The VFG has three groups of routing features. First, traffic can be filtered based on rules or MAC address. Second, web traffic can be controlled via OpenDNS and keyword filtering. Third, the VFG supports standard firewall functionality such as a DMZ, Port Forwarding, and permitting specific traffic types such as RTSP, MMS, H.323, IPsec, PPTP and UPnP. Within this third group, the VFG also has menu options to enable/disable the firewall, as well as enable/disable DoS and ICMP protection.
Firewall rules on the VFG are constructed based on exit interface (WAN or WWAN), source and destination IP range, layer 4 protocol (TCP or UDP), and destination port range. Traffic matching a rule can be either allowed or denied. Below is a simple rule I created to block all web traffic.
Figure 11: Block all traffic firewall rule
The rule worked; I could not surf the web with it enabled. However, the VFG doesn't present an error message telling users why their traffic is being blocked. It would be better if a simple message was presented on blocked traffic, such as “This traffic is blocked, please contact your network administrator.”
Integrating OpenDNS into the VFG is quite useful. OpenDNS filters web traffic by preventing resolution of web sites that are objectionable to your network. OpenDNS offers both basic free accounts and subscription-based home and business level accounts, depending on the features you need. I tested the VFG with a free account by simply adding my OpenDNS user name and password into the VFG. Once enabled and saved, I was presented with the message below, indicating OpenDNS was enabled.
Figure 12: OpenDNS enabled
I like OpenDNS as a web filtering service. It enables routers to perform effective web filtering without negatively impacting throughput. With OpenDNS enabled on the VFG, I was presented with the web page in Figure 13 when trying to browse to xxx.com.
Figure 13: OpenDNS block message
Below the block message shown above, there were a few advertisements, which is how OpenDNS is able to offer free web filtering. Nevertheless, seeing a few ads is a small price to pay for the value that OpenDNS delivers.
To augment the VFG's web filtering, keyword filtering can also be applied if you wish to block specific content or websites. Below, I created a keyword filter to block access to facebook.com. This rule worked in the same manner as my simple rule to block all web traffic, but again did not present an error message telling the user why their desired web page was blocked.
Figure 14: Keyword filter
Overall, the VFG's firewall is functional and easy to use. Support for OpenDNS is a nice touch. Other than that, the VFG's firewall is pretty standard.
The VFG offers some interesting features that help it stand out from other VPN firewall routers. First, it supports 3G WWAN adapters via a USB 2.0 port. Second, the VFG has multiple options for enhancing or limiting bandwidth utilization.
The VFG doesn't have the kind of 3G WWAN support you'd find in a Cradlepoint router. But it does support adapters from major providers of North American 3G WWAN services. Figure 15 shows a list of supported 3G adapters from ZyXEL's product page.
Figure 15: Supported 3G modems
In my experience, the last thing a busy network can tolerate is having its Internet connection go down. 3G WWAN connections provide a high degree of Internet redundancy due to their independence from physical wires. Thus, even if the wires going to your house or building are cut, the 3G WWAN service will still be available.
Failover can be enabled from the WAN to WWAN interface so the 3G connection will only be used in the event of your primary Internet connection going down. Further, rules for the firewall, OpenDNS, DMZ, Port Forwarding, and 1-1 NAT can all be configured differently for the WAN and WWAN interfaces. Note that only failover is supported for WWAN; bandwidth aggregation and bonding are not.
A second interesting feature of the VFG is its multiple bandwidth management options. The VFG offers Dynamic Bandwidth Management (DBM), a Throughput Optimizer, Hardware Accelerator and a Session Manager.
DBM configurations can be applied dynamically or statically. Dynamically, bandwidth utilization can be controlled on both the WAN and WWAN interfaces. I measured my Internet service (using speedtest.net) at 12 Mbps download and .65 Mbps upload, and then created a DBM rule on the WAN interface to limit my speed to 10 Mbps download and .384 Mbps upload. After enabling this new rule, I measured my Internet service at 9.94 Mbps download and .37 Mbps upload, closely matching my rule and validating bandwidth functionality on the VFG.
Static bandwidth utilization rules can be applied to specific hosts on your network, preventing a host or end user from consuming too much bandwidth or slowing the network. Below is an example of a rule to limit bandwidth use for a host at 192.168.10.20 to 3 Mbps download and .3 Mbps upload. Note that service port range can also be specified.
Figure 16: Bandwidth control
With the above static rule applied, I ran another speed test and got the results in Figure 17, validating the accuracy of the VFG's static bandwidth controls.
Figure 17: Speed test result with bandwidth control
The Throughput Optimizer on the VFG enables prioritizing TCP, ICMP, DNS, SSH, and Telnet traffic, allowing any of these traffic types priority over other traffic on your network. Missing is an option to prioritize UDP traffic for VoIP.
The Hardware Accelerator is an interesting feature on the VFG. When enabled, it increases WAN throughput significantly, which I'll cover at the end of this review. The downside is the Hardware Accelerator must be disabled to use keyword filtering, DBM, or PPTP. This is disappointing. It is nice to have the higher performance with the Accelerator enabled, but the tradeoff of disabling PPTP takes away one of the router's key features.
The VFG has a Session Manager feature, with options for fast (recommended), regular, and slow. ZyXEL indicates this feature can improve the VFG's P2P performance by recycling connections faster. ZyXEL rates the VFG as capable of up to 60,000 NAT sessions.
Finally, here are a few other things to note about the VFG's routing features:
- Port forwarding supports separate external and internal ports
- 1-to-1 NAT (allows mapping an external Public IP address to an internal LAN IP address; useful if you have multiple WAN IP addresses from your ISP)
- HTTPS administration is not supported
- Remote admin can be enabled and port set, but can't limit access by IP
- DHCP server - can set lease time, but can't reserve addresses
- MAC address ACL is supported
- Dynamic DNS for DynDNS.org, TZO.com, ZoneEdit.com
- Schedules are not supported for any firewall features
- Triggered port forwarding is not supported