Setup and Administration - Firewall

The Plus' firewall / routing portion uses stateful packet inspection (SPI) to provide protection against denial of service (DoS) and other attacks. The firewall is primarily rule-driven in its configuration and behavior. It ships with a basic set of default rules, and custom firewall rules may be defined and added to its rule base.

The documentation includes a reasonably helpful and comprehensive rule logic overview for those who want to create custom firewall rules. It also includes a checklist for planning a rule: determine the intent of the rule, label it as an allow or deny mechanism, specify whether it applies to inbound or outbound traffic, and identify the IP services involved and the computers affected.

The rule definition interface is visual, and includes data entry fields or pull down lists to specify what action to take (Block, Forward) and the service against which it operates (the interface includes a large list of predefined services, but also includes a mechanism to add new definitions to that list).

Default rules permit LAN-to-WAN (outbound) traffic, but deny traffic initiated from WAN-to-LAN (inbound). Firewall rules are grouped based on direction of travel, into the following categories:

  1. LAN to LAN / ZyAIR
  2. LAN to WAN
  3. WAN to LAN
  4. WAN to WAN / ZyAIR

The default stateful inspection rules block WAN to LAN and WAN to WAN / ZyAIR traffic, so that computers on the Internet cannot use the Plus as a gateway to other computers on the WAN, nor can they attempt to manage the Plus itself. Administrators can add custom rules, which match traffic by source IP address, destination IP address and IP protocol type.

One of the first things I needed to do was to set up inbound access for my web and email server, which meant changing firewall settings. This was fairly simple using the SUA/NAT page (Figure 5).

Figure 5: SUA Server

Unfortunately, making these entries did not achieve the desired results, which should have been to forward all incoming requests on ports 80 and 25 to my server at IP address 192.168.1.4. The G-2000 Plus's own logs even confirmed that those requests were being dropped. I managed to figure out that in addition to making the proper SUA / NAT entry, I also had to create rules in the firewall to tell the system to properly forward such requests. Once that was done, it worked fine.

While I now understand why the firewall rules had to be entered, I think ZyXEL should either provide some sort of reminder or flag that a firewall rule creation is necessary when defining an SUA / Server, or do it automatically like many other consumer routers do! And to make matters even more confusing, I found that when setting a "Default Server" (commonly known as a "DMZ" machine), I didn't need to program a matching firewall rule!
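
The dependency described above, as an added example (not ZyXEL's code or the reviewer's actual configuration): a simplified Python model that audits SUA/NAT server entries against WAN-to-LAN firewall rules and lists the forwards that the default deny would still drop. The rule shape, first-match evaluation and matching on the post-NAT server address are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Forward:
    """One SUA/NAT server entry: WAN port mapped to a LAN server."""
    port: int
    server: str


@dataclass(frozen=True)
class Rule:
    """One WAN-to-LAN firewall rule (hypothetical shape for this model)."""
    action: str          # "forward" or "block", the two actions the UI offers
    dest: str            # LAN host or CIDR the rule applies to
    ports: range
    proto: str = "tcp"


def wan_to_lan_verdict(rules, dest, port, proto="tcp"):
    """Assumed first-match evaluation; with no match the default is deny."""
    for r in rules:
        in_net = ip_address(dest) in ip_network(r.dest)
        if proto == r.proto and port in r.ports and in_net:
            return r.action
    return "block"


def audit(forwards, rules):
    """Return SUA entries whose traffic the firewall would still drop."""
    return [f for f in forwards
            if wan_to_lan_verdict(rules, f.server, f.port) != "forward"]


# Constructed sample: the review's two forwards, but only one firewall rule.
FORWARDS = [Forward(80, "192.168.1.4"), Forward(25, "192.168.1.4")]
RULES = [Rule("forward", "192.168.1.4", range(80, 81))]

if __name__ == "__main__":
    for f in audit(FORWARDS, RULES):
        print(f"port {f.port} -> {f.server}: NAT entry present, firewall drops it")
```

The same audit also flags a forward whose allow rule is shadowed by an earlier, broader block rule, since the first match decides the verdict.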

Besides the usual firewall functions of keeping out the bad guys and acting as a gatekeeper for your local network, the Plus also performs basic web filtering. You can restrict web features like ActiveX and Java, and you can restrict URLs by outright specification or by keywords. You can even assign the days and times when filtering is active (Figure 6).

Figure 6: Firewall Content Filter
