Choosing the best dual-WAN router may prove to be a bit difficult considering that this type of devices weren’t created for home use, their functionality and complexity being far beyond the needs of the usual user (setting up a multi WAN router can be tedious), and, while the emergence of the DOCSIS 3.1 could have helped seeing more dual WAN routers within the consumer market, it didn’t really go that route.
Even so, the dual-WAN routers (or multi-WAN routers) are needed by businesses (no matter their size) and were created to give your organization an edge over the competition by maintaining a stable Internet connection, without relying on a single ISP. This is extremely important because running a business successfully can’t allow any downtime period (and nowadays, being connected to the Internet is a vital point for ensuring the survival of a company).
UPDATE 01.08.2024: The Zyxel USG Flex 200HP Dual-WAN VPN Router has been added to the best dual WAN routers list.
Zyxel USG Flex 200HP | Zyxel USG Flex 100 | DrayTek Vigor2926 | TP-Link TL-ER7206 |
Read More | Read More | Read More | Read More |
Of course, the Dual (or Multi) WAN router can also help get a better throughput and uniformly balance the handling of the data packets between the two (or more) separate connections (to avoid bandwidth throttling). This desirable feature is called load balancing (or multi-homing) and, besides balancing the network usage, it will also provide network redundancy, meaning that, if one of the WAN links fails, you still get access to your network resources using the secondary WAN link.
Best 3 dual WAN routers brief comparison
Zyxel USG Flex 200HP | Zyxel USG Flex 100 | DrayTek Vigor2926 | TP-Link TL-ER7206 | |
CPU | quad-core 1.4GHz CPU (Marvell ARMADA 7050 CAT72) | dual-core 1.2GHz Cavium Octeon III CN7020-1200WG640 | dual-core 720MHz CPU (?) | dual-core 880MHz CPU (probably Mediatek) |
RAM | 8GB Samsung | 2GB Nanya NT5CC512M8EN-EK | 128MB WINBOND W971GG6SB | 512MB Samsung SEC 204 K4B2G16 |
Storage | 8GB Samsung | 8GB Kingston EMMCC08G | 128MB Toshiba TC58NVG0S3ETA00 | 128MB ESMT F59L1G81MB |
Ports | 2x WAN (2GbE), 6x LAN, 1x Console | 4x LAN/DMZ, 1x WAN – SFP & OTP as secondary WAN | 2x WAN, 4x LAN | 2x WAN (one SFP), 2x LAN/WAN, 2x LAN |
WiFi | No | No | Yes (802.11ac) | No |
Advertised IPsec VPN throughput | 1.2Gbps | 270Mbps | 80Mbps | 291.6Mbps |
Max. concurrent IPsec VPN tunnels | 100 | 40 | 50 | 100 |
Read more | Full review | Full review | Full review | Full review |
Now, you may wonder why not simply go for multiple routers instead of a multi-WAN single router? The price is an answer, but other aspects, such as the aforementioned load balancing is going to become more complicated, so there is little to no gain.
Since we saw how important it is to have a multi-port router when running a successful business let’s look at the best dual WAN VPN router solutions that the market has to offer.
1. Zyxel USG Flex 200HP
Read the full review of Zyxel USG Flex 200HP
Just like the Flex 100, the Zyxel USG Flex 200HP deserves to be a part of this article, moreso considering the improvements that the manufacturer has made and which are reflected in the new gateway series. The Flex 200HP is quite a bit more than just a reliable dual WAN router, sporting two multi-Gigabit WAN ports, from which one is PoE, there’s the throughput over SPI firewall, UTM, VPN and the ISP is far more optimized.
Also, software-wise, we get a robust package of security features (including the aforementioned IPS). There is more because the dual WAN gateway comes with uOS and it can be managed both locally, as well as on the Cloud (Nebula Cloud Center). Design-wise, the device is rectangular, completely made of metal and the color palette of choice is gray with red accents on the front. The router is a bit wider than the FLEX 100, so it’s easier to mount it in a rack, but do be aware that the Power connector is on the rear side.
