ZyXEL ZyAIR G-2000 Plus 802.11g Wireless 4-port Router



Setup and Administration - Firewall

The Plus' firewall / routing portion uses stateful packet inspection (SPI) to provide protection against denial of service (DoS) and other attacks. The firewall is primarily rule-driven in its configuration and behavior and uses a basic set of default rules but custom firewall rules may be defined and added to its rules base.

The documentation includes a reasonably helpful and comprehensive rule logic overview for those who want to create custom firewall rules, and includes a checklist to determine the intent of the rule, label it as an allow or deny mechanism, specify whether its focus is on inbound or outbound traffic, identify IP services involved, as well as computers affected.

The rule definition interface is visual, and includes data entry fields or pull down lists to specify what action to take (Block, Forward) and the service against which it operates (the interface includes a large list of predefined services, but also includes a mechanism to add new definitions to that list).

Default rules permit LAN-to-WAN (outbound) traffic, but deny traffic initiated from WAN-to-LAN (inbound). Firewall rules are grouped based on direction of travel, into the following categories:

  1. LAN to LAN / ZyAIR
  2. LAN to WAN
  3. WAN to LAN
  4. WAN to WAN / ZyAIR

The default stateful inspection rules block WAN to LAN and WAN to WAN / ZyAIR traffic, so that computers on the Internet cannot use the Plus as a gateway to other computers on the WAN, nor can they attempt to manage the Plus itself. It's possible to add custom rules by comparing Source IP address, destination IP address and IP protocol type for traffic to rules defined by the administrator.

One of the first things I needed to do was to set up inbound access for my web and email server, which meant changing firewall settings. This was fairly simple using the SUA/NAT page (Figure 5).

SUA Server

Figure 5: SUA Server
(click to enlarge)

Unfortunately, making these entries did not achieve the desired results, which should have been to forward all incoming requests on ports 80 and 25 to my server at IP address 192.168.1.4. The G-2000 Plus's own logs even confirmed that those requests were being dropped. I managed to figure out that in addition to making the proper SUA / NAT entry, I also had to create rules in the firewall to tell the system to properly forward such requests. Once that was done, it worked fine.

While I now understand why the firewall rules had to be entered, I think ZyXEL should either provide some sort of reminder or flag that a firewall rule creation is necessary when defining an SUA / Server, or do it automatically like many other consumer routers do! And to make matters even more confusing, I found that when setting a "Default Server" (commonly known as a "DMZ" machine), I didn't need to program a matching firewall rule!

Besides the usual firewall functions of keeping out the bad guys and acting as a gatekeeper for your local network, the Plus also performs basic web filtering. You can restrict web features like ActiveX and Java, and you can restrict URL's by outright specification or by keywords. You can even assign the days and times when filtering is active (Figure 6).

Firewall Content Filter

Figure 6: Firewall Content Filter