Zyxel Nebula is a cloud-managed networking solution consisting of Wi-Fi access points, Ethernet switches, security gateways, and a management console. Zyxel developed Nebula to help business customers and their service providers to manage networking infrastructure more cost-effectively. For this review, I wanted to find out how much value Zyxel Nebula would provide to prosumers who can’t get the performance they need from consumer-grade equipment in residential environments.
Note that I had tested and reviewed business-class networking equipment from Ubiquiti in the past, and so I had well-defined requirements and reference points, especially regarding Wi-Fi performance and ease of use.
Reviewed Zyxel Nebula Equipment
|NSG200 Security Gateway|
|NSW100-10P 8-Port Gigabit Switch with PoE|
|NAP303 Managed Access Point|
|NAP203 Managed Access Point|
|NAP102 Managed Access Point|
Zyxel sent me a security gateway, two 10-port Ethernet switches, and four access points to replace my existing UniFi infrastructure for this review.
To be perfectly honest, I was hesitant to “rip out” the existing infrastructure that both my wife and I rely on, from a personal and professional perspective. But this challenge gave me an excellent opportunity to test Zyxel’s “Zero Touch” deployment claim.
My Migration Strategy
For those of you who haven’t followed the evolution of my network infrastructure, here is a quick overview of what I intended to replace.
I live and work out of a 3,300 square feet ranch-style home. My home office is on one side of the house, and that’s where AT&T’s fiber-optic Internet connection enters the home. The family room, where I spend most time when I’m not working, and where we stream TV shows and movies to an Apple TV, is on the opposite side of the house.
As is the case with many residential and commercial settings, a single wireless access point or router doesn’t provide proper Wi-Fi coverage for the whole area. That’s why I got into mesh networking and later expanded to commercial Wi-Fi equipment.
Before migrating to Zyxel Nebula, I had my current modem, a security gateway (router) and an 8-port switch installed in my home office. From there, I ran three CAT6 Ethernet cables into the attic where they would terminate in a second switch.
The second switch feeds the numerous Wi-Fi access points I had strategically positioned throughout the house using ceiling mounts. Additionally, the switch also connects various home security cameras to my network, but those are not part of this review.
How I Executed the Migration
First, I downloaded the Zyxel Nebula app to my iPhone, created an account and started scanning each piece of equipment I had received.
Each Zyxel device has a label with a QR code that you can scan to add the hardware to your Nebula account. As soon as you do that, Nebula provisions it with a default configuration. That is what Zyxel calls “Zero Touch” deployment. In my tests that worked incredibly well and it sped up the whole process.
Since Zyxel primarily designed Nebula for managed service providers who might support multiple clients and locations, I had to create an “organization” and a “site” as part of the setup process. Since I’m not a real organization and have only a single site, I used “Kummer Household” and “Home” for those parameters. You’ll see those terms in some of the screenshots below.
Create Wi-Fi SSID
The first thing I did after I had plugged in the security gateway to my ISP’s modem and transferred all Ethernet cables from the old to the new switch was to set up a Wi-Fi network. Since I didn’t want to reconfigure 40+ Wi-Fi-enabled devices, I made sure to use the same SSID and password I had used before. That way, my computers, phones, tablets and IoT devices could easily reconnect once the new access points came online.
Install Second Switch
Next, I installed the second switch in the attic, which took less than a minute. Similar to installing the primary switch in my office, all I had to do was move the Ethernet cables over and connect the device to the uninterruptible power supply (UPS).
Install Access Points
The most time-consuming part of the migration was to replace the existing access points. I wish I could have reused the mounting brackets from my Ubiquiti APs, but, apparently, that wasn’t the case.
For this review, I didn’t want to rip out the old mounting brackets and drill new holes, which would have involved crawling around in the attic.
I tried 3M mounting tape first, hoping it would hold the weight of the access points, but that didn’t work as you can see in the photo.
So I ended up leaving the old mounting brackets on the ceiling, and I installed the new brackets on top of the old ones. I still had to drill holes for that, but, at least, I didn’t have to go to the attic to remove the Ubiquiti bracket that “sandwiches” the drywall.
Cosmetically, it’s not looking great because you can see a clear gap between the access point and the ceiling. But for this review, my wife was OK with that.
Once all the hardware was in place, most of my devices could reconnect to the new access points without any troubles. Only some IoT devices, such as smart light switches and bulbs required a power cycle before they could reconnect to Wi-Fi.
Overall, I was impressed by the ease of deploying the Nebula equipment. All devices worked out of the box and without requiring configuration changes. The only setup step I had to perform was to create an SSID (Wi-Fi network) to match the old one.
