REVIEW: Best VPN routers for small business
By Eric Geier (Our Owner & Lead Wi-Fi Consultant)
Originally published on NetworkWorld
When selecting VPN routers, small businesses want ones that support the VPN protocols they desire as well as ones that fit their budgets, are easy to use and have good documentation.
We looked at five different models from five different vendors: Cisco, D-Link, and DrayTek, Mikrotik and ZyXEL. Our evaluation called for setting up each unit and weighing the relative merits of their price, features and user-friendliness.
Below is a quick summary of the results:
All the units we reviewed support IPSec, SSL, and L2TP VPNs. All support PPTP VPNs, except ZyXEL. If you’re looking for a wider variety of VPN options, consider D-Link or Mikrotik, both of which also support OpenVPN.
Here are the individual reviews.
Cisco RV345P
The Cisco RV345P has a manufacturer’s suggested retail price of $599 but sells online in the $350-$400 range. In addition to the typical routing and VPN functions, this unit has support for content filtering, which requires a separate license.
This Cisco unit has a metal casing, measuring about 11 inches wide, 7 inches deep and 2 inches high. It can be rack-mounted with the included brackets or put on a table or shelf using the non-slip feet.
On the front of the unit you’ll find LED lights for the power, VPN, DMZ, USB ports and diagnostics. There’s one USB 2.0 port on the front for connecting drives, configuration, storage and 3G/4G modems for WAN failover. You’ll find two Ethernet WAN ports, which support load balancing and failover. There’s 16 Ethernet ports for LAN/DMZ connections, with PoE supporting up to 30W per port, which is enough to power 802.11ac Wave 2 access points. Lastly, there’s a hole for the reset button on the front as well.
On the left side of the unit is another USB 2.0 port for connecting a drive or cellular WAN connection.
Unfortunately, none of the USB ports on this unit allow you to plug in a drive or printer for sharing on the network. On the back of the unit is the AC power input, power button and an Ethernet port for the console access.
Along with the router, you receive an AC power adapter, Ethernet cable, Ethernet-to-serial console cable, mounting brackets and a quick-start guide. The unit also comes with a registration guide, which you need to follow in order to activate the security/filtering features.
We evaluated this Cisco unit with the firmware version 1.0.01.18. After logging into the web GUI, you see the Getting Started page with shortcuts to setup wizards, various settings and stats.
You’ll find the typical Cisco web GUI with the categorized navigation menu on the left side of the page with sub-menus that expand. The Status and Statistics menu gives you pages to see details on the TCP/IP services, ports, QoS, applications, routing and other network and system components. In the Administration menu you’ll find the general system- and file-management settings, including those for licenses and certificates.
The System Configuration menu contains more general system settings, like the typical hostname, time and logging and alert configuration. We also found an automatic update feature, which not all routers support. It can conveniently email you when the router firmware, USB modem or security signatures have an update available.
In the WAN menu are the typical Internet connection settings, including the WAN balancing/fail-over configuration with mobile 3G/4G support and the setting to change port 16 on the router to DMZ mode. In the QoS menu you can configure the quality of service settings for the WAN connections and the LAN with the port-based, differentiated services code point (DSCP)-based or class of service (CoS)-based modes.
In the LAN menu you can configure the port, PoE, VLAN, DHCP and 802.1X settings. Unlike some of the other units we reviewed, this Cisco router does allow you to enable 802.1X authentication on the LAN ports. In the Routing menu, you can configure the IGMP proxy, RIP and static-routing settings. In the Firewall menu, you can configure the typical firewall settings, like remote access, access rules, NAT, port forwarding and triggering, and DMZ host.
In the VPN menu, you can utilize a setup wizard for site-to-site connections. It has conveniently preconfigured IPsec profiles for the Amazon and Microsoft clouds. You can also configure the client-to-site connections, with support of Cisco’s Teleworker VPN client. There are also the PPTP, L2TP and SSL VPN servers you can utilize.
In the last menu, Security, you can utilize their application-control wizard or manually create policies. You can also configure Web and content filtering and IP source guard features.
Throughout our evaluation, we didn’t notice any tooltips or help shortcuts in the settings of the Web GUI. But there’s always a help shortcut on the top of the Web GUI. Clicking that link pops up their documentation for the particular settings you have up.
