Chapter 7 Firewalls
P-660R-F1 Series User’s Guide
101
3 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to LAN computers running FTP servers.
4 Does this rule conflict with any existing rules?
Once these questions have been answered, adding rules is simply a matter of entering the
information into the correct fields in the web configurator screens.
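Questions 3 and 4 above can be checked mechanically before a rule is typed into the configurator. The following is an added example, not part of this guide and not the ZyXEL Device's own rule format: it assumes a simplified rule model (direction, protocol, inclusive destination port range, action) and flags a candidate rule that permits Internet-initiated traffic to the LAN, and any existing rule whose match space overlaps the candidate with the opposite action. The sample rules are constructed for the walk-through.

```python
from dataclasses import dataclass


# Hypothetical rule model (assumption, not the web configurator's data structure).
@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "WAN_TO_LAN" (Internet to LAN) or "LAN_TO_WAN"
    protocol: str    # "TCP", "UDP" or "ANY"
    port_lo: int     # destination port range, inclusive
    port_hi: int
    action: str      # "PERMIT" or "DROP"


def _protocols_overlap(a: str, b: str) -> bool:
    return a == "ANY" or b == "ANY" or a == b


def _ports_overlap(a: Rule, b: Rule) -> bool:
    return a.port_lo <= b.port_hi and b.port_lo <= a.port_hi


def conflicts(new: Rule, existing: list) -> list:
    """Existing rules that match some of the same traffic as `new` but take the opposite action.

    For such a pair the evaluation order decides which rule wins, so the
    effective policy is not what either rule says on its own (question 4).
    """
    return [r for r in existing
            if r.direction == new.direction
            and _protocols_overlap(r.protocol, new.protocol)
            and _ports_overlap(r, new)
            and r.action != new.action]


def exposes_lan(rule: Rule) -> bool:
    """True when the rule lets Internet hosts open connections to LAN services (question 3)."""
    return rule.direction == "WAN_TO_LAN" and rule.action == "PERMIT"


def review(new: Rule, existing: list) -> list:
    """Human-readable findings for a candidate rule; an empty list means nothing to flag."""
    findings = []
    if exposes_lan(new):
        findings.append(f"{new.name}: lets Internet hosts reach LAN services on "
                        f"{new.protocol} {new.port_lo}-{new.port_hi}; confirm those hosts should be reachable")
    for r in conflicts(new, existing):
        findings.append(f"{new.name}: overlaps {r.name} with the opposite action "
                        f"({r.action} {r.protocol} {r.port_lo}-{r.port_hi}); rule order decides the outcome")
    return findings


# Constructed sample rule set.
EXISTING = [
    Rule("lan-out-any", "LAN_TO_WAN", "ANY", 1, 65535, "PERMIT"),
    Rule("wan-in-drop-telnet", "WAN_TO_LAN", "TCP", 23, 23, "DROP"),
    Rule("wan-in-drop-ftp-control", "WAN_TO_LAN", "TCP", 21, 21, "DROP"),
]
# The FTP case from question 3: TCP 20-21 allowed from the Internet to the LAN.
FTP_FROM_INTERNET = Rule("wan-in-ftp", "WAN_TO_LAN", "TCP", 20, 21, "PERMIT")

if __name__ == "__main__":
    for finding in review(FTP_FROM_INTERNET, EXISTING):
        print(finding)
```

Running the script reports both issues for the FTP rule: it exposes LAN FTP servers, and it overlaps the existing drop on TCP 21, so whichever of the two the device evaluates first determines whether port 21 is open.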
7.5.4 Triangle Route
When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and the
Internet. In an ideal network topology, all incoming and outgoing network traffic passes through
the ZyXEL Device to protect your LAN against attacks.
Figure 61 Ideal Firewall Setup
7.5.4.1 The “Triangle Route” Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices. You
may have more than one connection to the Internet (through one or more ISPs). If an alternate
gateway is on the LAN (and its IP address is in the same subnet as the ZyXEL Device’s LAN IP
address), the “triangle route” (also called asymmetrical route) problem may occur. The steps below
describe the “triangle route” problem.
1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
2 The ZyXEL Device reroutes the SYN packet through Gateway A on the LAN to the WAN.
3 The reply from the WAN goes directly to the computer on the LAN without going through the ZyXEL Device.
As a result, the ZyXEL Device resets the connection, as the connection has not been acknowledged.
Figure 62 “Triangle Route” Problem
7.5.4.2 Solving the “Triangle Route” Problem
If you have the ZyXEL Device allow triangle route sessions, traffic from the WAN can go directly to
a LAN computer without passing through the ZyXEL Device and its firewall protection.
Another solution is to use IP alias. IP alias allows you to partition your network into logical sections
over the same Ethernet interface. Your ZyXEL Device supports up to three logical LAN interfaces
with the ZyXEL Device being the gateway for each logical network.
It’s like having multiple LAN networks that actually use the same physical cables and ports. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the ZyXEL Device to your LAN. The following steps describe such a scenario.
1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2 The ZyXEL Device reroutes the packet to Gateway A, which is in Subnet 2.
3 The reply from the WAN goes to the ZyXEL Device.
4 The ZyXEL Device then sends it to the computer on the LAN in Subnet 1.
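The two walk-throughs above (the triangle route of 7.5.4.1 and the IP alias fix of 7.5.4.2) come down to one routing fact: Gateway A delivers a packet for a directly connected subnet straight onto the wire, and only hands it to the ZyXEL Device when the destination is in a subnet it does not sit on. The following added example, which is not part of this guide and not ZyXEL firmware, models that with a hop-by-hop forwarder and a minimal stateful firewall that records a LAN-originated SYN and marks the session established only if it also forwards the SYN-ACK. All addresses are constructed; NAT is left out, the WAN server is placed directly on Gateway A's ISP 2 link, and the ZyXEL Device's own ISP 1 link is omitted because in the text this destination is routed via Gateway A.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst flags")


class Node:
    """A host or router: the addresses on its interfaces plus one default route (simplified)."""

    def __init__(self, name, interfaces, default_gw=None):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.default_gw = ipaddress.ip_address(default_gw) if default_gw else None

    def owns(self, addr):
        return any(addr == i.ip for i in self.interfaces)

    def next_hop(self, dst):
        # A directly connected subnet beats the default route: deliver on the wire, no router involved.
        for i in self.interfaces:
            if dst in i.network:
                return dst
        return self.default_gw


class StatefulFirewall:
    """Tracks TCP handshakes the ZyXEL Device forwards; a SYN never answered through it stays SYN_SENT."""

    def __init__(self):
        self.sessions = {}

    def inspect(self, pkt):
        if pkt.flags == "SYN":
            self.sessions[(pkt.src, pkt.dst)] = "SYN_SENT"
        elif pkt.flags == "SYN-ACK" and self.sessions.get((pkt.dst, pkt.src)) == "SYN_SENT":
            self.sessions[(pkt.dst, pkt.src)] = "ESTABLISHED"

    def unacknowledged(self):
        # These are the sessions the device resets, as described for Figure 62.
        return [k for k, v in self.sessions.items() if v == "SYN_SENT"]


def send(nodes, firewall, device, start, pkt):
    """Forward pkt hop by hop and return the names of the nodes it passed through."""
    path, node = [start.name], start
    while not node.owns(pkt.dst):
        if node is device:
            firewall.inspect(pkt)
        nh = node.next_hop(pkt.dst)
        if nh is None:
            raise RuntimeError(f"{node.name} has no route to {pkt.dst}")
        node = next(n for n in nodes if n.owns(nh))
        path.append(node.name)
    return path


def simulate(ip_alias):
    """Constructed topology: ip_alias=False is the Figure 62 case, ip_alias=True the Figure 63 case."""
    gw_a_lan = "192.168.2.254/24" if ip_alias else "192.168.1.254/24"
    device_ifs = ["192.168.1.1/24"] + (["192.168.2.1/24"] if ip_alias else [])  # second logical LAN = IP alias
    host = Node("LAN host", ["192.168.1.33/24"], default_gw="192.168.1.1")
    device = Node("ZyXEL Device", device_ifs, default_gw=gw_a_lan.split("/")[0])
    # Once Gateway A lives in Subnet 2 it can reach Subnet 1 only through the device.
    gw_a = Node("Gateway A", [gw_a_lan, "198.51.100.2/30"],
                default_gw="192.168.2.1" if ip_alias else None)
    server = Node("WAN server", ["198.51.100.1/30"], default_gw="198.51.100.2")
    nodes = [host, device, gw_a, server]
    fw = StatefulFirewall()
    h, s = ipaddress.ip_address("192.168.1.33"), ipaddress.ip_address("198.51.100.1")
    syn_path = send(nodes, fw, device, host, Packet(h, s, "SYN"))
    reply_path = send(nodes, fw, device, server, Packet(s, h, "SYN-ACK"))
    return syn_path, reply_path, fw.unacknowledged()


if __name__ == "__main__":
    for alias in (False, True):
        syn, reply, reset = simulate(alias)
        print("IP alias" if alias else "Same subnet", "| SYN:", " -> ".join(syn),
              "| reply:", " -> ".join(reply), "| reset by device:", reset)
```

Without IP alias the reply path is server -> Gateway A -> LAN host and the device, having seen only the SYN, is left with an unacknowledged session to reset. With the LAN and Gateway A in different subnets the reply path becomes server -> Gateway A -> ZyXEL Device -> LAN host and the session is established, which is exactly the difference between Figure 62 and Figure 63.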
Figure 63 IP Alias (diagram labels: LAN, Gateway A, ISP 1, ISP 2, WAN, Subnet 1, Subnet 2; steps 1 to 4)
Chapter 8 Packet Filters
8.1 Overview
Your ZyXEL Device uses filters to decide whether to allow passage of traffic. This chapter discusses
how to create and apply filters.
8.1.1 What You Can Do in the Packet Filter Screen
Use the Packet Filter screens to display the filter sets and configure the rules for protocol and generic filters.
8.1.2 What You Need to Know About the Packet Filter
Filters
Your ZyXEL Device uses filters to decide whether to allow passage of a data packet. Filters are
subdivided into generic and protocol filters. Generic filter rules act on the raw data from/to LAN and
WAN. Protocol filter rules act on IP packets.
Filter Structure
A filter set consists of one or more filter rules. The ZyXEL Device allows you to configure up to
twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You cannot
mix generic filter rules and protocol filter rules within the same set. You can apply up to four filter
sets to a particular port to block multiple types of packets. With each filter set having up to six
rules, you can have a maximum of 24 rules active for a single port.
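The structure just described (generic rules on raw bytes, protocol rules on IP header fields, no mixing inside a set, 12 sets of 6 rules, at most 4 sets per port) is easier to reason about as code. The following is an added example, not part of this guide and not ZyXEL firmware: it enforces those limits when sets are built and bound, evaluates a constructed IPv4 packet against the sets bound to a port, and shows that a generic rule on the protocol byte at offset 9 expresses the same check as a protocol rule. The rule fields, the first-match evaluation order and the default FORWARD action are assumptions, since the guide does not state them.

```python
import struct
from typing import Optional

# Limits stated in the guide: 12 sets x 6 rules, and at most 4 sets applied to one port.
MAX_SETS, MAX_RULES_PER_SET, MAX_SETS_PER_PORT = 12, 6, 4


class GenericRule:
    """Generic filter: acts on raw bytes, (raw[offset:] & mask) == value. Field layout is assumed."""

    def __init__(self, offset: int, mask: bytes, value: bytes, action: str):
        self.offset, self.mask, self.value, self.action = offset, mask, value, action

    def matches(self, raw: bytes) -> bool:
        chunk = raw[self.offset:self.offset + len(self.value)]
        return len(chunk) == len(self.value) and bytes(b & m for b, m in zip(chunk, self.mask)) == self.value


class ProtocolRule:
    """Protocol filter: acts on IPv4 protocol number and TCP/UDP destination port (None = any port)."""

    def __init__(self, protocol: int, dst_port: Optional[int], action: str):
        self.protocol, self.dst_port, self.action = protocol, dst_port, action

    def matches(self, raw: bytes) -> bool:
        if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != self.protocol:
            return False
        if self.dst_port is None:
            return True
        ihl = (raw[0] & 0x0F) * 4  # IPv4 header length in bytes; L4 header follows it
        return len(raw) >= ihl + 4 and struct.unpack("!H", raw[ihl + 2:ihl + 4])[0] == self.dst_port


class FilterSet:
    def __init__(self, name: str):
        self.name, self.rules = name, []

    def add(self, rule) -> None:
        if len(self.rules) >= MAX_RULES_PER_SET:
            raise ValueError(f"{self.name}: a set holds at most {MAX_RULES_PER_SET} rules")
        if self.rules and type(rule) is not type(self.rules[0]):
            raise ValueError(f"{self.name}: generic and protocol rules cannot share a set")
        self.rules.append(rule)


class PacketFilter:
    def __init__(self):
        self.sets, self.bindings = {}, {}

    def add_set(self, fs: FilterSet) -> None:
        if len(self.sets) >= MAX_SETS:
            raise ValueError(f"at most {MAX_SETS} filter sets in the system")
        self.sets[fs.name] = fs

    def apply_to_port(self, port: str, set_name: str) -> None:
        bound = self.bindings.setdefault(port, [])
        if len(bound) >= MAX_SETS_PER_PORT:
            raise ValueError(f"{port}: at most {MAX_SETS_PER_PORT} sets per port")
        bound.append(self.sets[set_name])

    def decide(self, port: str, raw: bytes) -> str:
        # Assumed order: sets in binding order, rules in set order, first match wins, default FORWARD.
        for fs in self.bindings.get(port, []):
            for rule in fs.rules:
                if rule.matches(raw):
                    return rule.action
        return "FORWARD"


def build_ipv4(protocol: int, dst_port: int) -> bytes:
    """Constructed sample packet: minimal IPv4 header plus a TCP (6) or UDP (17) header, checksums zero."""
    l4 = (struct.pack("!HHHH", 40000, dst_port, 8, 0) if protocol == 17
          else struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, protocol, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 168, 1, 33]))
    return ip + l4


def demo() -> dict:
    """Bind one protocol set and one generic set to the WAN port and classify a few packets."""
    pf = PacketFilter()
    proto = FilterSet("wan-drop-telnet-ftp")
    proto.add(ProtocolRule(6, 23, "DROP"))
    proto.add(ProtocolRule(6, 21, "DROP"))
    generic = FilterSet("wan-drop-all-udp")  # same check as ProtocolRule(17, None), on the raw protocol byte
    generic.add(GenericRule(9, b"\xff", b"\x11", "DROP"))
    pf.add_set(proto)
    pf.add_set(generic)
    pf.apply_to_port("WAN", "wan-drop-telnet-ftp")
    pf.apply_to_port("WAN", "wan-drop-all-udp")
    return {"telnet": pf.decide("WAN", build_ipv4(6, 23)),
            "http": pf.decide("WAN", build_ipv4(6, 80)),
            "dns-udp": pf.decide("WAN", build_ipv4(17, 53)),
            "lan-http": pf.decide("LAN", build_ipv4(6, 80))}


if __name__ == "__main__":
    print(demo())
```

The LAN result shows the point of per-port binding: a set only affects traffic on the ports it is applied to, so the same packet that is dropped on the WAN is forwarded on the LAN, which has no sets bound.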
8.2 The Packet Filter Screen
Use this screen to set up packet filters on your ZyXEL Device. Click Security > Packet Filter to
display the following screen.
