VPN Performance
After enabling each VPN tunnel, I tested VPN performance. I tested the ZyWALL 110's VPN performance with iperf using default TCP settings, with a TCP window size of 8 KB and no other options. I ran iperf on two PCs running 64-bit Windows with their software firewall disabled. (Running a simple iperf throughput test between two PCs uses the command iperf -s on one PC and iperf -c (ip) on the other PC.)
ZyXEL rates the ZyWALL 110 as capable of up to 300Mbps IPsec VPN throughput, which is the highest IPsec VPN throughput rating of any VPN router I've tested. Note that ZyXEL's data sheet for the ZyWALL 110 states this VPN rating is based on UDP traffic, which has lower overhead than TCP/IP.
As mentioned, I tested VPN throughput using TCP/IP, which is reflective of common network traffic such as web and email traffic, so I didn't expect to match ZyXEL's 300 Mbps spec. Table 1 shows the measured throughput for each VPN tunnel type.
| Throughput (Mbps) | ||
|---|---|---|
| VPN_Tunnel_Type | Gateway-Client | Client-Gateway |
| IPsec Site-Site | 61.3 | 72.5 |
| IPsec Client | 106.3 | 185 |
| L2TP Client | 89.4 | 63.1 |
| SSL Client | 27.6 | 23.9 |
Table 1: VPN throughput
The ZyWALL 110's IPsec client throughput of 106.3 and 185 Mbps are the fastest VPN throughput numbers I've measured! The previous top performer in my tests was the Cisco ISA550W at 91.6 Mbps for both directions. Further, the ZyWALL 110's throughput numbers for both IPsec and SSL are over four times faster than the previous ZyXEL security device I tested, the ZyXEL USG20, which topped out at 27.8 Mbps for IPsec and 4.78 Mbps for SSL.
The ZyWALL 110 is clearly an advanced VPN router with impressive VPN throughput. I was able to set up and use all VPN tunnel types and I had several of them running simultaneously. Some VPN routers I've tested have limited throughput capability for remote client solutions, such as PPTP, L2TP, or SSL. The ZyXEL 110's throughput for all remote VPN tunnel types exceeds the capacity of many remote Internet connections, providing quite a few options for remote user access.
Firewall
The ZyWALL is a VPN and a firewall device, with the focus on passing desired traffic at high speed. Configuring the firewall for filtering traffic is also a key feature. I found the ZyWALL firewall to have a good bit of capability and quite simple to configure. There is a basic checkbox to enable and disable the stateful packet inspection (SPI) firewall, which comes in handy for troubleshooting.
Firewall rules can be configured using zones, schedule objects, users, source and destination addresses or objects and service objects. I like this object-oriented approach to configuration, I find it more flexible. Each rule, once created, can be individually activated or deactivated.
I set up a simple rule to filter iperf traffic through any interface on the ZyWALL, as shown below. With the rule inactive, I had no problem running iperf tests. Once I activated this rule, I could no longer pass iperf traffic, validating the effectiveness of my rule.
Firewall Rule
In addition to creating firewall rules to filter traffic, the ZyWALL 110 has a session control mechanism that allows you to create a rule to limit the number of sessions a user or specific IP address can generate. This tool provides a form of end-user network control.
Routing Performance
Routing performance for the ZyWALL 110 loaded with V3.10(AAAA.2) firmware and using our standard test method is summarized below. The maximum simultaneous connections result is at the limit of our test process, indicating the ZyWALL can certainly support plenty of user sessions.
| Test Description | ZyWALL 110 |
|---|---|
| WAN - LAN | 662 |
| LAN - WAN | 420 |
| Total Simultaneous | 629 |
| Maximum Simultaneous Connections | 33,652 |
| Firmware Version | V3.10(AAAA.2) |
Table 2: Routing Performance Summary
Throughput results for unidirectional download and upload speeds are shown in the composite IxChariot plot below. The download speed result looks pretty consistent, but there is quite a bit more variation in the upload speed result.
Unidirectional Throughput
Simultaneous up/downlink throughput shows a good bit of variation in both directions as you can see in the below plot. 629 Mbps is a pretty good number, but far from ZyXEL's spec of 1,000 Mbps.
Bidirectional Throughput
Conclusion
I've summarized key performance numbers and price in the below chart for the ZyWALL 110 and a few other multi-WAN VPN routers I've tested.
| Product | Throughput (Mbps) |
Price (Amazon) |
||
|---|---|---|---|---|
| WAN - LAN | LAN - WAN | IPsec (Max.) | ||
| ZyXEL ZyWALL 110 | 662 | 420 | 185 | $339 |
| Cisco ISA550 | 200 | 255 | 92 | $280 |
| Cisco RV042v3 | 89 | 91 | 48 | $141 |
| NETGEAR SRX5308 | 448 | 581 | 43 | $363 |
Table 3: VPN Router Performance Summary
Without a doubt, the ZyWALL 110's maximum IPsec throughput of 185 Mbps is the fastest of any VPN router I've tested. Its routing throughput is also significantly faster than the less expensive Cisco routers. However, the NETGEAR SRX5308, a VPN router I tested several years ago, produces higher upload throughput at 581 Mbps to the ZyWALL's 420 Mbps.
Bottom line, I was impressed with the ZyWALL 110. I liked the simplicity and capability of its firewall. Further, it has all the VPN capability you need to connect to remote offices via site-to-site tunnels, to client PCs with SSL and IPsec and to smart phones and tablets with L2TP. With the ZyWALL 110's IPsec, L2TP, and SSL VPN throughput, your remote users will be able to connect to your network as fast as their Internet connection will let them!
Buy This Product From Amazon
Updated - Our first look at the performance of NETGEAR's RAX80 and ASUS' RT-AX88U shows little benefit functioning as AC routers.
Updated: The first draft 11ax routers are almost here. Take a little time to know what you might be buying into.
Updated - 160 MHz channel bandwidth is an essential feature of 802.11ax. We take a look at whether it means trouble for your 11ac network.
Ever wonder what happens behind the scenes when Wi-Fi devices roam, or more likely don't? We'll show you why the "seamless" roaming Wi-Fi gear makers promise is still as elusive as a Yeti.