On the front, besides the two 2.5GbE ports that I already mentioned, there are six other regular Gigabit LAN ports, a USB-A port and a Console port. There are, of course, some LEDs to show the status of the device and of each port. Zyxel has been very confident that the USG Flex 200HP is optimized well enough as to handle a lot of stress without having to rely on active cooling. Instead, there are two large heatsink plates inside the dual-WAN router which should properly dissipate the heat.
I have attached some photos to see how well it fared while I was running the multi-client stress tests. So it pretty much can’t get hotter than that.
It’s worth mentioning that the device does use a quad-core 1.4GHz CPU (Marvell ARMADA 7050 CAT72) CPU, it has 8GB of RAM, 8GB of storage memory and it also relies on a couple of Marvell 88E2111-BWS4 switch chips for the two 2.5GbE ports. In terms of security, the firewall gateway offers the standard DoS protection and a SPI firewall (set the number of access rules and block requests). Also, you get bandwidth management (set up the upstream and downstream speeds), IPS (needs to either be set on Prevention or Detection), Anti-Malware and Content Filtering.
The Zyxel USG Flex 200HP also has some VPN-related features, including the support for SecuExtender, IPsec, L2TP and SSL connections. Now let’s talk about the two WAN connections. As I mentioned, they’re both 2.5GbE and the supported trunk is Weighted Round Robin. This is the only type available at the moment and I did test how quickly the dual WAN router switches between connections.
And the result is about one second which is a good performance. I didn’t run the usual iperf tests where you check how fast a single connection to a single client is since it would pretty much be pointless and instead, I decided that it’s better to put some stress on the device and run various types of traffic simulations on multiple client devices at the same time. Obviously, this is just a sneak peak and you will have to read the full review to see all the results that I got. Of course, the dual WAN router did handle the clients well.
I need to mention that you can configure the Zyxel USG Flex 200HP locally, where you get the bulk of settings and options, but it is also possible to add the gateway to a larger site with multiple other types of devices. This way, it’s easier to configure them together and monitor them remotely.
2. Zyxel USG Flex 100
Read the full review of Zyxel USG Flex 100
The USG Flex series has been a long favorite of SMBs that needed a reliable security gateway that could balance at least a couple of Internet connection and Zyxel has refreshed the series last year to include the USG Flex 100 which, despite being the entry-level model, it has proven capable of handling a fairly demanding network, while also maintaining the security of your network. And the good news is that not very long ago, the manufacturer has added the USG series under Cloud platform management. And this is a huge step since besides being able to work perfectly fine as a stand-alone device (with only a few APs), it can be integrated in a far larger network, offering an easier way to control multiple access points, Ethernet switches and working alongside other gateways.
While the Zyxel USG Flex 100 will work as a router, its design is nothing like the regular home-suitable wireless routers. Instead, we get an old-school rectangular case made of metal with lots of heat vents on top and the sides and two red front parts for the logo and model. And yes, it does remind me of the USG40 which has been a part of the best dual wan router list for a long time. Size-wise, the USG 100 Flex is slightly bit larger than the USG40, measuring 11.18 x 7.48 x 3.94 inches and both devices do rely on passive cooling (there are no fans).
On the front, in between the red accents, there are the LED status lights responsible for Power (PWR), System (SYS), six Ethernet ports (P1 to P6) and there’s also a USB 3.0 port. The rear side of the USG Flex 100 is home to the Power connector, an On/Off button, an SFP port (Gigabit), a Console port (used for managing the router using CLI commands), a WAN port and four LAN/DMZ Ethernet Gigabit ports.
