Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Wi-Fi Router Charts

Click for Wi-Fi Router Charts

Mesh System Charts

Click for Wi-Fi Mesh System Charts

VPN Firewall
At a glance
ProductZyxel VPN Firewall (USG20-VPN)   [Website]
SummaryMulti-WAN Gigabit Firewall/Router supporting IPsec, SSL and L2TP VPN and subscription UTM features
Pros• Supports L2TP, SSL, and IPSec VPNs
• Content Filtering and Anti-Spam protection
• Zone-based firewall
• WWAN USB adapter support
Cons• Could not get IPsec client-to-gateway working
• Routing throughput lower than most current generation routers

Typical Price: $0  Buy From Amazon


Update 7/29/16: Client to Site IPsec works

ZyXEL has steadily expanded its security appliance / firewall product lines. But with three different families, buyers can be easily confused.

The "Unified Security Gateways" include the USG20 (reviewed in May 2011) and USG20W. In addition to VPN and Firewall features, the USG20/USG20W also support subscription-based Content Filtering and Anti-Spam UTM (Unified Threat Management) features. The USG20W adds single-band 802.11b/g/n wireless connectivity.

The "Next-Gen Unified Security Gateways" include the USG40 (reviewed in November 2014) and USG40W. In addition to VPN and Firewall features, the USG40/USG40W also support Content Filtering, Anti-Spam, Anti-Virus, and Intrusion Detection/Prevention UTM features. The current USG40 also has an improved multi-core processor. The USG40W adds single-band 802.11b/g/n wireless connectivity.

The "VPN Firewalls" include the USG20-VPN and USG20W-VPN. The USG20-VPN offers many of the same features as the USG20, with improved performance over the USG20. The USG20W-VPN adds dual-band AC1750 802.11aa/b/g/n/ac wireless connectivity.

The key differences between these product lines are summarized in Table 1. Essentially, the USG20-VPN is a faster version of the USG20, with the addition of an SFP port. The USG40 has even higher throughput than the USG20-VPN, an optional RJ45 port that can be used as a second WAN port, plus support for Anti-Virus (AV) and Intrusion Detection and Prevention (IDP).

LAN Ports 4 4 3
WAN Ports 1 1 1
OPT Ports 0 0 1
SFP Ports 0 1 0
USB Ports 1 1 1
Mobile Broadband Y Y Y
Firewall Throughput (Mbps) 175 350 400
VPN Throughput (Mbps) 75 90 100
Max IPsec VPN Tunnels 5 10 10
Max SSL VPN Tunnels 1 15 15
VLAN Support Y Y Y
Anti-Virus N N Y
Intrusion Detection and Prevention N N Y
Anti-Spam Y Y Y
Content Filtering Y Y Y
High Availability N Y Y
Bandwidth Management Y Y Y
Table 1: Model comparison

With that out of the way, let's dig into the USG20-VPN.

The USG20-VPN has the same look as the USG20 and USG40. Its gray metal enclosure with red trim measures 8.5"x5.63"x1.3". It comes with an external power supply and adhesive rubber feet for desktop use. It is passively cooled, so runs silently. The USG20W-VPN is physically the same, with the addition of three external antennas.

The front of the USG20-VPN has a reset button, power, system, SFP and RJ45 status LEDs and USB 2.0 port. The port supports a small selection of WWAN adapters.

Zyxel USG20-VPN Front


The rear of the USG20-VPN has the power connection, on/off button, SFP port, console port, and five 10/100/1000 RJ45 ports that can be assigned different roles. I'll describe this further in the Network section.

Zyxel USG20-VPN Rear



The USG20-VPN runs on an 800MHz Cavium Octeon III CN7010 CPU with 2 GB of RAM and 4 GB of Flash. The Ethernet chipset is a Qualcomm QCA8337 Gigabit switch. Below is a shot of the main board; the CPU is hidden under the large heat sink.

Zyxel USG20-VPN Main Board

ZyXEL USG20-VPN Main Board


The feature list below was compiled from ZyXEL's data sheet and website. It's pretty similar to what we found in the USG20 and USG40.

  • (5) 10/100/1000 RJ45 ports
  • (1) SFP port
  • (1) USB port
  • Fanless
Performance Ratings
  • 350 Mbps Firewall throughput
  • 90 Mbps VPN throughput
  • 20,000 max sessions
  • 802.1Q VLAN support
  • WAN connection failover via 3G and 4G USB modems
  • PPPoE
  • Static routing
  • Dynamic routing (RIPv1/v2 and OSPF)
  • Policy-based routing
  • Policy-based NAT (SNAT)
  • Dynamic DNS support
  • Per host session limit
  • Guaranteed and max bandwidth controls
  • Priority-bandwidth utilization
  • Bandwidth limits per user and IP
  • Dual stack
  • IPv4 tunneling (6rd and 6to4)
  • DHCPv6
  • IPv6 support for DNS, VLAN, PPPoE, Routing, Session Control, Firewall, IPsec VPN, Content Filtering and Anti-Spam
IPsec and L2TP VPN
  • Encryption: AES (256-bit), 3DES and DES
  • Authentication: SHA-2 (512-bit), SHA-1 and MD5
  • Simple Wizard Configuration
  • VPN High Availability (HA): load-balancing and failover
  • L2TP over IPsec
  • GRE and GRE over IPsec
  • NAT over IPsec
  • ZyXEL VPN client provisioning
  • Supports Windows and Mac OS X
  • Full tunnel mode
  • 2-step authentication
  • Customizable user portal
  • Stateful packet inspection
  • User-aware policy enforcement
  • SIP/H.323 NAT traversal
  • ALG support
  • Protocol anomaly detection and protection
  • Traffic anomaly detection and protection
  • Flooding detection and protection
  • DoS/DDoS protection
  • Anti-Spam protection
  • Content Filtering
  • Transparent mail interception via SMTP and POP3 protocols
  • Configurable POP3 and SMTP ports
  • Sender-based IP reputation filter
  • Recurrent Pattern Detection (RPD) technology
  • Zero-hour virus outbreak protection
  • X-Header support
  • Blacklist and whitelist support
  • Supports DNSBL checking
  • Spam tag support
  • Statistics report
Content Filtering
  • Social media filtering
  • Malicious Website filtering
  • URL blocking and keyword blocking
  • Blacklist and whitelist support
  • Blocks java applets, cookies and ActiveX
  • Dynamic, cloud-based URL filtering database
  • Unlimited user license support
  • Customizable warning messages and redirection URL
  • Built-in user database
  • Microsoft Windows Active Directory integration
  • External LDAP/RADIUS user database
  • XAUTH, IKEv2 with EAP VPN authentication
  • Web-based authentication
  • Forced user authentication (transparent authentication)
  • IP-MAC address binding
  • SSO (Single Sign-On) support
System Management
  • Role-based administration
  • Multiple administrator logins
  • Multi-lingual Web GUI (HTTPS and HTTP)
  • Command line interface (console, Web console, SSH and TELNET)
  • SNMP v1, v2c, v3
  • System configuration rollback
  • Firmware upgrade via FTP, FTP-TLS and Web GUI
  • Dual firmware images
Logging and Monitoring
  • Comprehensive Local logging
  • Syslog (to up to 4 servers)
  • Email alerts (to up to 2 servers)
  • Real-time traffic monitoring
  • System status monitoring
  • Built-in daily report
  • Advanced reporting (Vantage Report)

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Don't Miss These

  • 1
  • 2