Two in one, or migration of the access point controller to the gateway

It is believed that a serious network infrastructure – it should be expensive, and the more devices in it, the better. But is this principle always true? Let’s try to understand the example of managing Wi-Fi access points.


Wi-Fi network management deserves close attention: both from the system or network administrator, and when introducing special equipment. Otherwise, you can easily get very interesting, but undesirable “oddities” when working with network devices.

One of such examples was considered by us in the article Synchronization of Wi-Fi access points for collaboration.

The same article provides information about specialized Wi-Fi controllers, with the help of which control is performed. But what does it do? Do you have to buy another device, configure it, update firmware and so on?

This is another point of failure (for example, the power supply may fail after a power surge), and another object for maintenance (at least occasionally you need to update the firmware).

Fortunately, Zyxel engineers have provided a more versatile option, adding access point management features to other devices, in particular to firewalls.

This approach is more convenient for managing the network infrastructure as a whole. Although it is theoretically possible to imagine the separation of duties from a series: one person only administers the Internet gateway, the other only administers Wi-Fi controllers and access points, but in practice this approach is extremely rare, usually there is one network administrator or an entire administrative link, whose responsibilities include maintaining the entire network.

Access point management is supported by almost all series of network gateways: ATP, USG, VPN, ZyWALL and USG FLEX. Actually, the network administrator has a place to roam in terms of choice.

A universal approach to managing access points and organizing a gateway in questions and answers

We offer readers answers to the most frequently asked questions (FAQ) that will help you better navigate when choosing alternative options.

Questions and answers on the general organization of infrastructure and business processes

Question 1. For what cases is this approach: the gateway and the AP controller – two in one – the most convenient?

Answer: Convenient for small companies and large organizations.

For small companies, this is convenient for reducing costs at the time of establishing a business: one device costs less than two. Accordingly, it is easier for the “coming admin” to administer one device.

For large companies, this approach is convenient in that it eliminates the additional point of failure that needs maintenance. This is important, for example, when using power management systems (watchdogs), which automatically restart the device by power when certain conditions occur.

Question 2. Could it be that because of the placement on the same device between managing access points and maintaining the functions of the Internet gateway, there will be competition for hardware resources: processor, memory?

No, if you purchase the appropriate device for the desired number of access points. Any device: ATP, USG, USG FLEX, VPN, ZyWALL is designed with a balance between the number of maximum possible Wi-Fi users and ensuring maximum gateway performance when accessing the Internet.

Quite the contrary, having an Internet gateway separately and an access point controller (NXC) separately, you can get the same performance imbalance, for example, when the access controller has already been upgraded to a more efficient one, and the Internet gateway has not yet (or vice versa).

Licensing Questions and Answers

Question 3. Which of the following devices: ATP, USG, VPN, USG FLEX are better suited for managing access points.

Answer: All of these devices do a good job of managing your wireless network. The set of Wi-Fi controller functions is approximately the same. Another thing is that there may be other critical areas for business, for example, VPN access functions (VPN series) or enhanced security mechanisms (ATP series).

Therefore, it would be more correct to use an integrated approach when designing a future network and upgrading an existing one.

If we talk only about the cost of the devices themselves, then the most budget option is the VPN series.

Question 4. For which of the VPN series models can the NXC2500 be replaced to make it cheaper and which model – for the most complete replacement?

Answer: If there are less than 36 points, then at the entry level it is enough ZyWALL VPN50if more – then on ZyWALLVPN100.

Figure 1. ZyWALL VPN50 firewall.

Question 5. A similar question for older models. What are we changing from VPN
NXC5000, to make it cheaper and change the NXC5500 so that it is as much as possible
full replacement?

Answer: If there are less than 132 points, then at the entry level it is enough ZyWALL VPN300,
if more – then you need to use ZyWALL VPN1000.

Figure 2. ZyWALL VPN300 firewall.

Figure 3. ZyWALL VPN1000 Firewall.

Important. Speaking about the initial level, we are discussing just the simplest situation — only Wi-Fi control. For example, the VPN50 may not be suitable if you need to use a redundant WAN channel over a twisted pair cable, for which the VPN100 has a special second WAN port, and starting from the VPN300 you can reconfigure any of the available network interfaces.

As mentioned above, depending on the number of points, instead of the NXC series, you can use not only the VPN series, but also others.

Table 1 shows the number of access points that can be controlled “right out of the box” (without acquiring a license):

Table 1. The number of access points available for management by default.

NXC2500: 8ATP100 / 100W / 200/500/700/800: 8 *USG40 / 40W: 2USG FLEX 100: 8VPN50 / 100/300/1000: 4ZyWALL 110/310: 2
NXC5500: 64USG60 / 60W: 2USG FLEX 200: 8ZyWALL 1100: 2
USG110 / 210/310: 2USG FLEX 500: 8
USG1100 / 1900: 2

Table 2. shows the maximum number of points for all devices.