D-Link DSR-1000AC
The D-Link DSR-1000AC has an MSRP of $629.99 but sells online for $400-$500. It has a desktop form-factor but is rack-mountable with the necessary brackets included. In addition to typical routing and VPN functions, this unit has a built-in 802.11ac wireless AP. Like most of the other units, it also has support for content filtering, which requires a separate license.
On the front of the unit you’ll find LED lights for the power and Wi-Fi. There’s two USB 2.0 ports for connecting drives for file sharing, printers for network sharing, and 3G modems for WAN failover. You’ll find two Ethernet WAN ports, which support load balancing and failover. There’s four Ethernet ports for LAN connections. Lastly, there’s a Ethernet port for a console connection. On the back of the unit is the AC power input, power button, hole for reset button, and a grounding connection.
The router comes packaged with an AC power adapter, mounting brackets and a quick-start guide. The unit also comes with a registration guide, which you need to follow in order to activate the security/filtering features.
We evaluated this D-Link unit with the firmware version 3.12. After logging into the web GUI, you see the Dashboard. Here you see graphs and stats on the network traffic types, bandwidth usage, WAN ports, VPNs and CPU and memory utilization.
On the top, you find the main menu. Hovering over the categories displays a drop-down of the sub-menus. Under Status you’ll find status pages for all the components, such as the WAN, LAN, VPN and wireless ports, connections and clients. On the Wireless menu, you can manage the access-point functionality. We liked how you can modify the power output on the Wi-Fi bands, but didn’t like how automatic channel selection wasn’t enabled by default.
On the Network menu, you find the typical LAN, VLAN, WAN and general networking settings. In the QoS settings, we found a rather unique feature: session limiting, allowing you to limit the amount of internet sessions per client.
On the VPN menu, you’ll find all the VPN settings for IPSec, PPTP, L2TP, SSL, OpenVPN and GRE-server and -client functions. It’s nice all their VPN options offer both server and client functionality. However, it would also be nice if they offered wizards to help you configure the VPN connections, particularly for IPSec.
In addition to the typical VPN user-authentication methods, like local database, RADIUS, and Active Directory, you can specify a POP3 server. This is a great option for a smaller business that might not have a directory server but wants to authenticate against a central database.
On the Security menu, you can manage the internal user database and configure access to external authentication servers. You can also configure the web content filtering and the firewall.
On the Maintenance menu, you find general system, device and admin settings. One convenient and fairly unique feature we found is SMS logging to send you text alerts for WAN up/down, VPN connect/disconnect and max CPU/memory usage.
Each setting page has a general description of the settings on that page. Furthermore, you can click the question-mark icon in the upper-right of each page, which brings up their documentation to those particular settings, making it quick and easy to get help.
DrayTek Vigor2926
The DrayTek Vigor2926 unit sells online for $200-$300. It has a desktop form-factor, so it’s not directly rack-mountable. We reviewed the base model, but they also offer models in this same product-line with Wi-Fi and even a VoIP server. All models offer content filtering, app enforcement and centralized management of other Vigor devices in addition to the typical routing and VPN functions. The content filtering requires annual subscription to Cyren Web Content Filtering service, but it offers a 30-day free trial.
This DrayTek unit has a curved plastic casing, which is a welcome break from the mundane metal boxes most other vendors use. It measures 9.5 inches wide, 6.5 inches deep, and 1.5 inches high. It can be mounted on a wall with the mounting holes on the bottom and the included screws or set on a table or shelf with the included non-slip feet.
On the front of the unit you’ll find LED lights for the activity and statuses of the main ports and functions. There’s also a hole for a factory-reset button. There’s two USB 2.0 ports for connecting drives for file sharing, printer sharing and cellular modems for WAN failover. There’s two Ethernet WAN ports that support load balancing and failover. Lastly, there’s four Ethernet ports for LAN, DMZ, and additional WAN connections. On the back of the unit is the AC power input and power switch.
Along with the router, you receive an AC power adapter, Ethernet cable, mounting screws and a quick-start guide.
We evaluated this Vigor2926 unit with the firmware version 3.8.9. After logging into the web GUI, you see the Dashboard. You see general router, system and network stats and info. There’s also a graphic depicting the device, showing the port statuses, a great help when trying to troubleshoot remotely.
