VPN

The information on the '10's VPN support is a little fuzzy.  PPTP client passthrough is supported, but the number or sessions and sessions per servers aren't specified.  It also looks like you can have a PPTP server on your LAN, as long as you set up an SUA and firewall rule.  It's not clear whether IPsec is supported at all.

The '10 provides a number of methods to control the Web sites that can be visited by LAN users:

• by subscription list (Cyber Patrol's CyberNot list)

• by type of data, i.e. ActiveX, Cookies, Java Applet, Web proxy

• Trusted / Forbidden domain list (up to 32 domains)

• URL keyword (up to 64)

The filtering can be enabled by time of day, using one settable time range.  If you go to the Telnet interface, however, you can also set the days of the week that the filtering is enabled.

Attempts to access blocked sites result in a "Please contact your network administrator!" message, which I like better than just having the browser hang.  Even nicer would be the ability to change the message, but that's not provided.  You can, however, via the "Exempt Zone" feature, define 32 IP addresses ranges that can be exempted from the Content filters, or limit the filtering to only those ranges.

Update 9/21/01
TIP: When registering for the Content Filter list, use the Free link. According to ZyXEL, this will give you a free 6 month subscription to the list.  After 6 months, you'll need to use the icard link to renew your subscription. Note that ZyXEL may decide to charge for the Filter list subscription at some point, although it's now free.

Routing, Logging, and Other Features

 
The '10 supports the RIP-1, RIP-2M, and RIP-2B dynamic routing protocols and you can set the unit to send only, receive only or do both with its routing information.  You can also set up to 8 static routes and also tell the '10 to not include a route in its RIP broadcasts.

Logging results for firewall and content filtering activity can be viewed on two different browser screens.  Detailed logging to a syslog server (go here for information on obtaining Windows and MacOs syslog clients) is also supported and can be set to include logging of each outbound request, but you'll need to set this up via the Telnet interface.

Logged events are time stamped, but the stamps won't make any sense unless you use the Telnet interface to set the date and time.  Strangely enough, there's an option to automatically use a Daytime, Time, or NTP server (you provide the IP address) on router boot to set the time and date, but it's disabled!  ZyXEL has made this harder than it needs to be, given that the routers that they OEM to NETGEAR automatically get the date and time on boot and allow you to set your time zone via the browser interface!

Performance

I ran the Qcheck suite to test routing performance. I ran my normal WAN-LAN and LAN-WAN tests with results shown below:

(Details of how we tested can be found here.)

Comment: No problems encountered and UDP performance is improved from what I measured for the P312.  Plenty fast for most broadband connections.

Summary

The ZyWALL 10 provides plenty of bang for the buck, and I suspect that experienced users will get more out of it than newbies.  ZyXEL has done a lot of work on the user interface, but the '10 has enough quirks and controls missing from the browser interface that I'd say that they're still not where they need to be for the average user.  However, it's still worth being on your short list of candidates if you're looking for a full-featured, Stateful Inspection router.