Zyxel Nebula Cloud Managed Platform
- Efficient Deployment (Zero Touch)
- Powerful Management Console
- Multi-User/Multi-Tenant Support
- Commercial Design
- Some Features Require a Paid License
Many of the network management capabilities of Zyxel’s Nebula platform are overkill for what I need. I’m not a service provider, and I don’t work with one to help manage my network, so this review doesn’t go into the details of those features. But since they might be a deciding factor for many commercial customers, I wanted to share a few highlights:
- Licenses stick with the organization and transfer from device to device. So you can upgrade the hardware without losing your investment in the license.
- Zyxel offers a free subscription tier to maintain full control of your equipment. Some competitive solutions won’t allow you to make configuration changes without a valid (paid) subscription.
- Nebula supports multiple tenants and sites under one management console
- “Zero touch” makes deploying new devices a breeze and reduces the cost of ownership.
The reason why I have mentioned the terms “subscription” and “license” a few times is that the Nebula Cloud Management Platform is a subscription-based service that enables you to manage all supported devices. You can choose between a free license and a professional pack. The latter offers additional features and reporting.
Nebula is a Cloud Network Management Solution that brings the benefits of the cloud to your network. The Nebula Control Center gives centralized, easy to use, control over all Nebula wired and wireless networking devices from a single pane of glass, from any device. Nebula simplifies your business infrastructure and offers simple, intuitive and scalable management for networks of all sizes.
Zyxel’s cloud management platform is incredibly powerful and feature-rich. So it takes some getting used, especially if you recently upgraded from consumer-grade equipment.
What Does Cloud-Managed Mean?
The term cloud managed means that instead of managing your devices locally (on the Local Area Network), you do it via a platform that Zyxel operates in its data centers. Any changes you make get then pushed down to your devices. As a result, you might sometimes see a delay of one to two minutes for changes to take effect.
The advantage of that cloud-based approach is that you can hand off network management to an external service provider. That’s particularly useful if you are small- or medium-sized business without an internal IT staff; or if you are a big-shot business owner who works from home, appreciates reliable networking infrastructure but needs a knowledgeable relative or employee who can configure and troubleshoot all those gadgets without having to be onsite.
Nebula Management Console
To access the management portal, open a browser and point it to https://nebula.zyxel.com. Alternatively, you can use a mobile app from your platform’s App Store. The primary benefit of the mobile app is to keep an eye on the status of your devices. If you want to make configuration changes to your equipment, you have to use the web console. One of the few exceptions is maintaining wireless network settings, which you can do via the mobile app.
If you are on the paid subscription tier, Nebula can send you “push notifications” to your mobile phone to alert you if your uplink or any of the devices have gone offline. I wish Zyxel would make that feature part of the free license because such notifications are useful for almost everybody.
Zyxel Nebula Security Gateway
- Gigabit Firewall Performance
- Decent VPN and IDP Throughput
- Two WAN Ports for Fail-over Support
- Wall-mounting only an option for NSG50
- Power Plug Easily Comes Loose
- Limited AV Throughput
Zyxel offers three models of its cloud-managed security gateway that mostly differ in performance, number of ports and mounting options. I got to test the top-tier NSG200.
The NSG200 Zyxel gave me for this review has a ton of useful features that most (business) users can benefit from. As a result, some of the “cons” I mentioned above, might not apply to you. They impact me because I don’t have a server rack to mount my NSG200. So I would have preferred a wall-mounting option, which is only available for the NSG50.
Additionally, my fiber-optic internet upload offers almost 1,000 megabits per second (Mbps) of bandwidth. That’s over twice as fast as the NSG200 can handle when you enable anti-virus scanning and intrusion detection and prevention (IDP). As a result, I don’t use some of those security features.
The other feature I would have liked to have is support for X.509 certificate-based authentication for the site-to-site VPN. That way, I could permanently connect the NSG200 to our corporate network and wouldn’t have to worry about using a software VPN client on my iMac.
But to be fair, my Ubiquiti security gateway doesn’t have any of those missing features either. So I’m not losing anything with the Zyxel gateway.
If your site requires an always-on Internet connection, you’ll appreciate that the NSG200 supports up to two WAN uplinks with traffic shaping and fail-over. Before I switched to a fiber-optic connection, I often had issues with Comcast’s unreliable and analog cable link. During that time, I considered signing up for backup DSL service, but I didn’t have the router to support two uplinks.