On the left side you’ll find the main menu. You click on a category and a sub menu will expand below. On the top of the menu, you can access the wizards for a general quick start, service activations, VPN client functionality and VPN server functionality. There’s also an additional stats page for the physical ports and virtual WANs.
In addition to the typical WAN options, we found this unit supports a WAN budget feature that allows you to limit usage – particularly useful for 4G WAN connections. In the firewall settings, we found the DoS and spoofing defense settings. Although other routers might offer some of the same protections, not all allow you to configure them, so this was nice to see. Additionally, they offer a neat firewall diagnostic feature to troubleshoot packet travel from the LAN or WAN.
In the applications menu, we found that the unit offers an internal RADIUS server, convenient if you don’t have a Windows Server or other third-party server. In the USB application menu, we found a relatively unique feature: temperature-sensor support.
Near the bottom of the main menu are the central management menus. The unit not only serves as a wireless controller (as do other units), but it allows you to centrally manage VPN connections across multiple sites plus local VigorSwitches. This is a convenient feature to help streamline configurations and management.
During our evaluation, we didn’t see any on-screen help in the GUI or shortcuts to any documentation. We also couldn’t find any real documentation on their website either. After asking Draytek, we were given a link to the user guide. The documentation seems thorough and detailed like we’d expect, but it would be nice to see on-screen help and shortcuts to the full user guide in the web GUI.
MikroTik RouterBOARD 2011UiAS-IN
The MikroTik RB2011UiAS-IN unit has an MSRP of $119 and sells online the $100-$120 range. There’s three other models in the RB2011L series: RB2011UAS-RM (adds a rackmount case), RB2011UAS-2HnD (adds wireless AP function), and RB2011UAS-2HnD-IN (adds indoor case). All utilize the RouterOS software, which you can actually download and install on your own hardware, even a PC, if desired. They offer a free 24-hour fully functional trial period, an always-free mode with limited functionality after that, and then they sell licenses starting at $45.
This RouterBOARD unit has a metal housing and measures about 9 inches wide, 3.5 inches deep, and 1 inch high. It can be mounted on a wall with the mounting holes on the bottom or put on a table or shelf with the provided non-slip feet.
On the top of the unit, you’ll notice a unique feature: a touchscreen LCD screen. With it, you can check the status of the interfaces/ports and even add static IPs, view throughput stats and graphs, view the logs, and reboot the device. The small touchscreen seems a bit sensitive and hard to get a hang of, but it’s a really neat feature that could provide some convenience when performing on-site troubleshooting or maintenance.
On the front of the unit you’ll find a mini USB port and with the included adapter can connect standard USB devices for file sharing and 4G WAN failover. There’s an SFP port, supporting gigabit modules. Then there are five Gigabit Ethernet ports, the first of which is pre-configured for the WAN connection and supports PoE. The next set of five Ethernet ports only support 100 Mbps (Fast) connections, the last of which is pre-configured for PoE output to optionally power other RouterBOARD devices. Between the two sets of Ethernet ports are LED status lights for all the ports. On the back of the unit is the power input and an Ethernet port for serial console access.
Along with the router, you receive an AC power adapter and a mini USB cable adapter so you can connect a standard USB drive or USB cellular modem.
We evaluated this MikroTik unit with the firmware version 3.33. After logging into the web GUI, you’re thrown into the settings on the Quick Set page, which contain the basic WAN and LAN settings.
On the left-hand side of the GUI you see a long list of items on the menu. I suppose that helps reduce the number of clicks to get to certain settings, but it’s a bit overwhelming. A nice categorized menu with more sub-menus might be better.
The first two items on the menu are related to Wi-Fi, which is supported in other units in the product-line. The next few items are for the interfaces, bridges and switches. Deserving notable mention are their cable test, blink and torch (traffic monitoring) features for troubleshooting.
In the IP submenu you find all the basic IP settings, plus the hotspot functionality, IPsec VPN, and web proxy feature. In the next items on the menu, we found it supports MPLS and also advanced routing: BFD, BGP, MME, OSPF, and RIP.
In the Tools menu we found many troubleshooting features, including a bandwidth tester that shows you tx/rx graphs, packet sniffer, and even a traffic generator.
Overall, we were impressed with the LCD screen and all the advanced features of this Mikrotik RouterBOARD unit. However, the archaic look and feel of the web GUI doesn’t impress. A more modern GUI with integrated tooltips and better on-screen help would make this unit even better.
