Zyxel Zywall USG20 Review

claykin

Very Senior Member
Tim

Where did you get info that the USG20 LAN ports can be reassigned to be WAN ports? I am of the understanding that the USG20 is single WAN only. USG50/100 is dual WAN. USG200 is dual WAN with a single LAN port that can be reassigned (thus making the USG200 triple WAN). Am I behind on my Zyxel firmware upgrades?

Thanks for the USG20 preview. Your firewall throughput findings are similar to what Zyxel advertises for this model. I look forward to a full review of the USG20 and hopefully the USG50 which I think may be a gr8 SOHO UTM. The USG50 is almost a mini USG100 with full UTM. Unfortunately with the UTM features on, the USG50 is kinda slow.
 

claykin

Very Senior Member
Tim

I have a USG20 sitting on my desk. Received it yesterday but have not yet exhaustively gone through the firmware options.

It has a single WAN port. 4 x LAN ports can be assigned to either LAN1, LAN2 or DMZ. This is very much like the Zywall 2+.

WAN trunking option is limited to WAN1 and WAN1ppp. There are no options to reassign LAN ports to provide WAN2 capability.

Please check again. I think the Zywall manual for the USG20 may be a blend taken from the USG50 manual.
 

thiggins

Mr. Easy
Staff member
I'm checking with ZyXEL and will post back.
 

claykin

Very Senior Member
Tim

That 900+ page manual for the USG series is daunting to read. My eyes roll back in my head every time I flip through it.

At the end of the day, the USG is just so flexible, reliable and reasonably powerful that I cannot help but like them.
 

thiggins

Mr. Easy
Staff member
> That 900+ page manual for the USG series is daunting to read. My eyes roll back in my head every time I flip through it.
I agree. Lots of info. But short on setup examples.
 

thiggins

Mr. Easy
Staff member
You are correct, claykin. Here is ZyXEL's response:
For USG20/20W - Yes, the LAN ports are configurable, but only as LAN1,LAN2 and DMZ. For the WAN load balancing, we can only do between WAN and 3G.

For USG50, we can do load balancing on WAN1/WAN2 with dual WAN ports and 3G.
I'll update the charts and review.
 

hedly

Regular Contributor
great review

This looks like a great device for the home small network. The content filtering price is just about right.

As always, the review is nice and concise...short and sweet.

another great job.
 

claykin

Very Senior Member
> This looks like a great device for the home small network. The content filtering price is just about right.
>
> As always, the review is nice and concise...short and sweet.
>
> another great job.

For free content filtering consider setting up an OPENDNS account and enforcing their DNS servers on your LAN. The USG20 will allow you to force DNS through OPENDNS.
 

claykin

Very Senior Member
I notice Doug updated the review and added some notes about the EPS (Endpoint Security) feature.

I want to be sure users know that Doug did not experience a failure in EPS, he ran into a known limitation of what it can do.

Zyxel never claimed they can detect AV definition patch level for any AV app. The Zywall manual advises they can detect whether AV is activated with "SOME" AV products, but not all.

Regardless, the current Zywall firmware only supports the following AV products. Enforcing this as part of your EPS plan is likely to cause most admins grief.

Avira 2009
Kaspersky 2009/2010
Microsoft Security Center (I'm not sure if Zyxel means a trip of Security Center built into Windows XP+ or a Microsoft AV tool?)
Norton 360 V3
Norton 2010
TrendMicro 2010

The EPS feature is still very useful in other ways. To check OS service pack level, check for specific updates, check if auto updating is enabled, to check for running processes, etc.
 

thiggins

Mr. Easy
Staff member
I asked Doug to run the test and updated the article. I didn't say EPS failed. But it doesn't really do that much.

Doug didn't even test whether the AV was updated. He shut off the real-time scanning and EPS couldn't detect that.

I just wanted to see how much "protection" the EPS feature really provided.
 

claykin

Very Senior Member
> I asked Doug to run the test and updated the article. I didn't say EPS failed. But it doesn't really do that much.
>
> Doug didn't even test whether the AV was updated. He shut off the real-time scanning and EPS couldn't detect that.
>
> I just wanted to see how much "protection" the EPS feature really provided.

Doug wrote that he checked "whether the AV software was up to date...."

See my edited note above regarding Microsoft Security Center. Not sure what Zyxel is intending to target here.

Anyway, I just checked the Zyxel tech notes for the USG20 and found the following EPS limitations:

EPS (Endpoint Security)
1. [SPR: 090805245 ]
[Symptom] PC OS is 64 bits , EPS always fail when checking Firewall, Anti-virus and Windows auto update.
We current not support EPS on Windows 64bit Operation System.
2. [SPR: 100413560 ]
[Symptom] EPS check always fails when checking security patch for IE or Windows Media player.
3. [SPR: 100513795 ]
[Symptom] EPS check can't work with MAC OS.

OK, I'll agree now, -1 for EPS until it matures a bit more....
 

buck6919469

New Around Here
Usg-50

If the processor in the USG-50 is about the same as the Cisco RV220W, would you expect better performance overall than the USG-20? I currently have the new RV220W; it's a fast router but I have run into some problems with it. The Win 7 64bit SSL client won't install. I've tried across multiple machines with no luck; it works on Win7 32bit and XP just fine. The RV220W also lacks a logging option. I would like to know if the USG-50 will offer better performance than the USG-20. Thanks

KC
 

claykin

Very Senior Member
Firewall throughput of the USG20 and USG50 are both 100Mb/s.

USG50 supports dual WAN, UTM capabilities.....

USG50 VPN throughput is about 60% better than USG20 with more simultaneous users....

See spec sheet for all USG's here:
http://us.zyxel.com/upload/download_library/ds_usg_series_092110.pdf

I have a USG50. It's a real nice box. Can be a bit daunting for a newbie to configure, but otherwise it's stellar.

Also USG50 is passively cooled and comes in a metal housing with rack mount brackets. USG20 has a fan, plastic case and is designed to sit on a desk.
 

buck6919469

New Around Here
Usg-50

Thanks for the info. Have you run into any issue with Win7 64bit with the SSL VPN? This would be one of the main reasons for this purchase. I can tell you that with RV220W it does not work at least in my testing. I have had and installed many routers and have always liked the Zyxel brand.
 

abignet

Occasional Visitor
SSL Full Tunnel Mode question

I have a question about the SSL Full Tunnel Mode in the USG20. It seems that the term "Full Tunnel" can sometimes be used in different ways. Does Full Tunnel Mode route ALL client internet traffic over the VPN tunnel to the remote USG20 network? In other words, when the client is connected via the SSL VPN Full Tunnel then even things like web browsing and e-mail are routed through the remote USG20, as opposed to over the client's local connection? To put it another way, when connected via Full Tunnel does the client's IP (via something like http://whatismyipaddress.com/) show up as being the IP of the remote USG20 network's public IP?

I'm asking because I'm exploring options for securing my network connection on my laptop when I am connected to an unsecured network (eg, open wifi hotspot, like in a coffee shop), in addition to giving me access to my home network. The USG20 is in the price range I'm wanting, and I actually only need 1 SSL tunnel, so that limitation is fine.

Edit: I just remembered that I also wanted to ask if the ZyWALL IPSec VPN Client software comes with the USG20, and if so, how many licenses are included (or is it like Cisco's QuickVPN where the software is free and the number of tunnels is limited by the device)? I haven't been able to find a clear answer online, or where one can download the ZyWALL IPSec VPN Client software.
 

dreid

Regular Contributor
Zyxel's full tunnel does not route all traffic over the tunnel. Full tunnel on the USG20 routes traffic destined for the USG's subnets over the tunnel, but traffic destined for the Internet/other subnets is not routed over the tunnel.

Zyxel includes the IPSec VPN Client software with the USG20. Zyxel's IPSec software is Greenbow's IPSec client, so you download it there, also. The USG20 supports 2 concurrent IPSec connections at one time.

I hope this helps.

Doug
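
Added example, not part of the original thread and not Zyxel's or any poster's code: a longest-prefix-match check over a client routing table that shows why a tunnel carrying only the remote subnets leaves Internet traffic on the local hotspot. The interface names (`wlan0`, `sslvpn0`), subnets and the gateway address `203.0.113.10` are constructed assumptions.

```python
import ipaddress

# Constructed client routing tables: (destination prefix, outgoing interface).
# Interface names, subnets and the gateway address are assumptions.
SPLIT_ROUTES = [
    ("0.0.0.0/0", "wlan0"),          # default route stays on the local hotspot
    ("192.168.43.0/24", "wlan0"),    # the hotspot's own subnet
    ("192.168.1.0/24", "sslvpn0"),   # remote LAN1 behind the VPN gateway
    ("192.168.2.0/24", "sslvpn0"),   # remote LAN2 behind the VPN gateway
]
ALL_TRAFFIC_ROUTES = [
    ("0.0.0.0/0", "sslvpn0"),        # default route points into the tunnel
    ("203.0.113.10/32", "wlan0"),    # gateway's public IP must stay outside it
    ("192.168.43.0/24", "wlan0"),
]


def egress_interface(routes, destination):
    """Return the interface chosen by longest-prefix match for destination."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1]


def tunnel_mode(routes, vpn_iface, probes=("1.1.1.1", "198.51.100.7")):
    """Classify a table by where sample Internet destinations leave the host."""
    hits = sum(egress_interface(routes, p) == vpn_iface for p in probes)
    if hits == len(probes):
        return "all-traffic"
    return "split" if hits == 0 else "mixed"


if __name__ == "__main__":
    for name, table in (("split", SPLIT_ROUTES), ("all", ALL_TRAFFIC_ROUTES)):
        print(name, tunnel_mode(table, "sslvpn0"),
              egress_interface(table, "192.168.1.10"))
```

With the first table a "what is my IP" lookup would report the hotspot's address, because only the remote LAN prefixes point at the tunnel interface.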
 

dreid

Regular Contributor
Buck - I had no problems with Win7 64bit and the USG20 SSL VPN. The only challenge was configuration on the USG20, which I detailed in the review.
 

abignet

Occasional Visitor
Doug,

Thanks much for that info. That is helpful!
> Zyxel's full tunnel does not route all traffic over the tunnel. Full tunnel on the USG20 routes traffic destined for the USG's subnets over the tunnel, but traffic destined for the Internet/other subnets is not routed over the tunnel.

That is too bad. I may e-mail Zyxel and see if they have any recommended methods of configuring the client computer to somehow force all traffic over the SSL VPN connection (even though the VPN software itself is not configured to do that). I've wondered a little if it could be possible to create a "route" or something that would do that, but that is not something I am very familiar with.

> Zyxel includes the IPSec VPN Client software with the USG20.

Cool. Good to know.

It looks like the Greenbow client software has a way (http://www.thegreenbow.com/vpn_faq.html#VPN28) in which one can force ALL traffic over the VPN, but I've been reading that IPSec is often blocked by many open wifi hotspot providers. I've also discovered that the Shrew VPN software may be able to do that as well, but the same constraint of possibly being blocked applies. PPTP has been mentioned to me several times, but it apparently has the same likelihood of being blocked (plus I have concerns about it being secure enough for my needs/wants).
 