The case is definitely far more rugged than your regular router, but let’s also see what’s inside the USG Flex 100. The tear-down process has revealed a Qualcomm QCA8337 Ethernet switch chip, 8GB of flash memory from Kingston, an Intel ALTERA 5M160ZE64C5N CPLD and a Qualcomm Atheros AR8033 PHY. In terms of wireless connectivity, you will have to purchase a separate wireless access point since this device lacks any WiFi capabilities (check out the excellent WAX650S).
The USG Flex 100 was initially designed to work as a sort of stand-alone device since it did have the means to monitor and configure multiple APs at the same time, and the user interface was (and still is) feature-rich, covering everything one may expect from a security gateway (including URL Threat Filter, the Anti-Malware, IDP, App Patrol and more). But, since the point of this article is to cover the best dual WAN routers, the Zyxel USG Flex 100 does have the means to balance two Internet connection and more.
I know that it has a single WAN port, but you can make use of either the SFP or the OPT port to add a secondary connection. So, if you want to balance the traffic load, you can rely on trunks (System Default WAN Trunk with the Least Load First algorithm) and, in my test, after disconnecting one link, the router would immediately switch to the secondary available Internet connection. The mode for each trunk interface can either be Active or Passive and you can enable the Disconnect Connections Before Falling Back, so, in case the interface that was set to Active regains the link, it will automatically switch back from the secondary connection. The Zyxel USG Flex 100 can also rely on the Weighted Round Robin algorithm for load balancing, ensuring that in case the two links have different bandwidths, the device will distribute the clients on a rotating basis.
There is also the Spillover algorithm where the traffic is first sent to the first WAN interface and, when it reaches the maximum allowed load, the device will send the ‘excess traffic’ to the secondary link. Trunking is not the only way to handle a dual-WAN connection since you can simply set a policy route for the Incoming Interface to the first WAN and the Next-Hop to the secondary interface; don’t forget to create a Policy Route the other way around. Using this method, I noticed that the USG Flex 100 required about 5 seconds to switch from one link to the other.
If you decide to move to the Cloud, the Zyxel USG Flex 100 will keep its features, but they will be distributed differently and don’t forget to check out the changed system for the security-related licenses – you can see a more detailed analysis on how Zyxel has added the USG Flex 100 to the Cloud management platform.
3. DrayTek Vigor2926
Read the full review of DrayTek Vigor2926
DrayTek is a Taiwanese manufacturer of (mostly) enterprise-grade networking products, including VPN devices, firewalls, routers and other types of wireless LAN devices (mainly with a focus towards the SMBs). DrayTek is known as being one of the first manufacturers to implement the VPN technology into less expensive routers and, right now, it basically is the go-to-company if you don’t want to purchase very expensive equipment from Cisco, Arista or Juniper (therefore being a godsend to start-up companies that don’t have a large budget). One of its more interesting products is the DrayTek Vigor2926, a dual WAN router created to replace the popular Vigor2925.
The Dual WAN routers aren’t known to be very aesthetically pleasing and most have a plain, industrial look (begging you to hide it in some corner or in a closet), but DrayTek, despite having kept the same design approach for almost a decade, it has made its broadband routers feel surprisingly fresh even in 2019. So, the case of the Vigor2926 remains rectangular, but the top has a wave-like form, covered by a black matte finish and lots of small longitudinal canals which slightly expose the internal hardware. While some other dual WAN routers are metallic, the case of Vigor2925AC is entirely made of plastic but, despite that, the device has the element of uniqueness and it doesn’t look as the other routers on the market (some consumer-type routers could learn a thing or two).
The Vigor2926 is not really a compact device, but its footprint is smaller than some consumer-type routers, measuring 9.48 x 6.50 x 1.73 inches and because the device weighs about 1.1 pounds, the Vigor2926 will feel sturdy and stable, even if you connect lots of cables to it. Another important aspect is the fact that the manufacturer has covered the bottom side almost entirely with ventilation cut-outs which do have an impact into how the heat management is handled: even under stress, the router did not overheat, but there were some warm spots on the top and bottom of the device.