Besides the aforementioned benefits, the NSG200 supports all the features you would expect from a mid-tier router and more, including:
- Stateful firewall
- Custom routing options
- Content and security filtering
- Site-to-Site VPN
- L2TP over IPSEC client (VPN)
- Walled Garden
- Captive portal
- Traffic shaping
- External authentication (AD, Radius) and external DNS server support
|10/100/1000 Mbps RJ-45 ports||4 x LAN (GbE)
2 x WAN (1x SFP, 1x GbE)
|4 x LAN (GbE)
2 x WAN (GbE)
|5 x LAN (GbE)
2 x WAN (GbE)
|SPI firewall throughput (Mbps)||300||450||1,250|
|VPN throughput (Mbps)||100||150||500|
|IDP throughput (Mbps)||110||160||500|
|AV throughput (Mbps)||50||90||300|
|SP throughput (Mbps, AV and IDP)||50||90||300|
|Max. TCP concurrent sessions||20,000||40,000||80,000|
|Max. TCP session rate||2,000||2,000||8,000|
|Max. concurrent IPsec VPN tunnels||10||40||200|
|Price (incl. 1 Year Subscription)||$229.99||$400.00||$650.00|
Overall, the NSG200 is a solid mid-tier security gateway and router with a ton of easy-to-use configuration options.
Zyxel Nebula Switches
- Solid Switching Performance
- Ethernet and SFP Ports
- Optional Power-over-Ethernet (PoE) Ports
- You Can’t Wall-mount Them
- The Fan is Noisy (PoE Models)
For this review, Zyxel has sent me two of their NSW100-10P switches. The number 10 indicated the number of ports the switch has and “P” indicates Power-over-Ethernet (PoE) support. The latter is useful for wireless access points and security cameras because it enables me to power them over Ethernet, instead of having to connect the devices to a traditional power outlet.
The disadvantage of Zyxel’s PoE switches is that their built-in fan is relatively loud. They are not annoyingly loud, but the noise is noticeable and more than what I’m used to from the Ubiquiti switches.
The NSW100-10P switches I was testing, have all the features you would expect from devices of this class:
- Port Aggregation and Bonding
- Cable Diagnostics
- VLAN Tagging
- IP Filtering
- Radius Policies for MAC-based Authentication
- PoE Schedules
- Quality of Service (QoS) for VLANs
|10/1000 Mbps Ports||8||✘||24||✘||✘|
|10/1000 Mbps PoE Ports||✘||8||✘||24||24|
|10 Gigabit SFP+||✘||✘||✘||✘||4|
|Gigabit combo (SFP/RJ-45)||2||2||4||4||✘|
|Switching Capacity (Gbps)||20||20||56||56||128|
|Forwarding Rate (Mbps)||14.88||15||41.67||41.67||95.2|
|Packet Buffer (KB)||448||448||1536||1536||1536|
|Acoustic Noise (dBA)||0||37.7||0||59.6||42.075|
|Total PoE power budget (Watt)||✘||180||✘||375||375|
|Price (incl. 1 Year Subscription)||$139.99||$220.00||$217.43||$385.00||$500.00|
Overall, I’m happy with the feature-set and performance of Zyxel’s Nebula switches. My advice is to pick a fan-less model if you don’t need PoE and if you don’t have a dedicated server room where noise is not an issue.
Zyxel Nebula Access Points
- MU-MIMO for Enhanced Performance
- Flexible Mounting Options
- Support for Up To Eight SSIDs
- Commercial Design
- Throughput Limited to 900 Mbps
Zyxel offers four cloud-managed access points, including an outdoor model with external antenna support that I haven’t tested. For this review, Zyxel sent me one NAP303, one NAP203, and two NAP102 access points.
Similar to what I did with Ubiquiti’s APs, I installed the most powerful AP (NAP303) in our family room, where we spend a lot of time and stream movies. The mid-tier NAP203 I installed in our living room to cover a bulk of our IoT devices (thermostats…) and the NAP102 I placed in my office. The reason for that is because my iMac is hardwired to the switch, and so I don’t need the best Wi-Fi performance in my office.
The two things I noticed immediately when installing the NAPs was their slightly taller form factor and “old school” commercial design. Of course, neither has any impact on their performance, and only a few users would care about that outside of a residential environment.
Beyond that, the access points have performed as well as I had expected. The installation was straightforward, and beyond creating an SSID, there was no configuration required.
Roaming and Handoff
Besides spotless coverage, one of the primary pain points with Wi-Fi I have had in the past was roaming and handover. I often make or accept a call in the kitchen or family room while my iPhone is connected to the nearest access point in that area. If I then walk into my office to continue the conversation, I want my phone to handoff to the access point in my office for the best possible connection.
