ZyXEL Prestige 312 Broadband Access Security Gateway

Page 2 
 Author: Tim Higgins
 Review Date: 10/4/2000



Of Filters and Firewalls


NOTE: Opening holes in your firewall can compromise your LAN's security if done incorrectly.

With the basics out of the way, let's take a look at the real reason that you'd buy the 312... its Firewall.  But we also run into the first obstacle:

You can only configure the Firewall features via the PNC Firewall Setup application.

This means that you'll need a computer running Windows 95, 98, or NT4 to do anything besides enable and disable the Firewall (which you can do through the SMT (Telnet) interface).

Assuming you have the proper computer available, you use the PNC Firewall app to:

  • Enable / Disable the firewall

  • Set up emailing of firewall alerts

  • Set timing thresholds for Alert features

  • Configure policies

  • View Firewall logs

The screenshots below show some of the Firewall setup features.

[Screenshots: P312 Firewall Email Alert window; P312 Policy Rule summary window]

I tested the firewall by port scanning it and by trying to connect with applications that I had set policies to block.  The 312 properly blocked the traffic and sent an email alert, with my LAN clients none the worse for the attack.  I also tried a ping flood with similar results.  Looks like it works!

There are some nice Firewall features that I didn't try, such as the ability to set timeouts on various TCP, UDP and ICMP connection types, and the ability to define custom services (for use in Policy rules) that include port ranges.   On the downside, however, you can't define custom services using the ICMP protocol, and the logging could be better (more on that later).

The main thing that I found confusing about this part of the 312's capabilities is the relationship (overlap?) between the Filter and Firewall capabilities.  Although page 12-7 of the User Guide gives a good explanation of when to use the Filter and Firewall features, I found it easy to be confused.  When I compare ZyXEL's approach to that used by SonicWall, I definitely prefer SonicWall's approach, in which Filtering applies more to content vs. packets/ports.  I also found it a pain to have to keep switching between the SMT (Telnet), Advanced Setup PNC, and Firewall PNC, to configure the 312, and especially to debug my setup problems.  (This is due to the limitation of only one admin login at a time.)   For example, it took me some hunting between the Advanced and Firewall PNCs to track down the way to shut off a Policy that was logging all LAN to WAN traffic and causing constant email Alerts to be sent.

Filter configuration is possible without using the PNC application, but you'll probably prefer using the PNC.  The PNC screens and the browser based help pages that can be brought up via a Help button on each screen should help many users successfully set up this important part of the router's capabilities.  

[Screenshots: P312 Filter Setup window; P312 Filter Rule Configuration window; P312 Ethernet Filter window]


Multi-flavored NAT


What sets the 312 apart from any other routers that I've tested so far is its five different NAT modes (Multi-NAT). (Check this ZyXEL FAQ for more details.)

These new NAT modes will be useful primarily to people who have multiple IP addresses from their ISP.  With Multi-NAT, for example, you can have more than one of the same type server (HTTP for example) running on the same port number, but on different IP addresses (or domains).  This is like having multiple "DMZ" capability, but you still get the firewall protection for the servers.  Great stuff, huh? 

The old "SUA" (Single User Account) NAT mode (the only mode on the 310 and 314 routers) is still supported, and it fortunately is the default setup for the router.  So you can have the 312's NAT router allow servers on your LAN to be accessed from the Internet, but you are limited to 12 port-number-to-LAN IP mappings.  You can't specify TCP or UDP protocol, and you can't map port ranges, either.  One of the twelve mappings is dedicated to the Default Server mapping.  This is similar to the DMZ Host, or Exposed Computer feature on other routers.  Any inbound service request that doesn't have a defined IP address to handle it will be sent to the Default Server.  Another mapping is dedicated to Port 1026 "RR Reserved", so this leaves ten single port mappings for users to set.

But remember that you also have the 312's Firewall to deal with before you can get to a mapped server.  And then there's the Filters to configure or maybe disable... ooooh I think my brain is moving into overload!  But not before I deliver a little bad news:

  • Multi-NAT features are useful only if you have multiple WAN IP addresses.  For example, you can't have multiple "default servers", i.e. "DMZ" computers, if you have only one WAN IP.

  • There is no PNC support for the multi-NAT features (or even the basic "SUA" mode).  You have to use the SMT interface, User Guide and Application Notes to set up these features.

And before you ask, the 312 has only one physical WAN port, so it can't be connected to multiple WAN feeds, i.e. both a cable modem and a DSL connection.  Your multiple WAN IP addresses must come from the same ISP.
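To make the difference between the SUA mode and Multi-NAT concrete, here is a small Python model added for this page (it is not ZyXEL code and does not reproduce the P312 firmware). SUA keys its server table on the destination port alone, so a second HTTP server cannot share port 80 and every unmapped port falls through to the Default Server; the Multi-NAT model keys on (WAN IP, port) instead. The twelve-entry table, the Default Server slot and the reserved port 1026 are taken from the review; the class names, the `unmapped_but_forwarded` helper and all IP addresses are constructed, and the five individual Multi-NAT modes and the firewall stage in front of the NAT are left out.

```python
"""Toy model of the two NAT behaviours the review describes.

Added illustration for this page; it is not ZyXEL code and does not reproduce
the P312 firmware. SUA mode keys its server table on destination port alone,
while the Multi-NAT model keys on (WAN IP, port). Table sizes and the reserved
port come from the review text; all IP addresses are constructed.
"""

SUA_TABLE_SIZE = 12        # review: twelve port-number-to-LAN-IP mappings
SUA_RESERVED_PORT = 1026   # review: one slot is dedicated to "RR Reserved" port 1026
DEFAULT_SERVER_SLOTS = 1   # review: one slot is the Default Server mapping


class SuaNat:
    """SUA (Single User Account): one WAN IP, mappings keyed by port only."""

    def __init__(self, default_server=None):
        self.default_server = default_server   # LAN IP that catches unmapped requests
        self.port_map = {}                     # dst port -> LAN IP, no TCP/UDP distinction

    def free_slots(self):
        # Twelve entries minus the Default Server slot and the reserved 1026 entry
        return SUA_TABLE_SIZE - DEFAULT_SERVER_SLOTS - 1 - len(self.port_map)

    def add_mapping(self, port, lan_ip):
        if port == SUA_RESERVED_PORT:
            raise ValueError(f"port {port} is reserved by the router")
        if port in self.port_map:
            # Keyed on port only: a second server on the same port is impossible
            raise ValueError(f"port {port} already maps to {self.port_map[port]}")
        if self.free_slots() <= 0:
            raise ValueError("SUA mode leaves only ten user-settable port mappings")
        self.port_map[port] = lan_ip

    def is_explicit(self, wan_ip, port):
        return port in self.port_map

    def route(self, wan_ip, proto, port):
        # wan_ip and proto are ignored: SUA decides on the port number alone.
        # Assumption: with no Default Server an unmapped request is dropped (None).
        return self.port_map.get(port, self.default_server)


class MultiNat:
    """Simplified Multi-NAT: mappings keyed by (WAN IP, port), one Default Server
    per WAN IP. Only the server-mapping idea is modelled, not the five modes."""

    def __init__(self):
        self.port_map = {}          # (wan_ip, port) -> LAN IP
        self.default_servers = {}   # wan_ip -> LAN IP

    def set_default_server(self, wan_ip, lan_ip):
        # One Default Server per public address, matching the review's note that
        # multiple "DMZ" hosts need multiple WAN IPs.
        self.default_servers[wan_ip] = lan_ip

    def add_mapping(self, wan_ip, port, lan_ip):
        key = (wan_ip, port)
        if key in self.port_map:
            raise ValueError(f"{wan_ip}:{port} already maps to {self.port_map[key]}")
        self.port_map[key] = lan_ip

    def is_explicit(self, wan_ip, port):
        return (wan_ip, port) in self.port_map

    def route(self, wan_ip, proto, port):
        return self.port_map.get((wan_ip, port), self.default_servers.get(wan_ip))


def unmapped_but_forwarded(nat, wan_ip, probe_ports):
    """Defender's view: ports with no deliberate mapping that still reach a LAN
    host, i.e. everything the Default Server would receive for probe_ports."""
    return sorted(p for p in probe_ports
                  if not nat.is_explicit(wan_ip, p)
                  and nat.route(wan_ip, "tcp", p) is not None)


def demo():
    """Constructed scenario: two public HTTP servers that both want port 80."""
    sua = SuaNat(default_server="192.168.1.50")
    sua.add_mapping(80, "192.168.1.10")
    try:
        sua.add_mapping(80, "192.168.1.11")   # fails: same port number
        sua_second_http = "accepted"
    except ValueError:
        sua_second_http = "rejected"

    multi = MultiNat()
    multi.add_mapping("203.0.113.1", 80, "192.168.1.10")
    multi.add_mapping("203.0.113.2", 80, "192.168.1.11")   # same port, other WAN IP

    return {
        "sua_second_http": sua_second_http,
        "sua_udp_80": sua.route("203.0.113.1", "udp", 80),        # no protocol distinction
        "sua_unmapped_22": sua.route("203.0.113.1", "tcp", 22),   # Default Server gets it
        "multi_second_http": multi.route("203.0.113.2", "tcp", 80),
        "multi_unmapped_22": multi.route("203.0.113.2", "tcp", 22),  # no default: dropped
        "sua_exposed": unmapped_but_forwarded(sua, "203.0.113.1", [22, 25, 80, 443]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `sua_exposed` list is the practical point for a defender: once a Default Server is configured, every port you did not explicitly map is forwarded to it, which is why the review's reminder that the 312's Firewall still sits in front of the mapped servers matters so much.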



    Copyright 2003 Jupitermedia Corporation All Rights Reserved.