On the front of the Vigor2926, you can find a series of LED lights which show the status of ACTivity, WAN1 and WAN2 (if any of the three aforementioned LED is blinking, it means that the data is being transmitted or received), QoS (if it’s on, then the QoS function is active), USB1 and USB 2 (if any of the two LEDs blinks, then data is being transmitted / received), WCF (it’s on when the Web Content Filter feature is active), VPN and DMZ. On the left of the LED lights, you can find a single recessed button for returning the device to the factory default settings (press and hold the button for more than 5 seconds).
On the right side of the LED lights, there are four 10/100/1000Mbps Base-TX Ethernet LAN RJ-45 LAN ports (each port has two LED lights – if the left LED is blinking, it means that data is being transmitted; if the right LED is enabled, then the port is connected at 1000Mbps, otherwise, if it’s off, then the connection is at 10/100Mbps), a 1000Base-TX RJ-45 WAN1 port, a 1000Base-TX RJ-45 WAN2/LAN port (can be used for the dual WAN feature if you need two Internet connections at the same time or simply as a LAN port) and further to the right, there are two USB 2.0 ports (useful if you want to connect printers, storage devices, environmental thermometers or 3G/4G/LTE modems). The rear side is populated by a PWR connector (for the adapter) and an On/Off switch (there are no antenna connectors).
Inside the case, the DrayTek Vigor2925AC is equipped with a Qualcomm Atheros AR8035-A Ethernet PHY Chip, 128 MB Toshiba TC58NVG0S3ETA00 flash memory, 128MB of RAM (WINBOND W971GG6SB-25) – the main chip is clocked at 720MHz (couldn’t access it because DrayTek covered the area with a non-removable plate).
In terms of software features, DrayTek Vigor2925AC doesn’t lack anything important. You get the dual WAN port used for FailOver and Load-Balancing (if you connect 3G/4G/LTE modems to the two USB ports, it will be added to the load balancing pool). The Failover feature works like this: if the first Internet connection fails, the router automatically switches to the other WAN port (the process doesn’t take more than 2-3 seconds) and, when the primary WAN regains its connection, the router will switch you back from the secondary WAN connection (this time, the process takes about 5 seconds); the Load Balancing feature keeps both Internet connections active at the same time, creating a ratio for the number of sessions that will be connected to either of the two WANs – furthermore, you can also use a single WAN port for certain websites or aggregate the ports to increase the total available bandwidth.
The Vigor2926 also supports multiple types of VPN, such as IPsec, L2TP with IPsec, PPTP, SSL and Open VPN; there’s also VLAN tagging, Smart Monitor Traffic Analyser, Bandwidth Management (set bandwidth limits by number of simultaneous sessions or IP; QoS) and a lot more. In terms of security, the Vigor2925AC features an Object-based SPI Firewall, DoS Defence (Ports Scan detection, SYN, UDP, ICMP defences and the ability to block IP options, Ping of death, trace route and so on), Spoofing Defence (IP and ARP Spoofing) and more. The Vigor2926 features a Central Management utility, allowing you to locally manage additional DrayTek devices connected to the network (switches, access points), but the manufacturer also allows you to adopt the Vigor2926 within a controller (VigorACS 2).
Considering that the Vigor2926 comes with two USB ports, I decided to test the storage performance of the router: using a Samsung T5 SSD drive (FAT32), I moved a 3GB multimedia folder and the writing speed was 10.13 MBps and the reading speed was 10.26 MBps. Afterwards, I decided to test the wired performance of the router using two computers, one as the server and the other as the client: from the client to the server, I got an average of 949 Mbps and, from the server to the client, I measured an average of 921Mbps.
Note: The DrayTek Vigor2926 is also available in other variations: with integrated VoIP and wireless capabilities (the Vigor2926Vac), using only the wireless N technology (Vigor2926n) and with both the 2.4GHz and 5GHz radio bands (Vigor2926ac).
