Is H-series stable for basic tasks?
Hi,
We are considering switching from old USG60s to new FLEX200HPs. However, I've been monitoring these forums for the past year and let's be frank, the H-series is not yet production-ready for all use cases.
So I would like to ask users who have been using the H-series, if it is stable for basic firewall and routing tasks. We are mainly planning on using these functions:
- Security Policy (basic firewall rules, etc.)
- VPN IKEv2 access (client-to-site, site-to-site)
  - NOTE: We are using native Windows/Mac clients and would like it to stay this way
- basic NAT
- simple Policy Routes
- SIP (just pass-through, SIP ALG turned off)
- Dual-WAN failover (we have 2 ISPs)
  - Also works with VPN access?
- PoE (the 200HP has 1 in-built PoE+ port)
We are also considering buying a FLEX200, but it will be discontinued in 2030 and does not have a built-in PoE port (the latter can be easily solved via an injector).
Do firmware upgrades break these basic functions, or not?
Thank you for any insights and suggestions!
All Replies
-
There are things I find missing in the H-series, but from what you list it should be fine for you.
1 -
Thanks, @PeterUK. I know you have been using the H-series for quite a while and have been reporting many bugs to ZyXEL. I appreciate your work, you've been doing us other users a valuable service!
I have one follow-up question: Did it ever happen that a firmware update rendered these basic functionalities unusable?
PS: What are the things that you miss in the H-series?
0 -
I'm not sure… there are outstanding bugs and problems with Nebula when configuring in Nebula vs local.
One problem with Nebula is that if they don't add all the options that local has, there can be problems, like FQDN address objects not knowing if they should expire TTL or not, which causes all address objects for FQDN to be rewritten without the option, causing it to be in an unknown state on local, but I'm hoping they fix that.
Other problems are if you have more than IP WAN and you choose to route Zywall to go out a given interface, it can cause connection problems for things that rely on Nebula, like the content filter and reputation filter. This has been ongoing for over a year and is still being looked into, yet if you don't control Zywall it's fine.
The way in which the Wifi controller MAC filtering looks to work is not as good as ZLD has done it.
WWW Admin Service Control was useful in ZLD and no Authentication Server page
2FA HTTPS not using my certificate
Wifi MAC Authentication
Email logging of traffic logs like ZLD does
BWM with fqdn support and all interface Egress rating limiting support along with bwm control-tcp-ack
being able to have many SSL and VPN Policies support, as you can only have one SSL remote access and one IKEv2 remote access and no longer can you do IKEv1 L2TP/IPsec
IKEv1 many tunnels when you connect to the FLEX H on the same IP even with different ID may not work and that's not going to be looked at anymore
Some type of overload (ping spike) if you have many fqdn to which I hope that gets fixed
Being able to do fqdn like on ZLD *grc.com not *.grc.com, which means you may have to do grc.com with *.grc.com to get everything
being able to control VPN tunnel and for remote access in routing rule incoming and next hop
0 -
being able to have many SSL and VPN Policies support, as you can only have one SSL remote access and one IKEv2 remote access and no longer can you do IKEv1 L2TP/IPsec
IKEv1 many tunnels when you connect to the FLEX H on the same IP even with different ID may not work and that's not going to be looked at anymore
@PeterUK Can you please elaborate? Can't I have 2 IKEv2 policies/tunnels at the same time (one for connecting people to the office (client-to-site), another between 2 offices (site-to-site))?
PS: I'm planning on using the firewall in standalone mode. Are there any problems with that?
0 -
You can have many site to site tunnels on IKEv2 with different ID on Phase 1; it's when you use IKEv1, that is the H-series as Responder Only, that only one tunnel connects.
As for remote access VPN, only one can be set up; this is separate from site to site, which can do many.
Standalone is fine, but you will need to register with Nebula even if you don't use it.
0