Review of the solution for small office from Zyxel: ZyWall VPN gateway VPN2S and the access point NWA1123-ACv2

Those times when the VPN gateway represented a big metal piece of steel which could be configured only by the specially trained system administrator leave in the past. Today dictates new conditions: more and more employees work on the remote, continuing to work hard even during vacations. And when in such a modern and creative company there is a simple task to make access to the local network for employees from anywhere in the world, there is a dilemma: to use the cloud or the old fashioned way to set up a reliable VPN.

ZyXEL has a long-established brand ZyWALL, under which it produces firewalls / VPN gateways for banks, pharmaceutical companies and other commercial structures. Model Zywall VPN2S is a bold experiment: bite if the creative class on its time-tested brand?

Key Features

The fist of all thing that we bring to the top of the list is the support of two or more Internet providers (multi-Wan load balancing function). Firstly, it increases the network resiliency, and secondly it helps to distribute traffic over several channels, and the latter distinguishes Zywall VPN2S from conventional routers, which, although they support several providers, but only in active-standby mode, switching between them when communication fails. Traffic balancing is a feature thanks to which video communication will work even if someone hard downloads torrents in the office.

The second is the support of 3G/4G modems, which for such a device is just a Must Have, because both as a dedicated backup channel they can be used, and as the main one, if you provide the operation of any outdoor event.

The third is the increasingly popular content filtering and security feature at the login level of your network. In General, this function has always been in such gateways, but only in the last few years it has become more important than installing anti-virus on office computers. Why? Yes, everything is very simple: an infected computer is useless to scan for viruses, any exploit will first turn off the existing protection, and some devices can not be put software on the requirements of it security. The centralized security gateway is another line of defense that will protect against botnets looking for vulnerabilities in your devices, spam, various malware and intrusions. Of course, you need to understand that all this can not be implemented in the entry-level model, and in Zywall VPN2S implements only the content filtering model to protect the office. But this is enough.

Think for yourself: the gateway can block access to 64 different categories of threats, including anonymizers, phishing and fraudulent sites, to social. networks and porn sites. We will check how it works during testing.


By design, let’s face it: this is a completely uninteresting model, inconspicuous and inconspicuous. Zyxel Zywall VPN2S is easy to get lost on your desktop or on the nightstand in the utility room, namely this from such a device and is required to forget where it is installed.

The gateway does not have a fan, and judging by the design of the body, does not impose any requirements for cooling, so you can put it where you want.

The interface will not just have to get used to - it will have to learn, even if you are familiar with security gateways. For example, we are already used to the fact that even in home routers the LAN/WAN separation is no longer available, and each port can both access the Internet and pass traffic inside the home network. Here it is not: vpn2s has one WAN, three LAN and one optional port, which can be both LAN and WAN.

In accordance with modern fashion, almost all settings use profiles, although for this class of devices it is an unnecessary complication that is not necessary. Creative managers need to configure VPN in one or two clicks, and not bind L2TP profile to IPSec profile, wondering why it does not work. This problem is partly solved by the configuration wizard, which will enable PPTP, but will forget to add the corresponding rule to the Firewall. At the same time, some settings, well, for example, DoS Protection, do not have any settings.

In General, I think that for the main audience, which is designed Zyxel VPN2S, this device is too complicated.

Firewall and Security

The access table is limited to 500 records, and this number does not include services running on the gateway itself - they have a separate tab. In addition to ports and protocols, you can only specify the rate for each entry in the rules settings. This is no surprise today, and it was all in the home routers many years ago.

But the highlight of Zyxel VPN2S is the ability to disable access to different types of sites for different categories of users. Set up managers with access to social services.networks, so they can sell your product, stuffing people into friends, give technicians access to sites with documentation and reviews, remove all restrictions from the guests of your office, and forbid the authorities to read the news. Moreover, you specify only the category of media, not sites. How does Zyxel know which site belongs to which category? That’s what you pay for when you subscribe to signatures. And by the way, be careful: even if you have content filtering available through the management interface, you still need to purchase a license to activate this service.

This is really a very cool feature that is able to raise the rhythm of work in your company, not allowing to be distracted by all sorts of YouTube, especially if your office is underground, where 4G does not catch.

What about Wi-Fi?

Security gateways are most often installed in telecommunication cabinets under the ceiling. At Zyxel Zywall VPN2S for these purposes, there are even holes for the brackets, so anyway, but the access point will have to buy and install separately. Given that a good hot spot for an internal installation costs $ 60-80, this is a small waste. Today, any integrator will tell you that three companies do quality access points: Cisco, Zyxel and Ubiquiti. “Cisco” in our hands was not, but it turned out to compare Ubiquiti UAP-Pro AC (1750 Mbps) Zyxel NWA1123-ACv2.

Visually Ubiquiti looks larger, although it has a lower profile, and when mounted on the ceiling, does not take up space as Zyxel. A higher speed of 1750 Mbps when connected with 1 cable at a speed of 1 Gbit/s is an irrelevant advantage for small rooms for a dozen people.

“Under the hood” these two hotspots represent two completely different ideologies, from two worlds. The Zyxel is a component circuit in which the antennas are placed outside the motherboard and shielded with a thick metal sheet, which is clearly seen in the photo. Apparently, the guys from Zyxel had a lot of aluminum in the warehouses, so between the motherboard of the access point and the radio module there is a massive aluminum heat sink that acts as a screen. The ubiquiti access point, of course, does not have this.

As for the antennas, ZyXEL has 4 of them (2 for 2.4 GHz + 2 for 5 GHz), and Ubiquiti has only 3 dual-band antennas, each of which works in both bands, which is more typical for home routers. Of course, single-band antennas will always work better than universal ones. Another thing is that you will not always be able to see these differences in practice.

Setting up a Ubiquiti UAP-AC-Pro access point is a pain. First, we must understand that this is a professional equipment produced for those who install and maintain dozens of them, so it is configured only through a software server that is written in Java, which is not the first time installed under Windows and rolls out critical security updates twice a day. Yes, if there are hundreds of access points - there this minus translates into a plus. But if something goes wrong with your local server in Java or if you need 2-3 access points in the office, then Zyxel Nebula is more convenient and practical: you can enter the cloud service from any browser, add an infinite number of hot spots to your network without worrying about how the management system itself functions.

Test Bench:

Let’s start with the speed of the local switch on the LAN ports.

Zyxel does not say what the buffer size of the built-in network gateway switch is, but our tests show that if you have an active traffic exchange inside the network, for example through file servers or hot spots, it is better to buy a good switch, such as Zyxel GS-1920

review of whitch we published on our website. But the performance of LAN - WAN is much more important for the gateway.

PPTP VPN performance is excellent, but L2TP - at the level of home routers of the middle class.


The main thing for which it is worth buying this model is content filtering, implemented by a list of signatures of websites, VPN server and support for two or more Internet lines. This gateway is positioned as a starting solution for a small office, and although I was waiting for something more, looking at the price, I realized that I was wrong. In fact, Zyxel-I have this great database of sites that allows you to limit access entirely to the categories of media sources, and the manufacturer just Packed it in a box price as a good home router, adding a VPN server and a simple Firewall.

As a solution for those who are too lazy to set up Mikrotik or dig into OpenWRT, this is quite a viable option, especially with the ability to block your employees half of the Internet, and include in the form of awards for quarterly or annual performance. Let them work for access to, instagram or wherever they hang out during business hours.