4. TP-Link TL-ER7206 Dual-WAN VPN Router
Read the full review of TP-Link TL-ER7206
The TP-Link TL-ER7206 is one of the most inexpensive multi-WAN routers available on the market and, while not as powerful as some of the other dual WAN routers in this list, it can definitely hold its own against its main competitors. And this includes the inexpensive option from Ubiquiti, the EdgeRouter-X. But can it be a reliable replacement for the Cisco RV340 and RV345 as well?
After hearing that Cisco will discontinue the series after already reaching EOL, there are some big shoes to fill and, after testing the TP-Link TL-ER7206, I can say that it can handle a small to medium network (SMBs, basically), but you will have the best performance if you switch to a full Omada ecosystem.
The TP-Link TL-ER7206 uses a compact all-metal case covered by a black matte finish and, while I do appreciate having to deal with smaller networking devices, there is a shortcoming. And that’s the difficulty of using it in a rack – you will need a tray.
Then, TP-Link made the uninspired decision to not add mounting holes on the bottom of the dual-WAN router, which means that it can only be positioned on a flat surface. I did check the TP-Link TL-ER7206 temperature while I was running some tests and it didn’t show any signs of overheating (I included a thermal photo in the full review as well).
As for the available ports, you get a WAN SFP port, followed by one dedicated Ethernet Gigabit port, two WAN/LAN ports (can work in either mode) and two Ethernet Gigabit LAN ports. This means that you get a large variety of options to choose from in case you need to run load-balancing or to rely on failover / failback techniques. The TP-Link TL-ER7206 does offer a standalone mode where you can configure the router to function the way you want it to, but you do lose on some important aspects.
For example, I could not find how to set the ratio using load balancing in standalone mode, but the most important loss is that you can’t configure and monitor multiple devices at the same time using the Omada SDN.
This software has grown quite a bit the last few years and it resembles in many aspects the UniFi controller. So, to set up the features related to the dual-WAN functions, I adopted the router to the Omada SDN.
This way, I was finally able to set the ratio for the bandwidth when using two or more concurrent Internet connections.
Then, I decided to check out just how quick the TP-Link TL-ER7206 is when disconnecting the primary WAN and switching to the secondary one. To do so, I pinged two websites and simply checked how many packets would be lost. Both pings were paused for a brief moment, with only a single packet loss, so the dual WAN router is quite fast in this regard. This is not all because I also need to see the LAN-to-LAN performance which, as expected, it was good. I saw an average of 945Mbps upstream and an average of 887Mbps downstream.
But, the TP-Link TL-ER7206 is also a VPN gateway, so I decided to check out a couple of the available ones.
The router will allow you to set up 50 OPenVPM connections, 100 LAN o LAN IPSec connections, 50 PPTP VPN connections (careful because it’s not the most secure protocol) and 50 L2TP connections.
I did configure an L2TP VPN policy and Client (which was a very simple process) and then I used an iPhone to connect to the router in a secure manner. And it worked wonderfully well, even if the throughput wasn’t as high as I hoped. Then, I also used a laptop for a PPTP connections (the iPhone no longer supports PPTP) and again, it worked fine, but the throughput is not that great (19Mbps up and 12Mbps downstream).
The TP-Link TL-ER7206 has some security-related features implemented, as expected, and it offers URL Filtering, Access Control and the Firewall, where I liked to set the State Timeout. In terms of hardware, TP-Link TL-ER7206 was not completely transparent to me because I was unable to remove the heatsink which hides the main chip, but I do know that we’re dealing with a dual-core CPU clocked at 880MHz.
I have encountered this configuration before and it was a Mediatek CPU – maybe this is what we’re dealing with here as well. Besides the CPU, there are 512MB of RAM from Samsung, 128MB of flash memory from ESMT and the Realtek RTL8365 as the switching chip.