ZyXEL Communications AMG1302 User Manual

 Chapter 15 Firewall

AMG1302/AMG1202-TSeries User’s Guide

A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on 
the WAN.

The AMG1302/AMG1202-TSeries reroutes the SYN packet through Gateway A on the LAN to the 
WAN. 

The reply from the WAN goes directly to the computer on the LAN without going through the 
AMG1302/AMG1202-TSeries. 

As a result, the AMG1302/AMG1202-TSeries resets the connection, as the connection has not been 
acknowledged.

“Triangle Route” Problem

If you have the AMG1302/AMG1202-TSeries allow triangle route sessions, traffic from the WAN can 
go directly to a LAN computer without passing through the AMG1302/AMG1202-TSeries and its 
firewall protection. 

Another solution is to use IP alias. IP alias allows you to partition your network into logical sections 
over the same Ethernet interface. Your AMG1302/AMG1202-TSeries supports up to three logical 
LAN interfaces with the AMG1302/AMG1202-TSeries being the gateway for each logical network. 

It’s like having multiple LAN networks that actually use the same physical cables and ports. By 
putting your LAN and Gateway A in different subnets, all returning network traffic must pass 
through the AMG1302/AMG1202-TSeries to your LAN. The following steps describe such a scenario.

A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the 
WAN. 

The AMG1302/AMG1202-TSeries reroutes the packet to Gateway A, which is in Subnet 2. 

The reply from the WAN goes to the AMG1302/AMG1202-TSeries. 

The AMG1302/AMG1202-TSeries then sends it to the computer on the LAN in Subnet 1.

1

2

3

A

ISP 1

ISP 2