We recently tested five dual-WAN routers: The ZyWall 70 from Zyxel Communications; TZ 170 from SonicWall; XC-DPG602 from Xincom; H2WR54G from Hawking Technologies; and FortiGate-60 from Fortinet.
With more than 27.4 million broadband subscribers in the U.S., chances are you have access to multiple WAN connections (DSL, cable, satellite or all three). For small businesses and others who want Internet access redundancy and improved speed, companies are producing dual-WAN routers for combining two broadband connections on your network.
We recently tested five dual-WAN routers - the ZyWall 70 from Zyxel Communications; TZ 170 from SonicWall; XC-DPG602 from Xincom; H2WR54G from Hawking Technologies; and FortiGate-60 from Fortinet - and focused on their ability to control a WAN connection and other features. We also tested the Safe@Office 225 from Check Point, which only offers failover but not concurrent access (see story).
The TZ 170 from SonicWall gets the nod for our favorite (Clear Choice Award), for its security, configuration options and additional features (some at extra cost). Budget seekers should rejoice at Hawking's product, which includes wireless support, and the Zyxel ZyWall 70 comes in a close second to SonicWall.
Choosing your features
Many of the routers support:
- Outbound load balancing.
- Inbound load balancing (low-end units have outbound only).
- QoS.
- VPN.
- Demilitarized zone (DMZ).
- Virus filtering on content (both inbound and outbound) and e-mail (at least inbound).
- Intrusion detection.
- Web content filtering.
Routers vary in CPU speed and amount of RAM, which is usually reflected in the number of VPN connections they can hold open at once. Because the concurrent-connection counts for all these systems start in the thousands, midsize networks should not feel limited. However, the number of VPN sessions a unit supports is often capped separately from its overall connection count, so check that figure carefully if your network needs to support many VPN clients.
The inbound load-balancing features are most useful when you combine two WAN connections of similar speed, such as two cable modem links. Because cable downstream speeds range from 1.5M to 3M bit/sec while DSL links provide less than 512K bit/sec, a mixed pair offers little speed improvement and can actually slow access if the balancing is misconfigured (for example, by sending an even share of sessions down the much slower link). A mixed pair still provides Internet access redundancy, however.
One warning that applies to every dual-WAN system: you must be able to force all outgoing SMTP traffic onto the right WAN link. Most ISPs' mail relays reject mail that does not originate from an address on their own network, so an outgoing message that leaves through the other ISP's link bounces with an error. Running your own mail server (one connected to the DMZ, for instance), or submitting outgoing mail through a Web-hosting service rather than the ISP's relay, removes the dependency on which link the mail leaves by.
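The SMTP-steering rule the warning calls for, as an added example; this is not code from any of the reviewed products. It models the rule form the units expose (source, destination, service, gateway) and adds the behaviour a practitioner wants when the pinned ISP link goes down: mail is deferred rather than pushed out the other ISP, where the relay would reject it. Link names, address ranges and the port number are constructed for the example.

```python
"""Policy-based egress selection for a dual-WAN edge (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Link:
    name: str
    up: bool = True


@dataclass
class Rule:
    source: str            # CIDR the flow must come from
    dest: str              # CIDR it must go to, or "any"
    service: int           # TCP destination port, 0 = any
    gateway: str           # link name to send matching flows out of
    strict: bool = False   # True: never fall back to another link


# Constructed topology: WAN1 is the ISP that runs our outbound mail relay.
LINKS = {"WAN1": Link("WAN1"), "WAN2": Link("WAN2")}

# Constructed policy: pin SMTP (port 25) from the LAN to WAN1, strictly.
RULES = [Rule("192.168.1.0/24", "any", 25, "WAN1", strict=True)]


def rule_matches(rule, src, dst, port):
    """True if the flow (src, dst, destination port) falls under the rule."""
    if ip_address(src) not in ip_network(rule.source):
        return False
    if rule.dest != "any" and ip_address(dst) not in ip_network(rule.dest):
        return False
    return rule.service in (0, port)


def choose_egress(src, dst, port, links=LINKS, rules=RULES, preferred="WAN1"):
    """Return the link a new flow should leave by, or None to defer it.

    First matching rule wins. A strict rule whose gateway is down defers the
    flow (None) instead of misrouting it; a non-strict rule, or no rule at
    all, falls back to the preferred link if it is up, else any other link
    that is up.
    """
    for rule in rules:
        if rule_matches(rule, src, dst, port):
            gw = links[rule.gateway]
            if gw.up:
                return gw.name
            if rule.strict:
                return None
            break
    for name in [preferred] + [n for n in links if n != preferred]:
        if links[name].up:
            return name
    return None
```

A mail server placed in the DMZ (172.16.0.0/24 in the example) matches no rule, so it talks to recipient mail exchangers directly over whichever link is up; that is the "internal e-mail server" escape hatch described above.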
SonicWall TZ 170
During our testing, SonicWall's developers plugged a major hole in the TZ 170's feature list by adding load balancing for incoming traffic in a new firmware revision. But you must purchase the enhanced operating system to get the TZ 170 to support dual-WAN connections at all. The same small plastic housing is used for every TZ 170 permutation, so the unit's appearance tells you nothing about which features it supports.
Installation and configuration took some time. Unlike the other units we tested, the TZ 170 does not enable its Dynamic Host Configuration Protocol (DHCP) server by default. You must set your computer's address to match the TZ 170's default IP network settings, then configure the DHCP address range along with the other initialization settings through its attractive wizard. After rebooting and some head-scratching, we discovered that setting the DHCP range does not turn on the DHCP server; we had to turn it on manually. The quick-start guide runs to nine pages of dense text, blunting the idea of a "quick" start. Our technical support contact agreed that the DHCP behavior was a bad design decision and had no explanation for it.
Because dual-WAN support comes only with the enhanced version we tested, there is no connector labeled WAN2 on the unit; the software adds the feature. Using the OPT (optional) Ethernet connector as WAN2 isn't a problem, because any or all of the five 10/100Base-T Ethernet ports can be configured for DMZ use instead. The SonicWall Web-based administration utility uses stacked menus on the left side of the screen but no tabbed pages on the right; instead, command icons pop open smaller windows for configuration settings or explanations. This sounds clumsier than it is, because drilling down into details works easily. Wizards are provided for chores such as VPN settings, public server (DMZ) access and initial setup.
The good news: SonicWall provides great flexibility in configuring its firewall. The bad news: there is almost too much to learn and handle for most small-business users, who will need help from their reseller. Where the ZyWall has 44 services predefined in its drop-down menu, the TZ 170 has 140. SonicWall groups networks into Zones, with several screens of a matrix describing the relationship between zone pairs (WAN-to-LAN, for example) and which firewall, routing or network address translation rules apply to that particular path. You can even define five classes of users, from Everyone to Limited Administrators, and include any class in a rule. Few small to midsize businesses will be able to configure this without help, but those who get it will end up with excellent protection.
Handling the dual-WAN connection worked well on the TZ 170. Unlike every other unit we tested, the TZ 170 kept streaming audio files without a break when we disconnected the cable modem and forced it to switch to the DSL connection. It also switched back to the faster service when we reconnected the cable modem, again without interruption.
Security options abound, but order them carefully. For example, you can purchase network anti-virus and server anti-virus and still not have e-mail anti-virus filtering. Nodes/users are counted by active IP addresses seen on the network rather than by concurrent users passing through the router, so you might need more licenses than you think.
SMTP routing to the proper WAN port took only a few mouse clicks. Five drop-down menus led us through choosing the source (LAN), the destination (any), service (SMTP send e-mail), gateway (WAN Primary IP), and interface (WAN). Once we got over the surprise at all the choices available, making rules wasn't difficult, and we could tweak settings the way we wanted them.
Although a bit aggravating to get the right options purchased and DHCP figured out, once running, the SonicWall offered a wealth of pre-defined firewall settings and choice, and the only failover that kept up a continuous audio stream.
Zyxel ZyWall 70
Called an Internet security appliance to emphasize features beyond routing, the ZyWall 70 is one of 11 routers that Zyxel calls an appliance or a gateway. Installation involved booting clients to accept IP address information from the ZyWall 70 box to start configuration. Screens are clear and well laid out, with a menu down the left side and page tabs shown clearly on the active page. The electronic manual is long (713 pages), but includes hundreds of pages devoted to the console connection and old-fashioned (and somewhat painful) terminal command interface and command syntax.
You can set up a DMZ, but there is no separate Ethernet port for it; IP addresses separate the traffic for each DMZ system. While this works, a dedicated port is always appreciated, both to avoid confusion and to limit port-specific configuration chores. The default traffic rules allow connections between the DMZ and the WANs in both directions, allow only outbound traffic from the LAN to the DMZ, and block traffic from the DMZ to the LAN unless rules are added to permit it. That is the default posture we expected: a compromised DMZ host should not get a free path into the LAN.
Managing the ZyWall 70 is simple because of its clear Web management interface. The Home page shows the status of each type of connection (LAN, WAN, wireless LAN and DMZ), with buttons that display statistics, the DHCP table or VPN status with one click.
Security controls include the firewall, certificate controls (trusted certificate authorities and trusted remote hosts), RADIUS support and a complete content filter option. The firewall uses stateful packet inspection with denial-of-service protection. Firewall rules are easy to create, with check boxes and 44 services predefined for easy control. Time-of-day controls for firewall rules also are included, providing a fairly complete and workable security control situation.
The ZyWall 70 let us specify the WAN1 port for all outgoing SMTP traffic but required the use of console commands outside the regular management interface.
Bandwidth management includes options to define classes and give extra bandwidth to certain classes, such as VoIP or video. Engaging the priority-based scheduler allocates extra bandwidth to configured services, such as VoIP, while the fairness-based scheduler tries to keep things even between the service classes; switching between them takes a mouse click. This approach also makes it easy to configure symmetrical or asymmetrical WAN links. The ZyWall 70 installed easily, provided great port flexibility (four ports can serve the DMZ), included plenty of firewall detail and supports an optional wireless PC Card. But forcing traffic, such as SMTP, to a particular WAN port required console commands entered via telnet. Telnet is a cleartext protocol, so do that from the serial console or a trusted management segment rather than across any network you don't control.
Xincom XC-DPG602
The XC-DPG602 is the fourth in a five-member family of dual-WAN routers: scaling up from the low-end 402, the Xincom Twin WAN line also includes the 502, 503 and 603. The 602 lacks VPN support but does have inbound load balancing (as does the 603, but none of the others).
The quick-start guide is exactly that, covering all the necessary details on both sides of a 5- by 7-inch sheet. The manual is clear but very short (50 pages) for a complicated router. The router supports only the Microsoft Internet Explorer browser (which the guide doesn't mention), but the DHCP server works correctly, and the box grabbed network setup details from the cable modem quickly and accurately. In fact, this box resets and reboots faster than any we tested.
Configuration for both WAN ports occurs on the same page of the admin utility (side by side), which is a nice touch. The WAN ports can be configured as backup or be load balanced, and load balancing has its own configuration page. You can balance by bytes, packets or sessions established, and then set the percentage of the load WAN1 should carry. We put the cable modem on WAN1 and set it to carry 90% of the load. When we unplugged the cable modem, the streaming music almost always continued without missing a beat over the DSL link. Unfortunately, the Xincom couldn't always re-establish the DSL connection after it had been unplugged, and we had to reconnect that link manually.
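The balancing behaviour just described, as an added example rather than Xincom's code: the operator picks a metric (sessions, packets or bytes) and the percentage of that metric WAN1 should carry, and each new session goes to the link in service whose observed share is furthest below its target. A link that is down receives nothing, so new sessions shift to the other link, and the split re-converges when the link returns. The link names and the traffic counters are constructed for the example.

```python
"""Weighted dual-WAN session balancing with failover (added example)."""
METRICS = ("sessions", "packets", "bytes")


class Balancer:
    def __init__(self, wan1_percent=50, metric="sessions"):
        if metric not in METRICS:
            raise ValueError("unknown metric: %s" % metric)
        self.metric = metric
        self.target = {"WAN1": wan1_percent / 100.0,
                       "WAN2": 1.0 - wan1_percent / 100.0}
        self.up = {"WAN1": True, "WAN2": True}
        # per-link counters, as the router's WAN statistics would hold them
        self.counters = {link: dict.fromkeys(METRICS, 0) for link in self.up}

    def set_link(self, link, up):
        """Mark a WAN link up or down (link-state change from the modem)."""
        self.up[link] = up

    def account(self, link, packets=0, nbytes=0):
        """Record traffic observed on a link after sessions were assigned."""
        self.counters[link]["packets"] += packets
        self.counters[link]["bytes"] += nbytes

    def _share(self, link):
        total = sum(c[self.metric] for c in self.counters.values())
        return self.counters[link][self.metric] / total if total else 0.0

    def assign(self):
        """Pick the link for a new session, or None if both links are down."""
        live = [link for link in self.up if self.up[link]]
        if not live:
            return None
        # deficit = how far below its target share the link currently sits;
        # ties go to the link with the larger target (WAN1 at 90%, say)
        link = max(live, key=lambda l: (self.target[l] - self._share(l),
                                         self.target[l]))
        self.counters[link]["sessions"] += 1
        return link
```

With WAN1 set to 90% and the sessions metric, ten new sessions split 9:1; with the bytes metric, a link that has already moved most of the bytes yields the next session to the other one regardless of session counts, which is why the choice of metric matters when one link carries a few large transfers.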
Multiple DMZs can be established, using one or more of the four 10/100Base-T Ethernet ports on the unit (there is no dedicated DMZ port). There is no easy way to filter traffic from the LAN to the DMZ or back (as the ZyWall 70 and SonicWall units do), but individual DMZ session links can be controlled through the Advanced Setup page. The Advanced Setup menu also includes Advanced Features, which has a handy checkbox to tie SMTP traffic to one of the two WAN ports, ensuring outgoing e-mail goes through the proper network.
A firewall with stateful packet inspection (SPI) is included, although the left-side menu calls it "Security Management" rather than "firewall." Various service ports can be blocked easily, but the drop-down menus offer only six types of service, compared with the huge number SonicWall provides. Blocking or opening any other port requires filling out forms by hand.
QoS support is included, as it is on every unit except the Hawking, but it offers little management flexibility. You can view a raw data-dump system log online, and Xincom provides room to configure three separate syslog servers so the parsing can happen off the box.
WAN status and traffic totals are available on several screens, but updating them requires clicking a button.
The easy installation, clean administrative interface and good WAN failover results make it possible to almost excuse the limited and non-intuitive security and firewall settings. Oddly, this was the only unit that demanded Internet Explorer and balked at Mozilla.
Hawking H2WR54G
The H2WR54G from Hawking packs a lot of features into a small device. Not only does the router support dual-WAN links, it includes an 802.11g wireless LAN (WLAN) module and basic firewall security. The H2WR54G is the most expensive of the three dual-WAN routers Hawking sells, even though it was the least-expensive unit in our test.
If only there weren't so many shortcomings. The quick-installation guide (25 pocket-book pages in tiny print) said we must provide the IP address of a timeserver during installation of the H2WR54G, but didn't say that setup stops until a timeserver IP address is in place and the system has verified it. The guide then suggested we look up timeservers on the Web, forgetting that we have no route to the Internet until we fill in a timeserver IP address in the setup screens. That's as good a Catch-22 as we've ever seen in a setup guide. We plugged in another router and copied a valid IP address from its timeserver setting, but we have no idea how a typical small-business owner would handle this snafu.
Any of the four 10/100Base-T Ethernet ports can be used for the DMZ by providing the IP address of the device to be exposed to the Internet. There is no QoS support.
Firewall rules are created by choosing a PC's IP address and selecting one or more of the 16 predefined services displayed. There is no way to block all users from using, for instance, MSN Messenger; you can only block individual devices. This level of protection fits a consumer device or a very small business, but not one serious about security. At least the firewall is enabled by default, as is the denial-of-service protection. There is no enterprise authentication support, such as RADIUS or even Lightweight Directory Access Protocol.
The minimal browser-based management application uses the same left-menu template as the others, but none of its pages is long or detailed enough to need tabs for drilling down. Two logs are available, one system and one security, but no parsing or explanations are offered, and there is no way to send the logs by e-mail or to a syslog server as the other units can. A well-illustrated electronic manual of just under 100 pages is included.
The second shortcoming appeared when we tried to steer outgoing e-mail to the WAN1 link carrying the cable connection. We couldn't find anywhere on the administration screens to configure SMTP routing, so we sent an e-mail to technical support. The good news: they answered by the next morning. The bad news: there is no way to route SMTP traffic to one WAN link. This seems odd, because the target audience is entry-level home, home-office and small-business customers, and they are the users most likely to rely on their service provider's mail relay. Users of this router must either run their own e-mail server or be able to send outgoing mail through a hosting service, because you can't reliably send e-mail through an ISP relay when both WAN ports are active.
WAN failover and reconnection worked, although streaming audio sessions had to be restarted. When set to backup rather than load balancing, the switch-over from cable to DSL took about 20 seconds. Load balancing can be turned on, but the only control is a percentage split based on data transfer sessions. Feature-packed but detail-light, the Hawking's low price should make it popular with small businesses, but the minimal security settings and management controls will limit its usefulness.
Fortinet FortiGate-60
Another metal box with the standard four 10/100Base-T ports for local connections, two WAN ports and even a dedicated DMZ port, the FortiGate-60 offers a sharp contrast of good and aggravating points. This was the only box we tested with USB ports for USB modem backup, although the ZyWall includes a serial port for dial backup.
The quick-start guide is an 11- by 17-inch sheet filled front and back with data, undercutting the "quick" part of the name. The guide demands Internet Explorer, but Mozilla's Firefox browser worked apart from a few display oddities. Either way, you must connect over HTTPS to reach the management interface, which is the right default for an administrative session.
Management screens use left-side menus with submenus and tabbed pages. After initial configuration, we discovered that although the setup instructions told us to gather DNS details from the ISPs and pass them along to the clients, the FortiGate-60 didn't do that reliably, so clients couldn't resolve Internet addresses properly. Only by entering the DNS addresses deep in the configuration (System>DHCP>Server >Scope Wizard>Modify) could we guarantee that every client learned the DNS addresses it needed to reach sites on the Internet.
The management screens gave no clue about the performance of the WAN links, because no statistics are available. You can see whether the links are connected, but the only way to tell which broadband connection is carrying the load is to watch the lights flash on the front of the box. Worse, traffic won't leave the internal network for the Internet over the second WAN link unless you add a specific firewall policy permitting it. Until you take this extra step (not required by the other products), there is no failover at all.
After going through the firewall policy steps and configuring the Distance parameter to tell the system which route is preferred, failover started working reliably and quickly.
Although the manual doesn't say so, the failover route (in our case WAN2) must be given a larger distance than the default route's 1, such as 10; this tells the system to use WAN2 only when WAN1 dies. If the distances are equal, both WAN links are used concurrently, but there is no load balancing as such. Once configured, the FortiGate-60 failed over quickly and fell back to WAN1 quickly (about 5 seconds) when it returned. The only indication in the administrative program is a Routing Monitor page that shows WAN2 as the static default route. The Status page still showed WAN1 as connected, but Fortinet says that is by design and reflects the administrative setting. We expected the Status page to show actual WAN link status.
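The two pieces the FortiGate-60 needs before failover works, a backup default route with a larger distance and a firewall policy permitting internal traffic out the backup interface, modeled as an added example that is not Fortinet's code. Routes with the lowest distance among up links win; equal distances are used concurrently by hashing each flow onto one of them, with no weighting, matching the behaviour described above. The route table, interface names, zone name and policies are constructed for the example.

```python
"""Distance-based default-route selection with a zone-policy check (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from zlib import crc32


@dataclass
class Route:
    prefix: str     # "0.0.0.0/0" for a default route
    interface: str  # egress interface, e.g. "wan1"
    distance: int   # lower is preferred (the page's "Distance" parameter)


# Constructed configuration: primary default via wan1 (1), backup via wan2 (10).
ROUTES = [Route("0.0.0.0/0", "wan1", 1), Route("0.0.0.0/0", "wan2", 10)]
LINK_UP = {"wan1": True, "wan2": True}
# Constructed policies: (source zone, egress interface) pairs that are allowed.
# Note that internal -> wan2 is deliberately missing, as on the unit out of the box.
POLICIES = {("internal", "wan1")}


def select_route(dst, flow, routes=ROUTES, link_up=LINK_UP):
    """Return the egress interface for dst, or None if no usable route matches."""
    addr = ip_address(dst)
    usable = [r for r in routes
              if link_up[r.interface] and addr in ip_network(r.prefix)]
    if not usable:
        return None
    # longest matching prefix first, then lowest distance among those
    best_len = max(ip_network(r.prefix).prefixlen for r in usable)
    usable = [r for r in usable if ip_network(r.prefix).prefixlen == best_len]
    best = min(r.distance for r in usable)
    candidates = sorted(r.interface for r in usable if r.distance == best)
    # equal distance: each flow is pinned to one candidate by hash, no weighting
    return candidates[crc32(flow.encode()) % len(candidates)]


def egress(dst, flow, zone="internal", routes=ROUTES, link_up=LINK_UP,
           policies=POLICIES):
    """Route the flow, then apply the zone policy; None means it is dropped."""
    iface = select_route(dst, flow, routes, link_up)
    if iface is None or (zone, iface) not in policies:
        return None
    return iface
```

The check that matters is the second one: with wan1 down, `select_route` happily picks wan2, but `egress` still returns None until an internal-to-wan2 policy is added, which is exactly the silent no-failover state the unit shipped in.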
The feature list for the FortiGate-60 is impressive, including the expected VPNs, a firewall with 50 services predefined in the drop-down menu, and virus checking for files and e-mail (once the services are enabled and updated from Fortinet). But you will probably need more help than the manual provides (we did). Enticing, then frustrating, then finally well-behaved sums up the FortiGate-60. Once you fight through the setup and purchase the optional features you want, things work fairly well.
Security or access?
Based on the number of inexpensive routers for small business flooding the market, we hoped to find several dual-WAN routers that focused on Internet access redundancy. Instead, we found Internet security appliances with dual-WAN connections added as an afterthought.
We hope the market takes a hint from the Hawking's aggressive pricing and begins to offer flexible routing products for redundancy and failover while keeping advanced management and security features.
Now that so many homes and businesses have access to megabits of bandwidth relatively inexpensively, the market seems ready for ways to use more than one of those broadband connections at once.