TP-Link TL-ER6020 VPN Router Reviews: Introduction

In this review, I’m going to look at TP-LINK’s TL-ER6020, a dual WAN VPN Router with Gigabit ports. This router has two Gigabit Ethernet WAN ports and three Gigabit Ethernet LAN ports. The third LAN port can alternatively be configured as a dedicated DMZ port.

The TP-Link TL-ER6020 VPN Router is enclosed in a gray metal case measuring 11.6″ W x 7.1″ D x 1.7″ H. Brackets and screws are included for mounting in a standard 19″ rack. WAN and LAN Ethernet ports, a console port, indicator lights, and the reset button are located on the front of the device as shown below.

The back of the TL-ER6020, shown below, has a Kensington security slot, grounding terminal and power socket. If needed, the grounding terminal can be used for an additional ground. According to the TP-LINK data sheet, the TP-Link TL-ER6020 VPN Router is “designed to (withstand) lightning up to 4Kv in well-grounded connection conditions.” The power supply of the TL-ER6020 is internal. It comes with adhesive backed rubber feet for desktop use and has no internal cooling fan so it runs silently.

Where To Buy TP Link TL-ER6020 VPN Router:

TP-Link TL-ER6020 VPN Router Reviews: Inside

The TL-ER6020 runs on a Cavium CNS3411 600 MHz CPU, hidden under the heat sink in the shot of the main board below. There is no mention of jumbo frame support in any of the TP-LINK documentation. I did not test for jumbo frame support.

TP-Link TL-ER6020 VPN Router Reviews: Configuration

The TP-Link TL-ER6020 VPN Router can be configured via a browser, as well as via CLI with the included console cable or telnet (but not ssh). The user manual has a full chapter devoted to CLI configuration options. I found the web configuration GUI logical and easy to use. Menus are responsive and quick to apply. I suspect the 600MHz CPU contributes to the fast configuration performance.

Menu options are listed along the left of the web page, with sub options available once expanded. Within each sub menu, multiple tabs provide access to additional configuration pages. The table below provides a summary of the TL-ER6020’s configuration options.

The configuration pages in the web GUI have a help section that provides definitions for each of the fields. The 168 page user manual is also useful. Missing are configuration wizards in the web GUI, however. If you search through TP-LINK’s support site, there are some useful configuration examples, which I’ll mention shortly.

TP-Link TL-ER6020 VPN Router Reviews: VPN Configuration

The TL-ER6020 supports up to 16 L2TP tunnels, 16 PPTP tunnels and 50 IPsec tunnels. It can function as a server or client for L2TP and PPTP. As a server, remote clients can connect via L2TP and PPTP tunnels. As a client, the TP-Link TL-ER6020 VPN Router can connect to other L2TP or PPTP servers.

IPsec functionality includes support for remote access and site to site tunnels. TP-LINK doesn’t provide IPsec client software, but recommends Shrew Soft’s free VPN client or GreenBow’s VPN client. I successfully set up L2TP, PPTP, and IPsec tunnels to the TL-ER6020. VPN tunnel configuration on the TP-Link TL-ER6020 VPN Router is relatively straightforward, although you won’t find configuration wizards to help. For L2TP and PPTP tunnels, you enable the L2TP or PPTP server, create a user name and password, select whether encryption is enabled and create an IP address pool for the remote clients.

Using a Windows 7 PC and the native VPN “connect to a work network” utility, I was able to remotely connect to the TL-ER6020 via L2TP and PPTP. I was also able to remotely connect to the TL-ER6020 via a PPTP tunnel from an iPhone. In the screenshot from the TL-ER6020 below, my iPhone is connected via PPTP and my laptop via L2TP.

I set up IPsec tunnels with a remote Windows 7 PC running Shrew Soft’s IPsec VPN client software as well as a site-to-site tunnel to a NETGEAR SRX5308 VPN router. In the screenshot from the TL-ER6020 below, you can see I have a site-to-site and remote IPsec tunnel connected. IPsec configuration on the TP-Link TL-ER6020 VPN Router requires creating an IKE profile and policy as well as an IPsec profile and policy. All typical IPsec options are available, including MD5 and SHA-1 authentication and 3DES and AES encryption.

To set up a site-to-site tunnel, the NETGEAR SRX5308 VPN configuration wizard selects SHA1, 3DES, and DH2 for IKE/Phase 1, and ESP, PFS, sha1 and 3des = DH2 for IPsec/Phase 2. Once I manually applied the same options on the TP-Link TL-ER6020 VPN Router, the tunnel between the two routers came right up.

To set up remote IPsec tunnel support, I had to configure the options on both the TP-LINK and Shrew Soft client software, which took a bit of trial and error. After I got a remote IPsec tunnel working as shown in the screenshots below, I stumbled across a nice step by step on how to configure a TP-LINK VPN router with the Shrew Soft VPN Client on TP-LINK’s website. You’ll find other configuration examples located in TP-LINK’s FAQ section.

