New To The Charts: ZyXEL ZyWall USG20 Unified Security Gateway

Photo of author

Tim Higgins

Unified Security Gateway
At a glance
Product Zyxel Unified Security Gateway (ZyWall USG 20) [Website]
Summary Business class router with Gigabit ports, IPsec and SSL gateways, one-to-one NAT, bandwidth management and more
Pros • Gigabit WAN and LAN ports
• Up and downlink bandwidth control
• LAN ports can be reassigned to 2 subnets or DMZ
• One-to-one NAT
Cons • Low # of VPN tunnels
• Very limited 3G USB modem support

Updated 5/20/2011 – The USG20 is the entry-level member of ZyXEL’s third-generation Unified Security Gateway line. It combines an SPI+NAT firewall, IPsec and SSL VPN gateways, anti-spam and content filtering and multi-WAN connectivity including 3G backup into a security gateway aimed at small businesses with 1-5 users.

Unlike its bigger siblings, the USG20 stops short of being a full UTM, because it doesn’t include anti-virus or intrusion detection and prevention (IDP). It does, however, have something many lower-cost business routers don’t have—Gigabit WAN and LAN ports.

The 1-5 user recommendation is based on the USG20’s CPU horsepower. But it also is related to the number of VPN tunnels supported, which are one SSL and two IPsec.

Updated 4/25/2011 All indicators are on the front and all ports are on the back. Those ports are pretty flexible, too and can be assigned to different subnets (each with separate DHCP server), used as alternate WAN ports or assigned as a dedicated DMZ port. The USB port supports only four Huawai USB 3G cards (E220, E270, E169 and E800), though, making this feature essentially useless for U.S. users. This also makes the failover from WAN to WWAN feature also unable to be used by U.S. buyers.

ZyXEL USG20 rear

The board top photo below shows the CPU underneath a fan-cooled heatsink. ZyXEL told us that it’s a Cavium CN5010. It’s a popular processor choice among VPN current VPN routers, also used in Cisco’s RV042v3, RV 120W and RV220W,

The fan runs very quietly, though and you’ll hardly notice it in a quiet home office and would never hear it over the din of a normal office.

Devices with part numbers that can be seen include a Realtek RTL8367R 5+1-port Gigabit Ethernet switch, 256 MB of Samsung RAM, Phison PS2232DB flash controller, SMSC USB2313 USB 2.0 3 port hub and Altera EPM240T MAX II CPLD.

ZyXEL USG20 board top

Flipping the board over reveals two flash devices, 256 MB (Mx 29LV160) and 128 MB (Samsung K9F1G08U0B).

ZyXEL USG20 board bottom

We’ll cover the USG20’s features in a complete review later. But in the meantime, here’s a summary of its key features:

  • DHCP, Static, PPPoE, PPTP WAN types
  • DHCP server with MAC address reservation
  • VLAN support
  • Per host session limiting
  • Multiple WAN support with failover and load balance modes
  • Static and dynamic routing
  • SPI firewall disable, multicast, WAN ping and IDENT filtering and Proxy, Java, ActiveX and Cooking blocking
  • Single port forwarding and Port Range forwarding and triggered ports
  • HTTPS admin access
  • URL keyword blocking
  • Blacklist-based Anti-spam
  • Optional subscription Content Filtering via Blue Coat ($77 / year)
  • Uplink and downlink QoS, priority and bandwidth limit modes
  • Local logging, syslog and emailed alerts
  • 2 IPsec site-to-site / client-to-gateway tunnels
  • 1 SSL client-to-gateway tunnel

Routing Performance

Routing throughput running the latest 2.21 (BDQ.2) firmware and our router test process measured around 58 Mbps WAN to LAN and 42 Mbps LAN to WAN. The IxChariot composite plot below shows upload speed drastically lower than download in the simultaneous routing test.

ZyXEL USG20 throughput plots

The Maximum Simultaneous Connection test and the USG20’s firewall didn’t seem to get along, since I was able to get only 8 simultaneous sessions after multiple tries. Note that ZyXEL specs 6,000 maximum sessions tested using Ixia’s IxLoad test tool.

Updated 5/20/2011Retest of the Maximum Simultaneous Connections with ADP disabled yielded 29,986 sessions.

We last looked at a ZyXEL USG back in 2008, with the first-generation USG100. But a lot has changed since then, so we did a full review. You can also test-drive a USG50’s admin interface, which is very similar to the USG20’s to get a feel for things. You can also compare it to other products using the Router Charts and Router Finder.

Related posts

Netgear FS728TS: Smart Switch for the Masses?

Managed switches have long been a mainstay of corporate networks, but lower prices and Web interfaces are now making them more attractive to SOHO networkers. Tim Higgins looks at a good example of this new breed of switch.

Linksys SLM2008 8-port 10/100/1000 Gigabit Smart Switch Review

If you need 8 ports of "smart" switched gigabit and have around $100, the SLM2008 could be the one for you.

NETGEAR GS510TP ProSafe 8-port 10/100/1000 PoE Smart Switch Reviewed

NETGEAR's GS510TP packs plenty of PoE power to keep its eight Gigabit ports fully supplied.