|At a glance
|TP-LINK SafeStream Gigabit Broadband VPN Router (TL-R600VPN) [Website]
|Inexpensive PPTP / IPsec VPN router with Gigabit Ethernet ports
|• VPN for not a lot of $
• Gigabit ports
• Internal power supply
|• No L2TP support
• Site-to-site IPsec only
• No IPv6
• No VLANs
I’ve had the opportunity to review several TP-LINK products, including their TL-ER6020 Dual-WAN VPN Router and the TL-SG2216 Smart Switch. Prior to reviewing these two products, I hadn’t heard of TP-LINK, so I was intrigued to read their goal is to become “one of the top 3 networking brands in the world…” That’s certainly a bold goal. At the conclusion of both of those reviews, I found no reason TP-LINK couldn’t reach that goal. Both of those products performed well and are competitively priced.
In this review, I’m going to look at another of TP-LINK’s VPN routers, the TL-R600VPN SafeStream Gigabit Broadband VPN Router. A look at TP-LINK’s product page lists three models of VPN “SafeStream” routers, including the top-end TL-ER6120, mid-range TL-ER6020 and entry-level (and best selling) TL-R600VPN.
The TL-R600VPN is a desktop router measuring 8.2″L x 4.9″W x 1.0″H. Adhesive rubber feet are included for desktop use. I love the fact that the TL-R600VPN is silent and has an internal power supply. The internal power supply means no external power brick, just a cord from the router to the outlet. Very nice! Further, the power supplies on all TP-LINK SafeStream VPN routers include “professional lightning protection,” designed to withstand an electrical surge up to 4KV.
TP-LINK TL-R600VPN Front
As shown in the below front and rear shots, the LEDs are on the front panel while the RJ45 ports and power connector are on the back.
TP-LINK TL-R600VPN Rear
Under the Covers
The TL-R600VPN runs on a Realtek RTL-8198-GR ASIC which serves as both the router’s CPU and Ethernet controller. It also has 8 MB of Flash and 64 MB of RAM.
Below is photo of the TL-R600VPN’s main board. The power components are under the small panel to the left and the Realtek chip is in the center of the board. Note the lack of heatsinks.
Here’s a quick summary of the TL-R600VPN’s features.
- (4) 10/100/1000 Ethernet LAN ports, (1) 10/100/1000 Ethernet WAN ports
- NAT Throughput = 120 Mbps
- Concurrent Sessions = 10,000
- Bandwidth control
- Dynamic DNS
- DoS Protection (TCP/UDP/ICMP Flooding and Ping of Death)
- IP/MAC/Domain Filtering
- ALG (FTP/TFTP/H.323/RTSP)
- Port Forwarding, Port Triggering, DMZ
- IP/MAC/Domain Name Filtering
- (20) IPSec Tunnels and (16) PPTP Tunnels
- IPSec: DES/3DES/AES128/AES192/AES256 Encryption, MD5/SHA-1 Authentication
- IPSec Throughput = 20 Mbps
The TL-R600VPN was intuitive and easy to configure. Within 15 minutes of taking it out of the box, I configured the WAN interface, Dynamic DNS and Remote Access and an IPSec and PPTP tunnel up without using a configuration wizard or the manual.
The configuration menus on the TL-R600VPN are straightforward. There are 13 configuration menus, each with up to four submenus, with the exception of the System Tools menu that has 10 submenus for device management and troubleshooting. There are no additional tabs or separate configuration screens in the submenus. Table 1 summarizes the TL-R600VPN’s configuration options.
Table 1: Menu tree
I liked that each submenu displays a help menu on the right side of the window. Basically, the TL-R600VPN brings up the appropriate page from the manual with each configuration screen as illustrated below. TP-LINK also provides an 80 page manual with a little more detail for configuration help.
As you can see, the TL-R600VPN has a pretty standard set of router/gateway features along with VPN capability. Features I often see in VPN routers that are not supported by the TL-R600VPN are IPv6, VLANs and routing protocols such as RIP. However, for a smaller network with no need for these features, why pay for what you won’t use?
Although many folks have little or no need for IPv6 now, I’d like to see network products and service providers support IPv6. Sooner or later, it will become a necessity. However, that day isn’t quite here yet. While working on this review, I contacted the two ISPs that provide Internet in my area (Windstream and Time Warner) to see if they provide IPv6 addresses. Both claim their networks are IPv6 ready, but neither could provide IPv6 addresses for residential service.
The TL-R600VPN supports IPSec site-to-site VPN tunnels and PPTP remote VPN tunnels. Up to 20 concurrent IPSec tunnels and 16 concurrent PPTP tunnels are supported. Note, PPTP is the only remote VPN solution on the TL-R600VPN. Remote client IPSec VPN solutions are not supported. In my mind, that isn’t a bad thing. PPTP is a simpler remote VPN solution than IPSec and PPTP software is included in Windows and MacOS operating systems, as well as on iOS and Android devices.
Setting up both are ridiculously easy. Enabling PPTP was a matter of clicking enable on the PPTP server and creating a user name and password. Once completed, I configured my Windows laptop and iPhone for PPTP and entered the WAN address of the TL-R600VPN plus my user name and password. Both were able to connect to the TL-R600VPN. The screenshot shows my active PPTP connection.
There are a few more steps in setting up an IPSec tunnel, but they’re pretty straightforward. I set up an IPSec tunnel to a Zyxel ZyWALL 110 using 3DES encryption and SHA-1 authentication. The options for configuring phase 1 (IKE) and phase 2 (IPSec) of the tunnel are simple drop-down menus, as shown below.
My tunnel came right up once my configurations were applied on both the TL-R600VPN and the ZyWALL 110, as shown in the screenshot below. Interestingly, the TL-R600VPN shows two connections for a single IPSec tunnel, with one connection representing Tx and the other representing Rx.
