
ZyXEL Communications P-202 User Manual


P-202H Plus v2 Support Notes

The above figure shows the "triangle route" topology. It works fine if you turn
off the firewall function on the P-202H Plus v2. However, if you turn on the
firewall, your connection will be blocked by the firewall for the following reason.

Step 1. Being the default gateway of the PC, the P-202H Plus v2 receives all
"outgoing" traffic from the PC.

Step 2. Because of Static Route/Policy Routing, the P-202H Plus v2 forwards
the traffic to another gateway (ISDN/Router) which is in the same segment
as the P-202H Plus v2's LAN.

Step 3. However, the return traffic won't go back to the P-202H Plus v2.
Instead, the "another gateway (ISDN/Router)" sends the traffic back to the PC
directly, because the gateway (say, P201) and the PC are in the same segment.

When the firewall is turned on, the P-202H Plus v2 checks the outgoing traffic
against its ACL and creates dynamic sessions to allow the return traffic to come
back. Because the return traffic bypasses it, the P-202H Plus v2 never receives
the TCP SYN/ACK packet, so, to achieve Anti-DoS, it sends RST packets to the PC
and the peer. Thus the connection will always be reset by the P-202H Plus v2.

Solutions.

(A) Deploying your second gateway in an IP alias segment is a better solution.
This way, your connection is always under the control of the firewall, and thus
there won't be a Triangle Route problem.
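
The handshake from Steps 1 to 3, run once over the triangle route and once with the return path through the firewall as in solution (A), as a toy model added here (it is not ZyXEL code or firmware behaviour taken from this manual). The `Firewall` class, the addresses and the 30-second half-open timeout are assumptions made for the illustration.

```python
"""Toy model of a stateful firewall watching a TCP handshake (constructed example)."""
from dataclasses import dataclass, field

HALF_OPEN_TIMEOUT = 30  # seconds; assumed value, not taken from the manual


@dataclass
class Firewall:
    sessions: dict = field(default_factory=dict)  # (client, server) -> [state, syn_time]
    resets: list = field(default_factory=list)    # flows the firewall has reset

    def see(self, t, src, dst, flags):
        """Process one TCP segment that actually traverses the firewall."""
        if flags == "SYN":
            # Outgoing SYN passes the ACL: create a dynamic, half-open session.
            self.sessions[(src, dst)] = ["HALF_OPEN", t]
        elif flags == "SYN/ACK" and (dst, src) in self.sessions:
            self.sessions[(dst, src)][0] = "ESTABLISHED"
        # A bare ACK does not change state in this simplified model.

    def expire(self, now):
        """Anti-DoS sweep: reset sessions whose SYN/ACK was never seen."""
        for key, (state, t0) in list(self.sessions.items()):
            if state == "HALF_OPEN" and now - t0 >= HALF_OPEN_TIMEOUT:
                self.resets.append(key)  # RST goes to both the PC and the peer
                del self.sessions[key]


def handshake(return_via_firewall):
    """Run SYN, SYN/ACK, ACK; return (final session state or None, reset flows)."""
    fw = Firewall()
    pc, peer = "192.0.2.10", "198.51.100.7"  # constructed documentation addresses
    fw.see(0, pc, peer, "SYN")  # Step 1: the firewall is the PC's default gateway
    # Step 2: the firewall forwards to the second gateway. Step 3: the reply path.
    if return_via_firewall:
        fw.see(1, peer, pc, "SYN/ACK")  # second gateway sits in the IP alias segment
    # Otherwise the second gateway hands the SYN/ACK to the PC on the shared LAN,
    # so the firewall never sees it.
    fw.see(2, pc, peer, "ACK")
    fw.expire(now=HALF_OPEN_TIMEOUT)
    return fw.sessions.get((pc, peer), [None])[0], fw.resets


if __name__ == "__main__":
    print("triangle route:", handshake(return_via_firewall=False))
    print("IP alias route:", handshake(return_via_firewall=True))
```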

All contents copyright © 2006 ZyXEL Communications Corporation.