Most consumer-grade Wi-Fi equipment doesn’t support that. Zyxel offers various features that enable and encourage devices to hand off to the nearest access point with no or little interruption, such as dropped packages. Roaming and handoff are very much client-dependent, and newer clients offer better and more seamless support than older clients. But the great thing about Zyxel’s implementation is that the company has implemented features to make the handoff process more reliable for a wide range of devices by offering:
- Smart steering based on signal thresholds
- Assisted roaming using 802.11k/v protocols
|WLAN Maximum Throughput||450 Mbps||900 Mbps||900 Mbps|
|Number of LAN Ports||1||2||2|
|Antenna Gain||2.4 GHz 3 dBi
5 GHz 4 dBi
|Ceiling: 2.4 GHz 3 dBi
5 GHz 4 dBi
Wall: 2.4 GHz 4 dBi
5 GHz 5 dBi
|2.4 GHz, 4 dBi
5 GHz, 6 dBi
|Mounting Options||Ceiling||Ceiling or Wall||Ceiling or Wall|
|Price (incl. 1 Year Subscription)||$129.99||$159.99||$465.00|
Overall, I was impressed by the performance and ease-of-deployment of the Nebula access points.
Zyxel Nebula Licensing
Each Zyxel Nebula devices comes with a free license that should be sufficient for most non-commercial users.
If you need additional features, such as user auditing, notifications & alerts, advanced VPN features, etc., you can upgrade to a professional license pack. You can subscribe to the Professional Pack on an annual basis, or you can purchase a lifetime license.
Below are examples of how much a Zyxel Nebula Lifetime License costs per device for the following device types:
|Access Point Lifetime License|
|Security Gateway Lifetime License|
|Ethernet Switch Lifetime License|
The Zyxel Nebula platform worked overall well and met most of my expectations. I did run into a few issues that I wanted to point out:
The Power Cable Of The Security Gateway Is Lose
The rounded power plug of the Zyxel NSG200 is incredibly loose and comes out with only the slightest pull. I accidentally unplugged the gateway several times by just lifting it and moving it to another position. Zyxel is aware of the issue, and they are working on a fix.
Mobile App Keeps Logging Me Out
The mobile app keeps logging me out every 24 hours or so. As a result, I have to re-authenticate every time I want to use the app. While that’s only a minor inconvenience, I hope it doesn’t interfere with the delivery of push notifications. But either way, Zyxel ought to fix that and also add TouchID of FaceID on iOS to remove the need for username and password.
Random Device Disconnects
During the first few days of testing, I noticed that some of my devices, such as my iPhone and home security cameras would randomly disconnect from Wi-Fi or lose internet connectivity. The cause of the latter was due to my ISPs modem going offline for a minute at 4 AM. The Wi-Fi disconnects were likely caused by configuration changes I had made.
After the initial setup, I clicked through the management console and made changes without reading the documentation. You know, that’s what pros do :)
One of the settings I messed with was client steering, dynamic channel switching (DCS), and dynamic frequency selection (DFS).
The latter enables an access point to automatically switch channels if it detects radar or interference that looks like a radar signal. When it does, any connected device might go offline for a few seconds before it can reestablish connectivity using a different channel. To resolve that problem, I turned DFS off. Most consumer-grade Wi-Fi clients don’t support DFS channels anyway, so turning that setting of won’t affect me.
I also made sure that I enabled “DCS client aware” to prevent my access points from selecting better channels while clients are connected to it. You can read more about those radio settings in the online help.
Note that anytime you make changes to those settings, your APs may drop all clients. Most computers and smartphones immediately reconnect without any issues, but I have noticed that some IoT devices don’t. For instance, some of my LIFX smart bulbs don’t reconnect until you power cycle them. That’s a bit annoying, but a problem LIFX has to fix.
With its Nebula product line, Zyxel offers an easy-to-manage cloud platform and combines advanced features and rapid deployment capabilities. As a result, it’s not only an excellent fit for small- and medium-sized businesses but also for residential environments and prosumers that have high demands on networking equipment and Wi-Fi coverage.
Where does that leave me? Well, I already own a ton of Ubiquiti devices, and my investment goes beyond networking infrastructure. So I’ll stick with what I have, but for a new deployment, I’d seriously consider Zyxel’s Nebula platform and so should you.
What networking equipment do you use at your business or home? And what do you like/dislike about it? Let me know by leaving a comment below!