Page 376 / 427
Scroll up to view Page 371 - 375
P-2602H(W)(L)-DxA Series User’s Guide
376
Appendix G Firewall Commands
Page 377 / 427
P-2602H(W)(L)-DxA Series User’s Guide
Appendix H Triangle Route
377
A
PPENDIX
H
Triangle Route
The Ideal Setup
When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and
the Internet. In an ideal network topology, all incoming and outgoing network traffic passes
through the ZyXEL Device to protect your LAN against attacks.
Figure 217
Ideal Setup
The “Triangle Route” Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices.
Some companies have more than one alternate route to one or more ISPs. If the LAN and
ISP(s) are in the same subnet, the “triangle route” problem may occur. The steps below
describe the “triangle route” problem.
1
A computer on the LAN initiates a connection by sending out a SYN packet to a
receiving server on the WAN.
2
The ZyXEL Device reroutes the SYN packet through Gateway
B
on the LAN to the
WAN.
3
The reply from the WAN goes directly to the computer on the LAN without going
through the ZyXEL Device.
As a result, the ZyXEL Device resets the connection, as the connection has not been
acknowledged.
Page 378 / 427
P-2602H(W)(L)-DxA Series User’s Guide
378
Appendix H Triangle Route
Figure 218
“Triangle Route” Problem
The “Triangle Route” Solutions
This section presents you two solutions to the “triangle route” problem.
IP Aliasing
IP alias allows you to partition your network into logical sections over the same Ethernet
interface. Your ZyXEL Device supports up to three logical LAN interfaces with the ZyXEL
Device being the gateway for each logical network. By putting your LAN and Gateway
B
in
different subnets, all returning network traffic must pass through the ZyXEL Device to your
LAN. The following steps describe such a scenario.
1
A computer on the LAN initiates a connection by sending a SYN packet to a receiving
server on the WAN.
2
The ZyXEL Device
reroutes the packet to Gateway B, which is in Subnet 2.
3
The reply from WAN goes through the ZyXEL Device to the computer on the LAN in
Subnet 1.
Figure 219
IP Alias
Page 379 / 427
P-2602H(W)(L)-DxA Series User’s Guide
Appendix H Triangle Route
379
Gateways on the WAN Side
A second solution to the “triangle route” problem is to put all of your network gateways on the
WAN side as the following figure shows. This ensures that all incoming network traffic passes
through your ZyXEL Device to your LAN. Therefore your LAN is protected.
Figure 220
Gateways on the WAN Side
Page 380 / 427
P-2602H(W)(L)-DxA Series User’s Guide
380
Appendix H Triangle Route
19216811.live