ZyXEL Communications AMG1302-T11C User Manual page 179

Figure 91 Ideal Firewall Setup
15.6.4.1 The "Triangle Route" Problem
A traffic route is a path for sending or receiving data packets between two Ethernet devices. You
may have more than one connection to the Internet (through one or more ISPs). If an alternate
gateway is on the LAN (and its IP address is in the same subnet as the AMG1302-T11C's LAN IP
address), the "triangle route" (also called asymmetrical route) problem may occur. The steps below
describe the "triangle route" problem.
A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on
1
the WAN.
The AMG1302-T11C reroutes the SYN packet through Gateway A on the LAN to the WAN.
2
The reply from the WAN goes directly to the computer on the LAN without going through the
3
AMG1302-T11C.
As a result, the AMG1302-T11C resets the connection, as the connection has not been
acknowledged.
Figure 92 "Triangle Route" Problem
15.6.4.2 Solving the "Triangle Route" Problem
If you have the AMG1302-T11C allow triangle route sessions, traffic from the WAN can go directly
to a LAN computer without passing through the AMG1302-T11C and its firewall protection.
Another solution is to use IP alias. IP alias allows you to partition your network into logical sections
over the same Ethernet interface. Your AMG1302-T11C supports up to three logical LAN interfaces
with the AMG1302-T11C being the gateway for each logical network.
Chapter 15 Firewall
LAN
1
2
LAN
1
2
3
AMG1302-T11C User's Guide
WAN
WAN
A
179
ISP 1
ISP 2