TP-Link TL-ER6020 VPN Router Reviews: VPN Performance

I tested the TL-ER6020’s VPN performance with iperf using default TCP settings, with a TCP window size of 8KB and no other options. I used iperf on two PCs running 64-bit Windows 7 with their software firewall disabled. For the site to site test, I used my standard NETGEAR SRX5308 to terminate the other end of the tunnel. NETGEAR specs the SRX5308 site-to-site tunnel throughput at 180 Mbps. But the best I was able to do testing with a 64 bit Win 7 client running TheGreenBox IPsec client was 43 Mbps with traffic flowing from Gateway to client. So the site-to-site test results above might be slightly limited by the SRX5308.

Table 2 shows a VPN throughput table comparing the TP-Link TL-ER6020 VPN Router to several VPN routers I’ve reviewed in recent years. Note, you can click on the model listed in the table to go to the review for each device.

TP-LINK rates the TL-ER6020 capable of 80 Mbps for IPsec VPN throughput with 3DES encryption. As you can see, I measured IPsec 3DES throughput on the TP-Link TL-ER6020 VPN Router at ~ 40 Mbps in both directions. TP-LINK addresses throughput testing in their FAQ section, stating varying results are based on test tool and protocol (TCP vs. UDP) differences. Nevertheless, iperf based TCP testing for IPsec throughput is a pretty good indicator of real world performance. The TL-ER6020 stacks up well against the other devices in the chart. More specifically, the TL-ER6020’s IPsec throughput is more symmetrical than most of the other devices.

PPTP throughput on the TP-Link TL-ER6020 VPN Router is head and shoulders above the other routers in the chart at 30 Mbps+. PPTP tunnels have a lot of utility since the client software is easy to set up and is included with all Windows versions as well as most smart phones including the iPhone and Android devices.

TP-Link TL-ER6020 VPN Router Reviews: Dual WAN.

The TL-ER6020 has three router modes, NAT, Non-NAT and Classic. Non-NAT mode disables NAT functionality and requires the configuration of static routes and/or utilization of the RIP routing protocol to establish routing rules.

I could see classic mode as useful if it allowed configuration of NAT on one WAN interface and Non-NAT on the other WAN interface, but it didn’t seem to work that way for me. Documentation of this mode is vague, so I’ve reached out to TP-LINK for clarity and will post an update when I hear back.

The TL-ER6020 automatically performs load balancing between active WAN ports using TP-LINK’s “Intelligent Load Balancing”. Using the default configuration for load balancing, it looks to me like the TL-ER6020 distributes traffic equally between WAN interfaces based on sessions.

To test default load balancing on the TP-Link TL-ER6020 VPN Router, I set up two continuous pings to two different websites, with each ping representing a different session. I repeated the test multiple times with similar results. Based on my simple tests, the TP-Link TL-ER6020 VPN Router can fail over to the other WAN connection quite quickly. I like the fact that it automatically uses both connections by default, instead of leaving one connection as an idle backup.

The TL-ER6020 dual-WAN default mode assumes equal ISP connection bandwidth. If your ISP connections have different bandwidth capabilities or if one is usage sensitive or if one is more reliable than the other or if you have a requirement to send specific traffic out a specific connection, you may want to adjust the load balancing scheme. Load balancing on the TL-ER6020 can be customized based on source, bandwidth or destination IP address, TCP or UDP, tine of day/week schedule and primary/backup designation.

TP-Link TL-ER6020 VPN Router Reviews: Firewall and Security.

There are five main options on the TL-ER6020 firewall: Anti ARP Spoofing, Attack Defense, MAC Filtering, Access Control, and App Control.

Anti ARP Spoofing is a feature more commonly found on switches, but is useful on a router, too. With this feature, you can bind IP addresses to specific MAC addresses and permit only traffic that matches those bindings.

Traffic floods can be blocked based on six types of traffic flows and configurable packet per second thresholds. Below is a screenshot of the Attack Defense options.

MAC filtering provides both allow/ deny options for listed MAC addresses. For a small network (less than 10 users), MAC filtering based on a list of permitted devices can be an effective way to control access to the network, although somewhat resource intensive.

Access Control options on the TP-Link TL-ER6020 VPN Router are basic. The URL filtering option filters Internet traffic based on urls or keywords, while the Web filtering option filters Internet traffic based on the presence of Java, ActiveX, or Cookies.

App Control allows for blocking various well-known Internet traffic types including Instant Messaging, Social Networking, Peer to Peer, Media, and other Internet sites. The list of applications are defined by a database file provided by TP-LINK. Once my basic rule was applied, I tested this feature with a basic rule to block all traffic to all of the apps shown below and could no longer access YouTube.

TP-Link TL-ER6020 VPN Router Reviews: Routing Performance.

Routing throughput was measured running 1.0.0 Build 20120807 Rel.34348 firmware, using our router test process. The TL-ER6020’s throughput numbers come pretty close to TP-LINK’s product ratings of 180 Mbps NAT throughput and 30,000 concurrent sessions.

We measured WAN-LAN throughput at 162 Mbps, LAN-WAN throughput at 157 Mbps, total throughput at 162 Mbps and maximum connections at 29,990. These numbers put the TP-Link TL-ER6020 VPN Router above most of the other VPN routers I’ve tested, shown in Table 3 below, but behind the Cisco RV180 and RV220W, which both produce throughput numbers north of 700 Mbps.

Where To Buy TP Link TL-ER6020 VPN Router: