Chapter 15 Firewall

1. A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.

2. The AMG1312-T Series reroutes the SYN packet through Gateway A on the LAN to the WAN.

3. The reply from the WAN goes directly to the computer on the LAN without going through the AMG1312-T Series.

As a result, the AMG1312-T Series resets the connection, as the connection has not been acknowledged.

Figure 95 “Triangle Route” Problem

[Diagram labels: LAN, WAN, ISP 1, ISP 2, A; numbered arrows 1, 2, 3]

15.6.4.2 Solving the “Triangle Route” Problem

If you have the AMG1312-T Series allow triangle route sessions, traffic from the WAN can go directly to a LAN computer without passing through the AMG1312-T Series and its firewall protection.

Another solution is to use IP alias. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your AMG1312-T Series supports up to three logical LAN interfaces with the AMG1312-T Series being the gateway for each logical network.

It’s like having multiple LAN networks that actually use the same physical cables and ports. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the AMG1312-T Series to your LAN. The following steps describe such a scenario.

1. A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.

2. The AMG1312-T Series reroutes the packet to Gateway A, which is in Subnet 2.

3. The reply from the WAN goes to the AMG1312-T Series.

4. The AMG1312-T Series then sends it to the computer on the LAN in Subnet 1.
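The return path in both layouts can be checked with a small model. This is an added example, not part of the User's Guide: it applies Gateway A's on-link test to a reply and reports whether the firewall ever sees it. All addresses and function names are constructed for illustration.

```python
import ipaddress

def reply_path(lan_host, gateway_a_if, router_ifs):
    """Hops a WAN reply takes from Gateway A back to the LAN computer.

    gateway_a_if: Gateway A's LAN-side address with prefix (constructed).
    router_ifs:   the AMG1312-T's LAN addresses, one per logical LAN / IP alias.
    """
    host = ipaddress.ip_address(lan_host)
    gw_net = ipaddress.ip_interface(gateway_a_if).network
    if host in gw_net:
        # Same subnet: Gateway A delivers on-link and the firewall never
        # sees the reply. This is the triangle route.
        return ["gateway_a", "lan_host"]
    ifs = [ipaddress.ip_interface(i) for i in router_ifs]
    gw_side = any(i.ip in gw_net for i in ifs)       # next hop Gateway A can reach
    host_side = any(host in i.network for i in ifs)  # leg facing the LAN computer
    if gw_side and host_side:
        return ["gateway_a", "amg1312", "lan_host"]
    return ["gateway_a", "unreachable"]

def session_state(path):
    """The firewall saw the outbound SYN; it keeps the session only if the
    reply also passes through it."""
    if path[-1] != "lan_host":
        return "no reply"
    return "established" if "amg1312" in path else "reset"

# Constructed sample layouts.
FLAT = ("192.168.1.33", "192.168.1.254/24", ["192.168.1.1/24"])
ALIAS = ("192.168.1.33", "192.168.2.254/24",
         ["192.168.1.1/24", "192.168.2.1/24"])  # Subnet 1 and Subnet 2

def simulate(layout):
    path = reply_path(*layout)
    return path, session_state(path)

if __name__ == "__main__":
    for name, layout in (("flat LAN", FLAT), ("IP alias", ALIAS)):
        path, state = simulate(layout)
        print(f"{name}: {' -> '.join(path)} => {state}")
```
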


AMG1312-T Series User’s Guide