ZyXEL Communications ZyWALL 5 Support Notes page 267

The above figure shows the "triangle route" topology. It works fine if you turn off the firewall function on
the ZyWALL. However, if you turn on the firewall, your connection will be blocked by the firewall for
the following reason.
Step 1. Being the default gateway of the PC, the ZyWALL receives all "outgoing" traffic from the PC.
Step 2. Because of Static Route/Traffic Redirect/Policy Routing, the ZyWALL forwards the traffic to
another gateway (ISDN/Router) which is in the same segment as the ZyWALL's LAN.
Step 3. However, the return traffic does not go back through the ZyWALL. Instead, the other gateway
(ISDN/Router) sends the traffic back to the PC directly, because the gateway (say, P201) and
the PC are in the same segment.
When the firewall is turned on, the ZyWALL checks the outgoing traffic against the ACL and creates dynamic
sessions to allow return traffic to come back. To achieve Anti-DoS, the ZyWALL sends RST packets to the PC
and the peer, since it never receives the TCP SYN/ACK packet. Thus the connection is always reset by
the ZyWALL.
[Solutions]
(A) Deploying your second gateway in an IP alias segment is a better solution. In this way, your connection
is always under the control of the firewall, and thus there is no Triangle Route problem.
(B) Deploying your second gateway on the WAN side.
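
In a capture taken on the ZyWALL's LAN side, a triangle route looks different from an ordinary unanswered SYN: the firewall sees the PC's SYN and the PC's final ACK, but never the SYN/ACK in between. The Python sketch below is an added example, not ZyXEL code; the packet records, addresses and the classify_flows name are constructed for illustration, and it assumes the PC keeps sending through the ZyWALL as in Step 1.

```python
# Constructed sample: TCP packets as seen by the firewall (not a real capture).
# Each record is (src_ip, dst_ip, src_port, dst_port, flags).
PACKETS = [
    # Flow 1: triangle route. SYN and final ACK pass the firewall, SYN/ACK does not.
    ("192.168.1.33", "203.0.113.5", 40001, 80, "S"),
    ("192.168.1.33", "203.0.113.5", 40001, 80, "A"),
    # Flow 2: symmetric path. The firewall sees the whole handshake.
    ("192.168.1.34", "203.0.113.6", 40002, 443, "S"),
    ("203.0.113.6", "192.168.1.34", 443, 40002, "SA"),
    ("192.168.1.34", "203.0.113.6", 40002, 443, "A"),
    # Flow 3: the peer never answered at all.
    ("192.168.1.35", "203.0.113.7", 40003, 22, "S"),
]

def classify_flows(packets):
    """Label each TCP flow by which handshake steps the firewall observed."""
    flows = {}  # initiator 4-tuple -> set of observed handshake steps
    for src, dst, sport, dport, flags in packets:
        fwd = (src, dst, sport, dport)
        rev = (dst, src, dport, sport)
        if flags == "S":
            flows.setdefault(fwd, set()).add("syn")
        elif flags == "A" and fwd in flows:
            flows[fwd].add("client_ack")
        elif flags == "SA" and rev in flows:
            flows[rev].add("synack")

    labels = {}
    for key, seen in flows.items():
        if "synack" in seen:
            labels[key] = "handshake-seen"          # return path crosses the firewall
        elif "client_ack" in seen:
            labels[key] = "triangle-route-suspect"  # handshake completed off-path
        else:
            labels[key] = "unanswered-syn"          # no reply reached the PC either
    return labels

if __name__ == "__main__":
    for flow, label in classify_flows(PACKETS).items():
        print(flow, label)
```

Flows labelled triangle-route-suspect are the ones the firewall will reset; they point at a second gateway sitting in the same LAN segment as the PC.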
All contents copyright (c) 2006 ZyXEL Communications Corporation.