IPSec VPN Status
To measure VPN throughput, I used two PCs running 64-bit Windows with their software firewall disabled. Using TotuSoft’s LAN Speed Test client and server application, with a file size of 100 MB, I measured throughput over an IPSec tunnel to the Zywall 110 and over a PPTP tunnel to Windows client. Below are my throughput measurements.
|VPN Tunnel Type
|IPsec Site to Site
Table 2: VPN Throughput
The ZyWALL 110 is rated at 300 Mbps IPSec throughput, while the TL-R600VPN is rated at 20 Mbps, so the ZyWALL is not a limiting factor. As you can see from my chart, the TL-R600VPN matched its 20 Mbps VPN rating with a IPSec Transmit speed of 19.4 Mbps and Receive speed of 20.9 Mbps.
TP-LINK doesn’t provide a PPTP throughput rating for the TL-R600VPN. As you can see, I measured PPTP Transmit speed of 16.4 Mbps and Receive speed of 17.4 Mbps. Bottom line is unless your Internet connection is faster than 16 Mbps in both directions, the TL-R600VPN’s IPSec and PPTP VPN throughput should be more than sufficient.
The TL-R600VPN allows you to create bandwidth control rules to provide a minimum and maximum bandwidth for LAN devices accessing the WAN. Rules are defined based on source IP address, destination port and protocol, and bandwidth.
To measure the effectiveness of this feature, I measured my Internet connection speed through the TL-R600VPN via speedtest.net. My Internet connection speed measured 12.68 Mbps down and 560 kbps up. I set the TL-R600VPN to limit my PC’s bandwidth to 3 Mbps down and 300 kbps up, as shown in the screenshot below.
Running a speedtest with this rule in place produced a result of 2.3 Mbps down and 210 kbps up. I tried several other rule settings, each producing actual throughput below the values I entered in the rule. Thus, it appears the TL-600VPN effectively limits bandwidth usage per PC, but you may have to play with the settings to get the desired limit.
Common firewall options that are supported include Port Forwarding, Port Triggering, DMZ and UPnP. Firewall rules can be created to allow or deny traffic from specific MAC addresses; to/from specific IP addresses or range of IP addresses; to domain names; by port, protocol (All, ICMP, TCP, UDP) or application (DNS, FTP, GOPHER, HTTP, NNTP, POP3, PPTP, SMTP, SOCK, TELNET); and by schedule based on day of week and time of day.
As a test, I set up a rule to block traffic from my PC to smallnetbuilder.com. Firewall rules on the TL-R600VPN require you to configure a source object, destination object and either use the default anytime schedule or create a schedule object. My rule is displayed in the below screen shot. With the rule enabled, my PC was blocked from accessing only smallnetbuilder.com, other PCs were not restricted.
From a network standpoint, the TL-R600VPN supports a single subnet on the LAN. As mentioned earlier, port based and 802.1Q VLANs are not supported nor is IPv6, as previously noted. Common network options exist for reserving a DHCP provided address for specific hosts on the LAN, mapping MAC addresses to specific IP address, and Dynamic DNS. Supported Dynamic DNS providers are dyndns.org, oray.net, comexe.cn, and no-ip.com. As mentioned earlier, I successfully configured a domain from dyndns.org to resolve to the WAN IP address of the TL-R600VPN.
Administration security is also basic on the TL-R600VPN. For example, it only supports a single user name to access the router, and there doesn’t appear to be an option to adjust the timer to log out an idle session. Thus, you remain logged in to the router, even if you’re no longer actively configuring it.
Routing performance for the TL-R600VPN v2 loaded with firmware 1.2.2 build 140422 and using our standard test method is summarized in Table 3. Interestingly, TP-LINK’s ratings for the TL-R600VPN, as listed in their product specs, are lower than our measurements. TP-LINK rates NAT Throughput on the TL-R600VPN at 12.0 Mbps and Concurrent Sessions at 10,000.
|WAN – LAN (Mbps)
|LAN – WAN (Mbps)
|Total Simultaneous (Mbps)
|Maximum Simultaneous Connections
|1.2.2 build 140422
Table 3: Routing Throughput performance
Our throughput tests for unidirectional download and upload speeds are shown in the composite IxChariot plot, which shows steady uplink throughput, but large variation in downlink.
The Simultaneous up / downlink plot below shows that downlink traffic stopped around 5 seconds into the one minute test. This wouldn’t be very helpful in real use!
When we reran the test with throughput limited to 100 Mbps, we got VERY smooth and equal results as shown in the plot below. So it looks like hitting the TL-R600VPN full blast may overload the routing engine. This could explain TP-LINK’s NAT Throughput rating of 120 Mbps.
Bidirectional Throughput – 100 Mbps Send rate limit
The TL-R600VPN is comparable in features to several other single WAN VPN Firewall routers that I’ve reviewed, including the NETGEAR FVS318G, Cisco RV180, Linksys LRT214 and TRENDnet TW100-BRV214. I’ve summarized key performance numbers and prices for bunch in the chart below. (Pricing is from pricegrabber.com.)
Table 4: Comparison summary
The TL-R600VPN lacks some of the features of the other routers in this group. For example, FVS318G has eight LAN ports and both the Cisco RV108 and Linksys LRT214 support VLANs and IPv6. On the other hand, the TL-600VPN is significantly less expensive than the Cisco, Linksys and NETGEAR. Further, the TL-R600VPN is a few dollars less than the TRENDnet and much faster.
As with previous TP-LINK products I’ve tested, I found the TL-R600VPN stable and its features easy to configure. Clearly, the TL-R600VPN is another TP-LINK product that beats the competition in a key area: Value.