ZyXEL Communications P-2302 14.2 Triangle Route, 14.2.1 The “Triangle Route” Problem

Chapter 14 Firewall

Blocked LAN-to-WANpackets are considered alerts. Alerts are “higher priority logs” that include system errors, attacks and attempted access to blocked web sites. Alerts appear in red in the View Log screen. You may choose to have alerts e-mailed immediately in the Log Settings screen.

LAN-to-LAN/ZyXEL Device means the LAN to the ZyXEL Device LAN interface. This is always allowed, as this is how you manage the ZyXEL Device from your local computer.

14.1.4.2 WAN-to-LAN rules

WAN-to-LANrules are Internet to your local network firewall rules. The default is to block all traffic from the Internet to your local network.

How can you forward certain WAN to LAN traffic? You may allow traffic originating from the WAN to be forwarded to the LAN by:

•Configuring NAT port forwarding rules.

•Configuring WAN or LAN & WAN access for services in the Remote Management screens. When you allow remote management from the WAN, you are actually configuring WAN-to-WAN/ZyXEL Device firewall rules. WAN-to-WAN/ZyXEL Device firewall rules are Internet to the ZyXEL Device WAN interface firewall rules. The default is to block all such traffic. When you decide what WAN-to-LAN packets to log, you are in fact deciding what WAN-to-LANand WAN-to-WAN/ZyXEL Device packets to log.

Forwarded WAN-to-LANpackets are not considered alerts.

14.2 Triangle Route

When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyXEL Device to protect your LAN against attacks.

Figure 104 Ideal Firewall Setup

14.2.1 The “Triangle Route” Problem

A traffic route is a path for sending or receiving data packets between two Ethernet devices. You may have more than one connection to the Internet (through one or more ISPs). If an alternate gateway is on the LAN (and its IP address is in the same subnet as the ZyXEL Device’s LAN IP address), the “triangle route” (also called asymmetrical route) problem may occur. The steps below describe the “triangle route” problem.

1A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.

	181
P-2302HWUDL-P1 Series User’s Guide	181