. Why this silly limitation? I have no clue. ZyXel, care to comment?

Log File format – While you can upload a plethora of data to a syslog server, you need additional software to parse through the log(s), which only come in CIF or a proprietary VRPT format. These packages cost money, and most off the shelf CIF packages I encountered didn’t support the ZyXel. ZyXel makes its own report analyzer, but that’s another piece of software to buy just to get some basic summary data. Plus, it’s overkill for most users. Come on ZyXel!






CONCLUSION:

All in all, the router has good performance when it works, but given all these limitations, there’s a lot to be desired. I paid $360 for this router, but considering its limitations and the issues I encountered, I feel it's overpriced. This is especially true when you consider offerings from the competition, particularly Ubiquiti's Edge Router which sells for $100.

Granted, the Edge Router lacks the multiple Ethernet ports, load balancing capability, and the GUI configurability, but its CLI configuration gives it options and flexibility that the ZyWall 110 can't match. The Ubiquiti router seems to mitigate a bulk of my issues above, and it has better performance (firewall throughput, VPN) to boot (according to Small Net Builder)!

If there are any workarounds for the issues I mentioned above, I'd love to get any of your thoughts. I'm by no means an expert with the router and would love to hear other people's input on what I'm doing wrong.

I'll give an update once I spend a few months playing around with the Ubiquiti router. Hope you enjoyed the read. It's just my $0.02. For whatever it's worth.

Cheers!
Kirby Smith
join:2001-01-26
Derry, NH

Kirby Smith

Member

Thank you for the extended review.

I recall reading somewhere that the Ubiquiti routers now have limited dual WAN capability with at least one load balancing algorithm.

kirby

Hank
Searching for a new Frontier
Premium Member
join:2002-05-21
Burlington, WV

Hank to SG79

Premium Member

to SG79
The Ubiquiti router you have, is it the ERL?
SG79
join:2009-05-27
New York, NY

SG79

Member

Hank - I should have clarified - I indeed have the ERL, which has only 3 ports. I didn't see the need for additional ports, but I suppose the ER8 (which also goes for ~$360) would be a better direct competitor to the ZyWall 110.

Kirby - good to hear that Ubnt is adding some new functionality to the ERL. My big fear, however, is that Ubnt's reliance on Vyatta's open source code might hurt down the road, given that Vyatta has moved away from open source since being acquired by Brocade in 2012.

There's supposedly an open source fork project (VyOS) to continue where Vyatta/Brocade left off, but that may take a while to ramp up (if ever). And only Ubnt knows when/if it will move over to the forked platform.

But for now, the ERL seems like a solid performer and beats the ZyWall in firewall throughput and performance.

Hank
Searching for a new Frontier
Premium Member
join:2002-05-21
Burlington, WV

Hank

Premium Member

I have been using load balancing on the ERPOE5 for the past month without any surprises. Very happy with the Ubiquiti equipment.
Kirby Smith
join:2001-01-26
Derry, NH

Kirby Smith to SG79

Member

to SG79
As far as I can see, much of the basic functionality of a router and firewall is already in Linux, including various bandwidth sharing schemes for ports; the more complex functions and a user-friendly GUI would seem to be the issue for development. But even then there seem to be lots of open source router projects that the various players should be able to borrow from each other.

What Edge seems to be bringing to the table is fast performance at low cost due to some processing hardware choices, and so long as they leave the malware filtering to others they should be able to succeed in the niche they are in -- limited only by the cost of getting the capabilities possible through the CLI matched by those of the GUI.

But I understand that YMMV when on the one hand a residential application may have very limited requirements for bells and whistles, while a commercial application may need Bonjour, LAGs, GRE and other stuff I have to look up to discover what it does.

In my case, to go there with even a slight hint of practicality would require that Fairpoint fix their congestion problems and significantly increase my bandwidth at modestly low added cost.

kirby