There are seven 10/100/1000 Ethernet ports on the ZyWALL 110. Two of the ports are labeled and dedicated as WAN ports. One of the ports is labeled OPT. This port can be configured as an external port, i.e. a WAN port, or as an internal port with any of the internal interface types, i.e. LAN1, LAN2, WLAN, or DMZ. The other four ports are internal ports and can be configured with any of the internal interface types. There is a different firewall zone for each of the port types and a different subnet for each of the internal port types.
There are two dedicated WAN ports on the ZyWALL 110. Failover between WAN ports worked automatically. With both WAN ports enabled, I ran a continuous ping to google.com and deactivated one of the WAN ports. The router dropped one ping packet before it failed over to the backup WAN port and resumed connectivity. Re-activating the down WAN port was seamless and a traceroute confirmed traffic resumed using the primary interface.
As mentioned, failover is automatic. Surprisingly, there didn't appear to be a simple option to designate which WAN port was primary or secondary. It's possible I could have set that up with the ZyWALL 110's policy routing feature. But that seems to be a bit complicated for such a simple task.
There are two USB ports on the front of the device. They can be used to connect a 3G USB card as a WWAN interface, which is a great idea for further network redundancy. ZyXEL lists 27 supported 3G USB cards on the 3G Card Support section of this page, most of which are made by Huawei, with a few Sierra cards thrown in.
The USB ports can also be used to connect a storage device to save system logs or device diagnostic information. The USB ports cannot be used for network file sharing. I connected several USB thumb drives and all were detected and available to save log files, an example shown below.
802.1q VLAN interfaces can be set up on the physical interfaces, along with a DHCP server per VLAN. I successfully set up one of the LAN ports with two VLANs, connected it to a trunk port on a switch, and was able to receive an IP address from each VLAN's DHCP server.
Bandwidth utilization can be controlled through the ZyWALL's interfaces by creating bandwidth policies. Below, I've created a simple policy to limit iperf traffic to only 128 Kbps as it travels through any interface on the ZyWALL. Before I applied the policy, I ran an iperf test between two PCs at 382 Mbps. Once I applied the policy, my iperf test between my two PCs was 123 Kbps, validating the ZyWALL's bandwidth capability.
As you can see from the options in the criteria section above, more advanced bandwidth policies can be created. Policies can be created to control bandwidth by user, schedule, interface, source or destination address, DSCP value, and/or service type.
The ZyWALL 110 supports IPsec site-to-site VPN tunnels and IPsec, L2TP, and SSL remote VPN tunnels. Up to 100 concurrent IPsec tunnels and 25 concurrent SSL tunnels are supported. L2TP tunnels, which use IPsec encryption, count as part of the 100 concurrent IPsec tunnel limit.
I found configuring a VPN solution on the ZyWALL 110 was a multi-step process for all VPN types. There are Quick Setup menus (aka configuration wizards) for WAN Interfaces and VPNs. I used the regular menu instead of the Quick Setup for my configurations so I could explore all the options.
To start, I set up a site-to-site IPsec tunnel between the ZyWALL 110 and a Cisco ISA550W. The ZyWALL 110 supports DES, 3DES and AES encryption, as well as MD5 and SHA1 authentication. The ZyWALL's VPN throughput ratings are based on AES encryption, so I used AES-256 encryption and SHA1 authentication for both Phase 1 and 2.
One of the challenging aspects of IPsec VPN configuration is getting all the parameters to match on both sides of a tunnel. Although IPsec is a standard technology, vendors use different terms referencing IPsec configurations. On the ZyWALL 110, you first configure a VPN Gateway, which is also referred to as Phase 1 or IKE on other VPN routers.
Second, you configure a VPN Connection, which is also referred to as Phase 2 or IPsec on other VPN routers. Once I applied my configurations, the VPN tunnel between the ZyWALL and Cisco came right up.
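As an added example (not from the article or from ZyXEL), this Python check compares the Phase 1 and Phase 2 proposals of two endpoints that use different vendor labels, and flags DES or MD5 where selected. The dictionary layout and field names are hypothetical, and the peer values are constructed to show a mismatch.

```python
# Added example: compare the IPsec proposals on two tunnel endpoints.
# Field names are hypothetical; all config values are constructed.

# Vendor labels from the article mapped to standard phase names.
PHASE_ALIASES = {
    "vpn gateway": "phase1", "ike": "phase1", "phase 1": "phase1",
    "vpn connection": "phase2", "ipsec": "phase2", "phase 2": "phase2",
}
# Supported algorithms from the article that are long deprecated for IPsec.
DEPRECATED = {"des", "md5"}

def normalize(config):
    """Return {phase: {field: value}} with labels and spellings folded."""
    out = {}
    for label, params in config.items():
        phase = PHASE_ALIASES[label.strip().lower()]
        out[phase] = {k.lower(): str(v).replace("-", "").lower()
                      for k, v in params.items()}
    return out

def compare(local, remote):
    """List (phase, field, local, remote) for every differing setting."""
    a, b = normalize(local), normalize(remote)
    problems = []
    for phase in ("phase1", "phase2"):
        pa, pb = a.get(phase, {}), b.get(phase, {})
        for field in sorted(set(pa) | set(pb)):
            if pa.get(field) != pb.get(field):
                problems.append((phase, field, pa.get(field), pb.get(field)))
    return problems

def deprecated_in_use(config):
    """List (phase, field, value) entries that select DES or MD5."""
    return [(phase, f, v) for phase, p in sorted(normalize(config).items())
            for f, v in sorted(p.items()) if v in DEPRECATED]

# Constructed sample: the ZyWALL side as described, and a misconfigured peer.
ZYWALL = {
    "VPN Gateway": {"encryption": "AES-256", "authentication": "SHA1"},
    "VPN Connection": {"encryption": "AES-256", "authentication": "SHA1"},
}
PEER = {
    "IKE": {"encryption": "aes256", "authentication": "sha1"},
    "IPsec": {"encryption": "aes128", "authentication": "md5"},
}

print("mismatches:", compare(ZYWALL, PEER))
print("deprecated on peer:", deprecated_in_use(PEER))
```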
The ZyWALL 110 has a Monitor menu that allows you to see all active VPN connections. As shown below, I have an active IPsec VPN connection from the ZyWALL 110 to a Cisco ISA550W.
ZyXEL's IPsec client software is based on TheGreenBow's VPN Client. IPsec VPN software licenses are not included with the ZyWALL, but can be purchased for 1, 5, 25, or 100 users. I set up a remote IPsec connection using the free Shrew Soft VPN client on a Windows 7 PC. Setting up the remote IPsec connection involved many of the same steps as for a site-to-site connection, discussed above. Shrew Soft has a useful configuration guide for the Shrew Soft client and ZyXEL routers, which I used to successfully set up a remote IPsec tunnel.