ZyWALL VPN100
The ZyWALL VPN100 has a MSRP of $650 but sells online in the $400-$500 range. It’s a rack-mountable router. In addition to it’s routing and VPN capabilities, it includes content filtering, a Wi-Fi controllerand hotspot management with a captive portal and Facebook integration. The filtering and hotspot functions require paid subscriptions, but the content filtering is provided free for the first year and the hotspot subscription has a 30-day free trial.
The router has a metal casing and measures about 10.5 inches wide, 7 inches deep, and 1.5 inches high. It can be mounted on a wall with the mounting holes on the bottom, put on a table or shelf with the provided non-slip feet, or mounted in a rack with the included brackets.
On the front of the unit you’ll find LED lights for the power, system, link and activity status. There’s also a hole for reset button. There are two USB 3.0 ports for connecting drives for file sharing, printers for network sharing, and 4G modems for WAN failover. You’ll find two Ethernet WAN ports, which support load balancing and failover. There’s also an empty SFP port for fiber connections. Lastly, there’s four Ethernet ports for LAN/DMZ connections. On the back of the unit is the AC power input, power button and a serial console port.
Along with the router, you receive an AC power adapter, mounting brackets and a quick-start guide. The unit also comes with a registration guide, which you need to follow in order to activate the security/filtering features.
We evaluated this ZyWALL unit with the firmware version 4.31. After logging into the web GUI, you see the Dashboard, which displays general router system and network stats and info. There’s also a graphic depicting the device, showing the port statuses, a great help when trying to remotely troubleshoot. There’s also a Dashboard tab showing the VPN status and statistics.
The next item on the main menu on the left is the Monitor menu. There you can see detailed statuses on the ports, interfaces, any wireless APs, printers, VPN connections and logs for security and system.
The third item on the main menu is Quick Setup, which pops up a wizard to perform WAN or VPN setup. The fourth item is Configuration, which is where you can configure all the settings. We found all the typical network settings. In the VPN settings, we found the usual IPSec, SSL and L2TP options. Plus, it makes connecting to the Amazon Virtual Private Cloud easier by allowing you to upload your VPC configuration file.
The web authentication settings caught our eye with the Facebook Wi-Fi feature, which gives users the option to login to the Wi-Fi with their Facebook account. This increases the visibility of your Facebook page, possibly leading to more Facebook Check-ins or Likes. The hotspot-management features also support integrated billing and printer support, but these require purchasing a separate license.
The last item on the main menu is Maintenance. There you can manage configuration files, firmware and upload shell script. There are also diagnostic features, such as packet capture and typical network tools like ping.
Throughout our review we noticed there’s several ways to get additional explanations and help for the features and settings in the web GUI. There’s always a Help icon in the top global navigation menu and most setting windows have a question mark icon in the upper-right. Both of those shortcuts pop up their documentation to the particular settings you have up, making it quick and easy to get help. There’s also some settings with tooltip icons you can hover over for a quick description.
ZyXEL offers two cloud-management tools compatible with this router. The first is their myZyxel portal where you can see a list of registered devices, manage firmware plus licenses for any subscriptions.
The second is their Cloud CNM SecuManager, which is a virtural appliance that enables centralized management of multiple devices.
Overall, this seems like a solid router from ZyXEL. There’s great help and documentation, but if you’re wanting PoE or PPTP or OpenVPN support, then you might look elsewhere.
Comparing the routers
All these routers have the basic business network features, such as VLAN support and multiple WAN inputs with load balancing/failover. The many of the other features vary and which unit has it pros and cons. Consider what’s most important to your network or organization.
If you’re looking for an inexpensive option, consider DrayTek or Mikrotik. But consider that DrayTek lacks PoE, SFP port and OpenVPN support. Mikrotik has some great advanced features but lacks a USB print server and has an archaic web GUI.
If you need multiple PoE ports, consider Cisco’s unit, but remember it does not have an SFP port, lacks file or printer sharing via the USB and offers no web authentication.
If you need the router to support fiber connectivity, look at Mikrotik or ZyXEL, both of which have an empty SFP port. But keep in mind the ZyXELL unit doesn’t have PoE, or support for PPTP and OpenVPN.