We recently tested five dual-WAN routers: The ZyWall 70 from Zyxel Communications; TZ 170 from SonicWall; XC-DPG602 from Xincom; H2WR54G from Hawking Technologies; and FortiGate-60 from Fortinet.
With more than 27.4 million broadband subscribers in the U.S., chances are you have access to multiple WAN connections (DSL, cable, satellite or all three). For small businesses and others who want Internet access redundancy and improved speed, companies are producing dual-WAN routers for combining two broadband connections on your network.
We recently tested five dual-WAN routers - the ZyWall 70 from Zyxel Communications; TZ 170 from SonicWall; XC-DPG602 from Xincom; H2WR54G from Hawking Technologies; and FortiGate-60 from Fortinet - and focused on their ability to control a WAN connection and other features. We also tested the Safe@Office 225 from Check Point, which only offers failover but not concurrent access (see story).
Check Point's Safe@Office 225
The TZ 170 from SonicWall gets the nod for our favorite (Clear Choice Award), for its security, configuration options and additional features (some at extra cost). Budget seekers should rejoice at Hawking's product, which includes wireless support, and the Zyxel ZyWall 70 comes in a close second to SonicWall.
Choosing your features
Many of the routers will support: Outbound load balancing. Inbound load balancing (low-end units have outbound only). QoS. VPN. Demilitarized zone (DMZ). Virus filtering on content (both inbound and outbound) and e-mail (at least inbound). Intrusion detection. Web content filtering.
Routers vary in CPU speeds and amount of RAM, usually reflected by the number of VPN connections supported concurrently. Because connection counts for all these systems start in the thousands of dollars, midsize networks should not feel limited. However, the number of VPN sessions supported often have server restrictions, so check carefully if your network needs to support many VPN clients.
The inbound load-balancing features make the routers useful when combining two of the same high-speed WAN connections, such as two cable modem links. Because cable downstream speeds range from 1.5M to 3M bit/sec and DSL links provide less than 512K bit/sec, a mixed pair of connections offers little speed improvement and can slow access if misconfigured. However, a mixed connection still offers Internet access redundancy.
One warning on every dual-WAN system: You must be able to route all outgoing SMTP traffic to the appropriate WAN link. Most ISPs reject all mail not originating on their own network, so routing an outgoing e-mail to the wrong WAN link results in an error. Using an internal e-mail server, one connected to the DMZ, or sending e-mail through a Web-hosting service rather than an ISP, eliminates this problem.
During our testing, the SonicWall TZ 170 developers plugged a major hole in their feature list by supporting load balancing for incoming traffic with a new firmware revision. But you must purchase the enhanced operating system to get the TZ 170 to support dual-WAN connections. The same small plastic housing supports all the various TZ 170 permutations, so looks don't indicate supported features.
Installation and configuration took some time. Unlike the other units we tested, the TZ 170 does not enable its Dynamic Host Configuration Protocol (DHCP) server by default. You must change your computer address to match the default IP network settings of the TZ 170, then configure the DHCP address range along with other initialization settings through its attractive wizard. But after rebooting and head-scratching, we discovered that setting the DHCP range does not turn on the DHCP server, and we had to turn it on manually. The quick-start guide includes nine pages of dense text, blunting the idea of a "quick" start. Our technical support contact agreed that the DHCP configuration was a bad design decision and he had no explanation.
Because only the tested enhanced version of the TZ 170 includes dual-WAN support, there's no WAN2 plug on the unit (software adds the feature). Using the OPT (optional) Ethernet connector WAN2 isn't a problem because any or all of the five 10/100Base-T Ethernet ports on the unit can be configured for DMZ use. The SonicWall Web-based administration utility includes stacked menus on the left side of the screen, but no tabbed pages on the right. Instead, multiple command icons pop open new, smaller windows for configuration settings or explanation. This sounds clumsier than it is, because drilling down into details works easily. Multiple wizards await for chores such as VPN settings, public server (DMZ) access and initial setup.
The good news: SonicWall provides great flexibility in configuring its firewall. The bad news: There is almost too much to learn and handle for most small-business users who will require help from their reseller. Where the ZyWall had 44 services configured in the drop-down menu, the TZ 170 has 140. SonicWall uses Zones for networks, including several screens of a matrix describing the relationship of zones (WAN-to-LAN, for example) and which firewall, routing or network address translation rules apply to that particular connection. You even can have five different classes of users, from Everyone to Limited Administrators, and include any class in a rule. Few small to midsize businesses will be able to configure this without help, but getting help will provide them with excellent protection.
Handling the dual-WAN connection worked well on the TZ 170. Unlike all other units we tested, the TZ 170 picked up and continued to stream audio files when we disconnected the cable modem and forced the unit to switch to the DSl connection. It also switched to the faster service when we re-connected, again without interruption.
Security options abound, but order them carefully. For example, you can purchase network anti-virus and server anti-virus, but not have e-mail anti-virus filtering. Nodes/users are counted by active IP addresses on the network rather than concurrent users through the router, so you might need more licenses than you think.
SMTP routing to the proper WAN port took only a few mouse clicks. Five drop-down menus led us through choosing the source (LAN), the destination (any), service (SMTP send e-mail), gateway (WAN Primary IP), and interface (WAN). Once we got over the surprise at all the choices available, making rules wasn't difficult, and we could tweak settings the way we wanted them.
Although a bit aggravating to get the right options purchased and DHCP figured out, once running, the SonicWall offered a wealth of pre-defined firewall settings and choice, and the only failover that kept up a continuous audio stream.