Table 2. Maximum number of access point management licenses for different families.

NXC2500: 64ATP100 / 100W: 24USG40 / 40W: 18USG FLEX 100: 24VPN50: 36ZyWALL 110: 34
NXC5500: 1026ATP200: 40USG60 / 60W: 18USG FLEX 200: 40VPN100: 68ZyWALL 310: 34
ATP500: 72USG110 / 210: 34USG FLEX 500: 72VPN300: 132ZyWALL 1100: 130
ATP700: 264USG310: 34VPN1000: 1032
ATP800: 520USG1100: 130
USG1900: 130

* The ATP series with a Gold Pack subscription (which is included in the package for 1 year) has a maximum number of access points.

Important! NXC had licenses to add 8, 32, and 64 access points. For firewalls, there are licenses for 2, 4, 8 and 64 points – that is, more flexible licensing.

In addition, for the ZyMesh function to work on the NXC series, an appropriate license was required, but for firewalls it is not needed (included).

Note. The ZyMesh function eliminates the need to lay a cable to connect new Wi-Fi access points and provides a Wi-Fi-based fault tolerance mechanism with the ability to select from multiple routes for each access point with a repeater function. Otherwise, to expand Wi-Fi coverage when setting up a WDS connection, the network administrator must assign a channel and a MAC address on each access point. ZyMesh allows you to automatically allocate resources, so management becomes
much simpler.

Question 6. And what about the reservation? Do I need to duplicate the number of licenses?

Answer: When backing up the Wi-Fi controller of the NXC series, a set of licenses for each device was required; for firewalls, in the case of backups, licenses for only one device are needed.

Technical questions that arise when building or administering a Wi-Fi network and answers to them.

Question 7. As you know, there is no “bloodless replacement” of one with another. What features may not be available when replacing the NXC with management from a router, such as a VPN series?

Answer: there are no firewalls in the near future and there will be no support for QR code authentication (QR Code Captive Portal Auth) or for MAC authentication with portal authentication (MAC Auth fallback to Portal Auth).

However, there is good news. Despite the fact that firewalls do not yet have full Wi-Fi 6 support with WPA3, this feature will appear in firmware version 4.60, which will be released in September.

Question 8. What features useful for WLAN can be obtained as a result of such a replacement?

Answer: As mentioned above, in the firewalls the ZyMesh function is available for free, and also in the case of device redundancy (Device HA Pro) for wireless (and not only) clients, the transition to the backup device will be seamless, since all open sessions and authorized sessions are synchronized between the firewalls users

Question 9. How are you doing with security? How will the use of access point management from ATP, USG, VPN, ZyWALL and USG FLEX series routers affect Wi-Fi network security.

Answer: When using the routers of the series described above (I would especially like to highlight ATP for its wealth of protective functions), the network administrator can use the whole set of tools for increasing the level of security that is available in the corresponding firewalls: content filter, Geo IP, antivirus, IDP, application patrol (depending from a specific model).

Therefore, the level of security from this will only increase.

Read more about these functions in the section. Security Services – Content Filtering 2.0 on the Zyxel website. It is also worth reading an article on our corporate blog. Eat breakfast yourself, share your work with the cloud.

Question 10. What access points can ATP, USG, VPN, ZyWALL, and USG FLEX firewalls communicate with?

Answer: Below is a list of access points that these firewalls can manage:

  • NWA3160-N
  • NWA3550-N
  • NWA3560-N
  • NWA5160N
  • NWA5550-N
  • NWA5560-N
  • NWA5121-NI
  • NWA5123-NI
  • NWA5121-N
  • NWA5301-NJ
  • WAC6502D-E
  • WAC6502D-S
  • WAC6503D-S
  • WAC6553D-E
  • WAC6103D-I
  • NWA5123-A
  • WAC5302D-S
  • NWA5123-AC HD
  • WAC6303D-S
  • WAC6552D-S
  • WAX650S *
  • WAX510D *
    * in compatibility mode (without WPA3 support)


Effective building of IT infrastructure is not always expensive and does not always require large resources. Sometimes acquiring one device can solve a whole range of problems: from filtering content on the network to managing access points.

useful links

  1. Sync Wi-Fi hotspots for collaboration.

  2. Eat breakfast yourself, share your work with the “cloud”

  3. Security Services – Content Filtering 2.0

    on Zyxel website

  4. Description ZyWALL VPN50

  5. Description ZyWALL VPN100

  6. Description ZyWALL VPN300

  7. Description ZyWALL VPN1000

  8. Russian-speaking telegram chat Zyxel for professionals

  9. Russian speakers Zyxel forums for professionals

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *