I have been reviewing tech for almost two decades with DRN, and it would be safe to say that I have had all kinds of experiences from awesome to downright ugly. This may be the first time a piece of gear has absolutely ruined things for me going forward.
When Zyxel launched their SCR 50AXE secure cloud-managed router, I was eager to put my hand up to see how far I can push it. Happily Zyxel came to the party.
What is it?
The SCR 50AXE (going to call it SCR50 from hereon) is a AXE5400 Tri-Band WiFi 6E secure cloud-managed router. It is designed for small and home office users, remote workers, and small business owners looking for a network with best-in-class security and superfast WiFi.
Let’s face it, the SCR50 is not pitched at your average home router audience but it should. I will go into why later in the review.
It look a little while from launch to when the review unit was shipped to me, with the delay being attributed to a revised firmware needing further testing prior to release.
As it was, firmware V1.10 was launched about a week after I first started my review. I will write this up based on this version of firmware.
First Impressions
The SCR50 is probably best described as a matte white slab with a red frame cutting in mid-point of the device and circles the unit along the vertical plane. It’s rounded off on all the corners and is neither modern nor dated.
There are no bristling of antennas around the unit, just a clean plastic shell. I assume the four antennas are hidden in the red strip that bisects the device, but I am not about to deconstruct the unit to find out.
It comes with a stand to keep it upright, with a thoughtful magnetic attachment to guide it in place.
Speaking of keeping it upright, this one isn’t going dish out performance lying down in a rack. But then again, why would you ever want to kill your signal by putting your wireless router in the rack anyway?
It also sports four Gigabit ports in addition to the Gigabit WAN port.
Getting Started
This is important, the SCR50 is a cloud-managed router, which means, it is managed via the cloud. Getting going means downloading the Nebula app onto your phone and following the bouncing ball.
You will need to create a Zyxel account if you don’t have one already (no surprises), and you will be prompted to enable 2FA here. Given the heart of your network is going to be managed from the cloud, you really don’t want to put this off. Do it now and be done with it.
The wizard will prompt you to create a site name, so put in something you can live with. It can be changed later, you just need to find where. It also need your country and timezone.
Next you can either scan a QR Code off the back of the unit, or enter the device details manually. Once this is done, the device will be registered onto Nebula and become “Nebula managed”.
Zyxel provides 30 day trials for each license type available. It’s a once only so if you deactivate it early, it’s done. You can skip accepting the trial here and activate it later in the Nebula Control Center. I will cover off what is available later. It is important to note not all of these trials suit SCR50.
Once the SCR50 is powered on and connected to the internet, the wizard will prompt you to create your first WiFi network.
At this point, you are up and running in the most basic of ways.
Diving Deeper – Managing the Router
There are three ways to manage the SCR, loosely. If you are a power user, you need a combination of the latter two options.
webUI
There is the in-built webUI which is super basic, not surprisingly given this is a cloud-managed router.
There is just enough control to change your WAN connection type if are having issues connecting to the internet or have special configuration such as a VLAN ID (for telcos like TPG). It also allows you to release your public IP (if you are on DHCP there) and some basic diagnostic tests.
The catch here is, if your device is Nebula registered, then you will need to head onto the Nebula Control Center to find the local admin password. The one printed on the unit won’t work any more.
App
The Nebula app on the phone is where to go for a bit more control over your SCR50. Here you can create up to four WiFi networks, set their VLAN and Band Mode (2.4 GHz, 5 GHz, 6 GHz).
You can perform a connection test, which is either an IP or FQDN (Fully Qualified Domain Name) and it will reach out to see if there is a domain name resolution if using FQDN and make a connection.
Next to that is a reboot button, because sometimes you just need to kick the tyres and start again. I have had to do it a few times when playing heavily with WiFi settings.
Statistics are also prominent in the app, with a client list of all devices on all VLANs displayed. If the options are enabled, you can get Application Usage snapshot, Threat Report and Content Filter Reports.
Lastly in the app you can manage your site, administrators and licences.
Nebula Control Center
This is where the power users will come to, the Nebula Control Center (NCC). Upon login, the Dashboard gives you a “single pane of glass” view of your network. In my case the SCR50 is my only Zyxel device at the moment.
The Dashboard is customisable and by default, all the widgets for the security router is enabled already. It is not particularly exciting for your run of the mill home user, but for me, the level of details I can get at a glance tells a thousand words about my network, which kid is doing what and how much. It is great!
All the features in the app is available in NCC – well almost. Taking a step back, the NCC is designed to manage all the Zyxel products. So if this is your first exposure to it with only one device, there are plenty of options and features that will lead to nowhere. But fear not, Zyxel has grouped things under product lines, so I only had to concentrate on the Security Router part of each section.
Configuration
I am not going to write a manual on using NCC, however I am going to point out specific features or issues that I have discovered along the way. If you have ever used Unifi before, it is similar just fully cloud based. There is no requirement for a local install instance of the control panel, or a hardware key for Zyxel.
Interface
If you want to change the SCR50’s local IP, this can only be done via NCC under the Security Router Interface section.
In firmware v1.0, there was no support for VLANs. This feature has since been released with firmware v1.1. Additional LAN interfaces can be configured here to correspond with the VLAN IDs. Why am I talking about VLANs (Virtual LAN) so much? I will cover that off later in the review.
WiFi Networks
In the previous section I mentioned that you can create up to four WiFi networks and configured their options in app. To fully leverage the WiFi options, you have to use both the app and NCC in combination. The WiFi settings are site-wide, meaning if you have Access Points in play, these changes are global. There are ways to control what SSID gets broadcasted by what device, but it doesn’t apply in this review.
There are some quirks in the way options are presented in NCC. For example, when setting the WiFi SSID settings on surface it looks like you can’t set the VLAN ID in NCC, something that you can easily do in the app. But if you dig deeper into SSID advanced settings in another part of the configuration, then you can find where to set the VLAN ID.
NCC also allows you to set whether the SSID is a guest network, which you can’t do in app. True story.
NCC also allows you to enable 802.11k/v for assisted roaming and U-APSD (Unscheduled Automatic Power Save Delivery) which is part of the 802.11e standard.
Threat Management
Impressively, Zyxel has made Threat Management a subscription free feature. Better still, threat management is not lumped into a single bucket but six distinct categories:
- Ransomware / Malware Prevention
- Intrusion blocker
- Dark Web blocker
- Stop mail fraud & phishing
- Block Ads
- Block VPN Proxy
Each can be enabled or disabled individually, with exception lists by client or IP, as well as custom allowed / blocked domain.
As is the case with content filters, it is never perfect and you will get false positives as I found out some legit and popular sites backed onto Shopify were blocked.
Traffic Management
To get a detailed picture of what your bandwidth is being used for, you need to enable application identification.
The trade off for the knowledge is a possible reduction in maximum throughput speeds.
Firewall
In firmware v1.1, I am happy to say that you can route traffic between VLANs. Prior to this, clients on the guest network can only go out through the main gateway.
Detailed Configuration
Why was I so excited about testing the SCR50, and why did I say at the start that it ruined things for me?
In a nutshell – VLANs. Being able to create more than two SSID and fine grain control of the VLAN means I can finally set my network up the way I really want.
For the past few years, I have been saying that even the most basic WiFi routers need to have more than two SSIDs. Why? Because you want to be able to hive off your IoT devices into their own network, separate from your trusted internal SSID. Yes, you should not implicitly trust the security of IoT devices as they are an easy attack vector. Additionally guests coming to your network should not be put onto the main WiFi network, they really should be set to a guest network that is isolated.
Unfortunately having this feature means little is available in the domestic home or SOHO market. The products that supports it are either expensive, or difficult to manage, or both.
On the point of management, there is some learning curve involved in using the NCC. However if you are considering the sort of network I talked about, then you at least have some understanding of the technical and security specifications. There are plenty of help articles on the Zyxel network, a quick Google has pointed me in the right direction for anything I couldn’t figure out quickly.
I figured my SCR50 with three SSIDs and two VLANs.
- First is the core trusted network where my data is stored.
- The IoT VLAN where my smart devices connect to, with a firewall rule to allow inbound traffic to the port where my media server listens for connection.
- The last VLAN is my guest network which is isolated from everything but the gateway.
Each VLAN has it’s own DHCP range and I can tighten this down to a small range to limit the devices that can jump on per VLAN. For example, would I need a pool of 200 IP addresses for my guest network? Absolutely not.
With this basic configuration, I can limit the attack vectors from devices that I have little control over.
In Use
I used the SCR50 to replace a well known brand’s home market 3-node mesh network. My house isn’t huge, but with the way the walls are, I have my main node in the kitchen close to the ceiling, and a mesh node in the front room to provide coverage to the front of the house. I also had a mesh node in the garage to cover the backyard when I am working in there, which isn’t that often.
To be fair, the mesh network that I had in place was a nightmare of a beast with multiple issues and I was itching to replace it. There were concerns about the coverage of a single SCR50 when I put it in, but these are completely laid to rest in action.
I didn’t go and measure every part of the house with tools, instead I measured the screams of my biological testers when their network connections has high latency or drops out. And the best part? It was deadly silent. Other than when I was messing around with the configuration and rebooting the router without warning on the first couple of days, no one has complained. The SCR50 is so good that the teenager finally jumped back on his games because the latency does not suck anymore.
Using the kids current gen Lenovo laptops for school, I can see their connection on 802.11ax WiFi6. It surpasses everything else we have at home at the moment and guess what kids? Can’t tell me your connection is too slow to do your research and homework!
The biggest benefit I have derived from the SCR50 is the dedicated IoT SSID. What is absolutely fantastic is that I can specific which WiFi band(s) are active for each SSID. For all those pesky IoT devices that will only support 2.4GHz? Your WiFi SSID is only active for 2.4GHz. Happy days!
I have had the most stable connection ever to my ducted heater and my split air conditioner thanks to being able to limit the IoT SSID to just 2.4 GHz band. No more fiddling around turning 5GHz off (if it is even possible on some devices) to get things going, then turning it back on.
Another handy feature off the SCR50 is the ability to geo-block by country. Sick of Nigerian princes and their vault of gold? You can block the entire country via the Firewall section in NCC. (This is said in jest, you can block the originating country but if said Nigerian prince is stuck in London and are using email … you need the “Stop mail fraud & phishing” option enabled.)
Other Issues
Other than the few Shopify sites that were erroneously blocked by the ransomware filter (well strictly speaking they do take my money so it’s technically correct?), I did come into a couple of other issues.
My smart home devices are a mish mash of brands, it’s a definite “no” for coherence and homogeneous ecosystems. I was in the process of migrating all my IoT devices to their own SSID and smart light globes chewed up far too much of my time trying to get working with the SCR50.
The Sengled branded ones were easy, they just worked.
I ran into problems with Arlec branded ones (Tuya based) and Magic Home branded ones. Both of them were unable to complete registration regardless of every attempt, tricks and methods I could think of. In the end I had to submit a support ticket to help me sort this one out.
It turns out by changing the WLAN security to WPA3-Personal it fixed the Arlec branded ones. According to support even if you turn on WPA3, it runs it mixed mode in the background.
And in the process of getting these few smart light globes working, I messed around with the WiFi settings pretty heavily and frequently. This ended uo with my devices having general issues connecting to any of the SSIDs and the SCR50 had to be rebooted. I don’t really expect this to be an issue going forward, as I don’t have a need to constantly make changes to it.
Subscriptions
Zyxel’s subscription free tier is pretty impressive. Aside from the Threat Management listed above, it also comes with:
- Firewall
- Country Restriction (GeoIP)
- Allow list / Blocklist
- Traffic Management (applications & clients)
Subscribing to the SCR Pro Pack, which is available in 1 year or 3 years blocks gives everything above and in addition:
- Real-time threat intelligence Powered by Trellix (note: Trellix is the new name for Mcafee)
- Web Filtering (DNS) Powered by Trellix
- Nebula Pro Pack – Advanced feature set (more enterprise level features)
To clarify the real-time threat intelligence, it is Ransomware Prevention Premium with real-time update threat intelligence.
Gripes
Things aren’t perfect but there is an assumption of some technical knowhow when you use what is an essentially enterprise grade product.
The first thing to note is the four Gigabit ports. I will let that sink in for a moment because the security router is WiFi 6E capable – with speeds up to 1.788 Gbps at 4.5 metres.
It also irked me a bit that I can’t set a SSID as a guest network in the app. I would have thought that was a given.
The NCC interface is well beyond your basic home device webUI and I have no issues with that. Some of the options could have been grouped together such as SSID advanced settings being hived off away from the WiFi settings made it a little more clunky than necessary.
Playing with VLANs, NCC accepts an IP ending in 0 as a valid interface. A bit odd but ok …. a seasoned technical person would not made that mistake but hey, I thought I would try break things.