Zyxel ZyWall 70
Called an Internet security appliance to emphasize features beyond routing, the ZyWall 70 is one of 11 routers that Zyxel calls an appliance or a gateway. Installation involved booting clients to accept IP address information from the ZyWall 70 box to start configuration. Screens are clear and well laid out, with a menu down the left side and page tabs shown clearly on the active page. The electronic manual is long (713 pages), but includes hundreds of pages devoted to the console connection and old-fashioned (and somewhat painful) terminal command interface and command syntax.
You can set up a DMZ, but there is no separate Ethernet port for it. IP addresses separate traffic for each DMZ system. While this works, a specific port is always appreciated to avoid confusion and limit port-specific configuration chores. Default traffic rules allow connections between the DMZ and the WANs in both directions, and only allows outbound traffic from the LAN to the DMZ. Traffic from the DMZ to the LAN is blocked unless rules are added to allow access, which is the security configuration we expected.
Managing the ZyWall 70 is simple because of its clear Web management application interface. The Home page shows that status for each type of connection (LAN, WAN, wireless LAN and DMZ) with buttons the display statistics, DHCP table or VPN status with one click.
Security controls include the firewall, certificate controls (trusted certificate authorities and trusted remote hosts), RADIUS support and a complete content filter option. The firewall uses stateful packet inspection with denial-of-service protection. Firewall rules are easy to create, with check boxes and 44 services predefined for easy control. Time-of-day controls for firewall rules also are included, providing a fairly complete and workable security control situation.
The ZyWall 70 let us specify the WAN1 port for all outgoing SMTP traffic but required the use of console commands outside the regular management interface.
Bandwidth management includes options to define classes and provide extra bandwidth to certain classes, such as VoIP or video. Engaging the priority-based scheduler allocates extra bandwidth to configured services, such as VoIP, while the fairness-based scheduler tries to keep things even between the service classes, and adjusts easily with a mouse click. This approach also makes it easy to configure symmetrical or asymmetrical WAN links. The ZyWall 70 installed easily, provided great port flexibility with four DMZ ports, included plenty of firewall detail and supports an optional wireless PC Card. But forcing traffic, such as SMTP, to a particular WAN port required console commands via telnet.
The fourth in a five-member family of dual-WAN routers, the XC-DPG602 lacks VPN support, but does have inbound load balancing (as does the 603, but no others). Scaling up from the low-end 402, the Xincom Twin WAN line also includes the 502, 503 and 603 (in addition to the 602 that we tested).
The quick-start guide is exactly that, covering all necessary details on both sides of a 5- by 7-inch paper. The manual is clear but very short (50 pages) for a complicated router. The router only supports Microsoft Internet Explorer browser (which the guide doesn't mention), but the DHCP server works correctly, and the box grabbed network setup details from the cable modem quickly and accurately. In fact, this box resets and reboots faster than any we tested.
Configuration for both WAN ports occurs on the same page of the admin utility (side by side), which is a nice touch. The WAN ports can be configured as backup or be load balanced, and load balancing has its own configuration page. You can set balancing by bytes, packets or sessions established, and then set the load percentage on WAN1. We put the cable modem on WAN1 and set it to carry 90% of the load. When we unplugged the cable modem, the streaming music almost always continued without missing a beat over the DSl link. Unfortunately, the Xincom couldn't always reset the DSl connection when it was unplugged, and we had to reconnect the link manually.
Multiple DMZs can be established, using one or more of the four 10/100Base-T Ethernet ports on the unit (there is no dedicated DMZ port). There is no easy way to filter traffic from the LAN to the DMZ or back (as the ZyWall 70 and SonicWall units do), but individual DMZ session links can be controlled through the Advanced Setup page. The Advanced Setup menu also includes Advanced Features, which has a handy checkbox to tie SMTP traffic to one of the two WAN ports, ensuring outgoing e-mail goes through the proper network.
A firewall with SPI is included, although the left-side menu says "Security Management" rather than "firewall." Various service ports can be blocked easily, but drop-down menus only provide six types of services, compared with the huge number from SonicWall. Blocking or opening ports in the firewall requires manually filling out some forms.
QoS support doesn't provide much management flexibility, but is included in all others except the Hawking. You can view online a data-dump system log, but Xincom provides room to configure three separate syslog servers to handle the parsing for you.
WAN status and traffic totals are available on several screens, but updates requires clicking a button.
The easy installation, clean administrative interface and good WAN failover results make it possible to almost excuse the limited and non-intuitive security and firewall settings. Oddly, this was the only unit that demanded Internet Explorer and balked at Mozilla.
The H2WR54G from Hawking packs a bunch of features into a small device. Not only does the router support dual-WAN links, it includes an 802.11g wireless LAN (WLAN) module and basic firewall security. The H2WR54G is the most expensive of the three dual-WAN routers Hawking sells, even though it was the least-expensive unit in our test.
A study shows that if the U.S. mandates backdoors to decrypt secret messages, there are hundreds of...
KDE's recently announced Linux distro, KDE Neon, seems like a questionable move that has the potential...
A prominent Linux kernel developer announced today in a blog post that she would step down from her...
As enterprises struggle to keep up with their internal demand for mobile apps, more are turning to more...
Amazon does a great job with infrastructure, but securing your cloud applications and environment is up...
Not quite 2:1 adoption rate for ACI like last fall, but close
When it comes to gripes about IT, CIOs need to go back to basics to address the needs of their most...