ZyXEL Communications P-334WT Support Notes page 24

The above figure indicates the "triangle route" topology. It works fine if you turn off firewall
function on P-334WT box. By default, your connection will be blocked by firewall because of the
following reason.
Step 1. Being the default gateway of PC, P-334WT will receive all "outgoing" traffic from
PC.
Step 2. And because of Static route/Traffic Redirect/Policy Routing, P-334WT
forwards the traffic to another gateway (ISDN/Router) which is in the same segment as P-
334WT's LAN.
Step 3. However the return traffic won't go back to P-334WT, in stead, the "another
gateway (ISDN/Router)" will send back the traffic to PC directly. Because the gateway
(say, P201) and the PC are in the same segment.
By default, P-334WT will check the outgoing traffic by ACL and create dynamic sessions to
allow return traffic to go back. To achieve Anti-DoS, P-334WT will send RST packets to the
PC and the peer since it never receives the TCP SYN/ACK packet. Thus the connection will
always be reset by P-334WT.
Solutions.
(A) Deploying your second gateway in IP alias segment is a better solution. In this way, your
connection can be always under control of firewall. And thus there won't be Triangle Route problem.