You can’t set a VLAN on the physical gigabit ports.
This last one is less of a complaint but just pointing out the facts. The SCR50 is cloud-managed, so when you apply a new setting, it is not instantaneous like it would be with a locally managed device. It takes a few minutes to replicate and sync with the cloud.
I am also having endless issues with some smart globes, particularly with Tuya based ones where I can detect them but they refuse to complete the registration.
The 2FA page for Nebula Control Center displays in a random language for me every time I get it.
Conclusions
With the state of play, Microsoft is gatekeeping WiFi 6E to Windows 11 clients only which is a dog move. Not everyone will be able to take advantage of the speed boost that the SCR50 can offer.
Whilst I understand that the budget friendlier position of the SCR50 require some sacrifices to the price point, being limited to Gigabit ports also means there is a bottleneck to the throughput that you can’t go around. This makes the badge of WiFi 6E more for marketing than for real world use. But that said, having the option there means I don’t need to worry about needing to upgrade it any time soon.
What the Zyxel SCR 50AXE delivers is rock solid WiFi (and LAN) connections, fantastic baseline threat management features, and flexibility with WiFi networks and VLAN segregation. It is not one for your average home user as the proper configuration requires a bit of technical competency, but it is not so difficult that you need to complete a certified course first. YMMV though as I have the benefit of many years of working with many brands of networking gear across the spectrum.
At a RRP of USD $230 for the security router (which at time of publish is about AUD$350), this is a bargain prosumer device going into small business space. Given the performance and features, this is well worth considering. I am totally smitten by the multiple SSID and VLAN capability. It is available from Optical Solutions down in Port Melbourne.
The SCR Pro subscription is around USD$67 per year or USD $6.68 per month. I am already impressed with the subscription-free tier, but there is just a little more for a small amount per year, including extended logs which in the event of an incident, is mighty useful.
DRN would like to thank Zyxel for providing the review unit, this is a really solid device and it gets my vote for a Pulse Award. Congratulations Zyxel!
Specifications
CPU: Dual-core, 1.00GHz, Cortex A53
RAM/FLASH : 1GB/256MB
10/100/1000 Mbps RJ-45 ports : 1 x WAN: 1 GbE RJ45 port ; 4 x LAN: 1 GbE RJ45 ports
SPI firewall throughput LAN to WAN (Mbps) : 900
Throughput with threat Management on (Mbps) : 900
Standard compliance : IEEE 802.11ax/ac/n/a 2.4 GHz , IEEE 802.11ax/ac/n/a 5 GHz , IEEE 802.11ax 6 GHZ
Wireless frequency : 2.4/5/6 GHz
Radio: 3
SSID number: 4
No of antenna: 4 (internal)
Antenna gain: 2.0 dBi @2.4 GHz , 3.0 dBi @5 GHz , 3.5 dBi @6 GHz* (certified countries only)
Wireless speed: 2.4 GHz: 575 Mbps , 5 GHz: 2400 Mbps , 6 GHz: 2400 Mbps
Power input : 12V DC, 2.0 A
Max. power consumption (Watt Max.) : 21W
Security Features
Ransomware/malware protection: Yes
Intrusion blocker : Yes
Dark Web Blocker : Yes
Stop mail fraud & phishing : Yes
Block Ads : Yes
Block VPN proxy : Yes
Web Filtering : Yes
Firewall : Yes
Country Restriction (GeoIP) : Yes
Allowlist/Blocklist : Yes
Traffic Management (applications & clients) : Yes
Real-time threat intelligence: Yes
Web Filtering (DNS): Yes
Nebula Pro Pack: Yes
VPN Features
Site-to-site VPN: IPSec
Networking
WAN type : Static IP, DHCP, PPPoE, and PPPoE with Static IP
PPPoE Pass-through : Yes
Reserve IP : Yes
Block clients : Yes
NAT – Virtual server : Yes
DHCP server/client and DHCP relay : Yes
Dynamic DNS : Yes
Static route : Yes
IGMP Proxy : Yes
WLAN Management
Firmware upgrade: Yes
Configuration backup and restore : Yes
Live tools : Yes
The Zyxel SCR 50AXE router combines top-tier security with impressive speed and flexibility. How does the Zyxel SCR 50AXE compare to other routers in its class regarding security features?