Chapter 6 Configuration Basics
ZyWALL USG 50 User’s Guide, page 91
6.3 Terminology in the ZyWALL

This section highlights some terminology or organization for ZLD-based ZyWALLs.

Table 15 ZLD ZyWALL Terminology

FEATURE / TERM                               ZLD ZYWALL FEATURE / TERM
IP alias                                     Virtual interface
Gateway policy                               VPN gateway
Network policy (IPSec SA)                    VPN connection
Source NAT (SNAT)                            Policy route
Trigger port, port triggering                Policy route
Address mapping                              Policy route
Address mapping (VPN)                        IPSec VPN
Interface bandwidth management (outbound)    Interface
OSI level-7 bandwidth management             Application patrol
General bandwidth management                 Policy route

6.4 Packet Flow

Here is the order in which the ZyWALL applies its features and checks.

Traffic in > Defragmentation > ALG > Destination NAT > Routing > Stateful Firewall > ADP > Application Classification > IDP > Anti-virus > Application Patrol > Content Filter > Anti-Spam > SNAT > Bandwidth Management > Traffic Out.
Packet Flow

The packet flow is as follows:

• Automatic SNAT and WAN trunk routing for traffic going from internal to external interfaces (you don’t need to configure anything to allow LAN to WAN traffic).
• The ZyWALL automatically adds all of the external interfaces to the default WAN trunk. External interfaces include ppp and cellular interfaces as well as any Ethernet interfaces that are set as external interfaces.
• Examples of internal interfaces are any Ethernet interfaces that you configure as internal interfaces.
• A policy route can be automatically disabled if the next-hop is dead.
• You do not need to set up policy routes for IPSec traffic.
• Policy routes can override direct routes.
• You do not need to set up policy routes for 1:1 NAT entries.
• You can create Many 1:1 NAT entries to translate a range of private network addresses to a range of public IP addresses.
• Static and dynamic routes have their own category.
6.4.1 Routing Table Checking Flow

When the ZyWALL receives packets it defragments them and applies destination NAT. Then it examines the packets and determines how to route them. The checking flow is from top to bottom. As soon as the packets match an entry in one
of the sections, the ZyWALL stops checking the packets against the routing table
and moves on to the other checks, for example the firewall check.
Figure 53 Routing Table Checking Flow

1 Direct-connected Subnets: The ZyWALL first checks to see if the packets are destined for an address in the same subnet as one of the ZyWALL’s interfaces. You can override this and have the ZyWALL check the policy routes first by enabling the policy route feature’s Use Policy Route to Override Direct Route option (see Section 13.1 on page 281).

2 Policy Routes: These are the user-configured policy routes. Configure policy routes to send packets through the appropriate interface or VPN tunnel. See Chapter 13 on page 281 for more on policy routes.

3 1 to 1 and Many 1 to 1 NAT: These are the 1 to 1 NAT and many 1 to 1 NAT rules. If a private network server will initiate sessions to the outside clients, create a 1 to 1 NAT entry to have the ZyWALL translate the source IP address of the server’s outgoing traffic to the same public IP address that the outside clients use to access the server. A many 1 to 1 NAT entry works like multiple 1 to 1 NAT rules. It maps a range of private network servers that will initiate sessions to the outside clients to a range of public IP addresses. See Section 17.2.1 on page 324 for more.
4 Auto VPN Policy: The ZyWALL automatically creates these routing entries for the VPN rules. Disabling the IPSec VPN feature’s Use Policy Route to control dynamic IPSec rules option moves the routes for dynamic IPSec rules up above the policy routes (see Section 23.2 on page 378).

5 Static and Dynamic Routes: This section contains the user-configured static routes and the dynamic routing information learned from other routers through RIP and OSPF. See Chapter 13 on page 281 for more information.

6 Default WAN Trunk: For any traffic coming in through an internal interface, if it does not match any of the other routing entries, the ZyWALL forwards it through the default WAN trunk. See Section 12.2 on page 276 for how to select which trunk the ZyWALL uses as the default.

7 Main Routing Table: The default WAN trunk is expected to be used for any traffic that did not match any earlier routing entries.
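The seven sections above form a first-match search whose order changes with two options. The following Python simulation is an added example, not code from ZyXEL or from this guide: it walks the sections in the order of Figure 53, treats the Use Policy Route to Override Direct Route and Use Policy Route to control dynamic IPSec rules options as reorderings, skips a policy route whose next hop is dead, and includes the private-to-public range mapping behind a Many 1 to 1 NAT entry from item 3. All class names, interface names, addresses and option parameter names are constructed for illustration; the main routing table lookup in the last section is a placeholder, and the NAT section matches on source address only, which is a simplification of the real rules.

```python
# Added example (not ZyXEL code): first-match simulation of the routing table
# checking flow in Section 6.4.1. Names and addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network


@dataclass
class Interface:
    name: str
    subnet: IPv4Network
    external: bool = False  # external interfaces join the default WAN trunk


@dataclass
class PolicyRoute:
    dst: IPv4Network
    next_hop: str
    next_hop_alive: bool = True  # a dead next-hop automatically disables the route


@dataclass
class Many1to1NAT:
    """One entry maps a private range onto a public range of the same size."""
    private_start: IPv4Address
    public_start: IPv4Address
    count: int
    out_iface: str

    def public_for(self, private: IPv4Address) -> Optional[IPv4Address]:
        offset = int(private) - int(self.private_start)
        return self.public_start + offset if 0 <= offset < self.count else None


@dataclass
class VpnPolicy:
    remote: IPv4Network
    tunnel: str
    dynamic: bool = False  # dynamic IPSec rules can be moved above policy routes


@dataclass
class StaticRoute:
    dst: IPv4Network
    next_hop: str


class RoutingFlow:
    def __init__(self, interfaces, policy_routes=(), nat_entries=(), vpn_policies=(),
                 static_routes=(), override_direct=False,
                 policy_routes_control_dynamic_vpn=True):
        self.interfaces = list(interfaces)
        self.policy_routes = list(policy_routes)
        self.nat_entries = list(nat_entries)
        self.vpn_policies = list(vpn_policies)
        self.static_routes = list(static_routes)
        self.override_direct = override_direct
        self.policy_routes_control_dynamic_vpn = policy_routes_control_dynamic_vpn
        # every external interface is automatically a member of the default WAN trunk
        self.wan_trunk = [i.name for i in self.interfaces if i.external]

    def _direct(self, dst):
        return next((("direct", i.name) for i in self.interfaces if dst in i.subnet), None)

    def _policy(self, dst):
        return next((("policy", r.next_hop) for r in self.policy_routes
                     if r.next_hop_alive and dst in r.dst), None)

    def _nat(self, src):
        for n in self.nat_entries:
            public = n.public_for(src)
            if public is not None:
                return ("nat", f"{n.out_iface} snat {public}")
        return None

    def _vpn(self, dst, label="vpn", dynamic_only=False):
        return next(((label, v.tunnel) for v in self.vpn_policies
                     if dst in v.remote and (v.dynamic or not dynamic_only)), None)

    def _static(self, dst):
        return next((("static", r.next_hop) for r in self.static_routes if dst in r.dst), None)

    def _wan_trunk(self, in_iface):
        iface = next((i for i in self.interfaces if i.name == in_iface), None)
        if iface is not None and not iface.external and self.wan_trunk:
            return ("wan-trunk", ",".join(self.wan_trunk))
        return None

    def route(self, src, dst, in_iface):
        """Return (section that matched, forwarding decision) for one packet."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        direct = ("direct", lambda: self._direct(dst))
        policy = ("policy", lambda: self._policy(dst))
        order = [policy, direct] if self.override_direct else [direct, policy]
        if not self.policy_routes_control_dynamic_vpn:
            # routes for dynamic IPSec rules move up above the policy routes
            order.insert(order.index(policy),
                         ("dynamic-vpn", lambda: self._vpn(dst, "dynamic-vpn", True)))
        order += [("nat", lambda: self._nat(src)),
                  ("vpn", lambda: self._vpn(dst)),
                  ("static", lambda: self._static(dst)),
                  ("wan-trunk", lambda: self._wan_trunk(in_iface)),
                  ("main", lambda: ("main", "main routing table lookup"))]  # placeholder
        for _name, lookup in order:
            hit = lookup()
            if hit is not None:
                return hit  # first match wins; later sections are never consulted


def build_sample(**options):
    """Constructed topology: lan1 internal, wan1 external, a few entries of each kind."""
    return RoutingFlow(
        interfaces=[Interface("lan1", IPv4Network("192.168.1.0/24")),
                    Interface("wan1", IPv4Network("203.0.113.0/24"), external=True)],
        policy_routes=[PolicyRoute(IPv4Network("192.0.2.0/24"), "wan2"),
                       PolicyRoute(IPv4Network("198.51.100.0/24"), "wan3", next_hop_alive=False),
                       PolicyRoute(IPv4Network("192.168.1.0/24"), "wan2"),
                       PolicyRoute(IPv4Network("172.16.0.0/16"), "wan2")],  # only to show ordering
        nat_entries=[Many1to1NAT(IPv4Address("192.168.1.10"), IPv4Address("203.0.113.10"), 3, "wan1")],
        vpn_policies=[VpnPolicy(IPv4Network("172.16.0.0/16"), "hq-tunnel", dynamic=True)],
        static_routes=[StaticRoute(IPv4Network("10.10.0.0/16"), "203.0.113.254")],
        **options)


if __name__ == "__main__":
    for flow, src, dst in [(build_sample(), "192.168.1.50", "192.168.1.1"),
                           (build_sample(override_direct=True), "192.168.1.50", "192.168.1.1"),
                           (build_sample(), "192.168.1.11", "8.8.8.8"),
                           (build_sample(policy_routes_control_dynamic_vpn=False), "192.168.1.50", "172.16.5.5")]:
        print(src, "->", dst, flow.route(src, dst, "lan1"))
```

Running the block shows the effect of each option: the same LAN-to-LAN packet is handled by the direct-connected subnet unless the override option is on, a packet from a host inside a Many 1 to 1 range is source-translated before the VPN and static sections are consulted, and a packet whose only policy route has a dead next hop falls through to the default WAN trunk.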
6.4.2 NAT Table Checking Flow

The checking flow is from top to bottom. As soon as the packets match an entry in one of the sections, the ZyWALL stops checking the packets against the NAT table and moves on to bandwidth management.

Figure 54 NAT Table Checking Flow

1 SNAT defined in the policy routes.
2 1 to 1 SNAT (including Many 1 to 1) is also included in the NAT table.
3 NAT loopback is now included in the NAT table instead of requiring a separate policy route.
4 SNAT is also now performed by default and included in the NAT table.
6.5 Feature Configuration Overview

This section provides information about configuring the main features in the ZyWALL. The features are listed in the same sequence as the menu item(s) in the Web Configurator. Each feature description is organized as shown below.
6.5.1 Feature

This provides a brief description. See the appropriate chapter(s) in this User’s Guide for more information about any feature.

Example: This provides a simple example to show you how to configure this feature. The example is usually based on the network topology in Figure 14 on page 90.

Note: PREREQUISITES or WHERE USED does not appear if there are no prerequisites or references in other features to this one. For example, no other features reference DDNS entries, so there is no WHERE USED entry.

MENU ITEM(S)
This shows you the sequence of menu items and tabs you should click to find the main screen(s) for this feature. See the web help or the related User’s Guide chapter for information about each screen.

PREREQUISITES
These are other features you should configure before you configure the main screen(s) for this feature.
If you did not configure one of the prerequisites first, you can often select an option to create a new object. After you create the object you return to the main screen to finish configuring the feature.
You may not have to configure everything in the list of prerequisites. For example, you do not have to create a schedule for a policy route unless time is one of the criteria.

WHERE USED
There are two uses for this.
• These are other features you should usually configure or check right after you configure the main screen(s) for this feature. For example, you should usually create a policy route for a VPN tunnel.
• You have to delete the references to this feature before you can delete any settings. For example, you have to delete (or modify) all the policy routes that refer to a VPN tunnel before you can delete the VPN tunnel.
