Packet Flow Explore
Overview
Use this to get a clear picture on how the Zyxel Device determines where to forward a packet and how to change the source IP address of the packet according to your current settings. This function provides you a summary of all your routing and SNAT settings and helps troubleshoot any related problems.
What You Can Do in this Chapter
• Use the Routing Status screen (see Routing Status) to view the overall routing flow and each routing function’s settings.
• Use the SNAT Status screen (see The SNAT Status Screen) to view the overall source IP address conversion (SNAT) flow and each SNAT function’s settings.
• Use the Route Traces screen (see Section 30.4 on page 518) to configure traceroute to identify where packets are dropped for troubleshooting.
Routing Status
The Routing Status screen allows you to view the current routing flow and quickly link to specific routing settings. Click a function box in the Routing Flow section, the related routes (activated) will display in the Routing Table section. To access this screen, click Maintenance > Packet Flow Explore > Routing Status.
Different features may have overlapping criteria that trigger different actions for the same traffic. Packet Flow Explore defines the order that features check criteria. This resolves conflicts when criteria overlap in different features. Features that may encounter overlapping criteria are:
• Routing
• NAT
Once a packet matches the criteria of a routing rule, the Zyxel Device takes the corresponding action and does not perform any further flow checking. If you use the vrf main routing policy-route override-direct-route command, the Zyxel Device will prioritize Policy Route over Direct Route for packets routing.Dynamic/SiteToSite VPN
This is where packets are forwarded according to the criteria you configure in VPN > IPSec VPN > Site to Site VPN.
The following table describes the labels in this screen.
Label | Description |
|---|---|
Routing Flow | This section shows you the flow of how the Zyxel Device determines where to route a packet. Click a function box to display the related settings in the routing table section. |
Routing Table | This section shows the corresponding settings according to the function box you click in the Routing Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
Source | This is the IP address(es) of the local VPN network. |
Destination | This is the IP address(es) for the remote VPN network. |
VPN Tunnel | This is the name of the VPN tunnel. |
Direct Route
This is where packets are sent to directly connected subnets.
The following table describes the labels in this screen.
Label | Description |
|---|---|
Routing Flow | This section shows you the flow of how the Zyxel Device determines where to route a packet. Click a function box to display the related settings in the routing table section. |
Routing Table | This section shows the corresponding settings according to the function box you click in the Routing Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
Destination | This is the destination IP address of a route. |
Interface | This is the name of an interface associated with the route. |
Policy Route
This is where packets are forwarded according to the criteria you configure in Network > Routing > Policy Route.
The following table describes the labels in this screen.
Label | Description |
|---|---|
Routing Flow | This section shows you the flow of how the Zyxel Device determines where to route a packet. Click a function box to display the related settings in the routing table section. |
Routing Table | This section shows the corresponding settings according to the function box you click in the Routing Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
User | This is the name of the user (group) object from which the packets are sent. any means all users. |
Incoming Interface | This is the interface on which the packets are received. |
Source | This is the source IP address(es) from which the packets are sent. |
Destination | This is the destination IP address(es) to which the packets are transmitted. |
Service | This is the name of the service object. any means all services. |
Source Port | This is the source port(s) from which the packets are sent. |
DSCP Code | This is the DSCP value of incoming packets to which this policy route applies. |
Next Hop Type | This is the type of the next hop to which packets are directed. |
Next Hop Info | • This is the main route if the next hop type is Auto. • This is the interface name and gateway IP address if the next hop type is Interface /GW. • This is the trunk name if the next hop type is Trunk. |
Policy Route Priority | Enter the priority of the rule on the Zyxel Device. The Zyxel Device uses this priority to determine which rule to apply. The lower the number, the higher the priority. |
Static Route
This is where packets are forwarded according to the criteria you configured in Network > Routing > Static Route.
The following table describes the labels in this screen.
Label | Description |
|---|---|
Routing Flow | This section shows you the flow of how the Zyxel Device determines where to route a packet. Click a function box to display the related settings in the routing table section. |
Routing Table | This section shows the corresponding settings according to the function box you click in the Routing Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
Destination | This is the destination IP address of a route. |
Gateway | This is the IP address of the next-hop gateway or the interface through which the traffic is routed. |
Interface | This is the name of an interface associated with the route. |
Metric | This is the route’s priority among the displayed routes. The lower the number, the higher the priority. |
Nebula Static Route
This is the static route created when you are using Nebula VPN.
The following table describes the labels in this screen.
Label | Description |
|---|---|
Routing Flow | This section shows you the flow of how the Zyxel Device determines where to route a packet. Click a function box to display the related settings in the routing table section. |
Routing Table | This section shows the corresponding settings according to the function box you click in the Routing Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
Destination | This is the destination IP address of a route. |
Gateway | This is the IP address of the next-hop gateway or the interface through which the traffic is routed. |
Destination Site | This is the Nebula site name of the next-hop gateway or the interface through which the traffic is routed. |
Metric | This is the route’s priority among the displayed routes. The lower the number, the higher the priority. |
1-1 SNAT
This maps an internal private IP address to a single external public IP address for outbound traffic.
The following table describes the labels in this screen.
Label | Description |
|---|---|
Routing Flow | This section shows you the flow of how the Zyxel Device determines where to route a packet. Click a function box to display the related settings in the routing table section. |
Routing Table | This section shows the corresponding settings according to the function box you click in the Routing Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
Source | This is the external source IP address(es). |
Protocol | This is the transport layer protocol. |
Source Port | This is the source port number. |
Destination | This is the external destination IP address(es). |
Outgoing | This is the outgoing interface that the SNAT rule uses to transmit packets. |
Gateway | This is the IP address of the gateway in the same network of the outgoing interface. |
NAT Rule | This is the name of an activated 1:1 or Many 1:1 NAT rule in the NAT table. |
Default WAN Trunk
This is where packets are forwarded to the active interface in a WAN trunk and then onto the destination IP address.
The following table describes the labels in this screen.
Label | Description |
|---|---|
Routing Flow | This section shows you the flow of how the Zyxel Device determines where to route a packet. Click a function box to display the related settings in the routing table section. |
Routing Table | This section shows the corresponding settings according to the function box you click in the Routing Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
Source | This is the source IP address(es) from which the packets are sent. any means any IP address. |
Destination | This is the destination IP address(es) to which the packets are transmitted. any means any IP address. |
Trunk | This is the name of the WAN trunk through which the matched packets are transmitted. |
Algorithm | This displays the load balancing method of the WAN trunk. Select Weighted Round Robin to balance the traffic load between interfaces based on their respective weights. An interface with a larger weight gets more chances to transmit traffic than an interface with a smaller weight. For example, if the weight ratio of wan1 and wan2 interfaces is 2:1, the Zyxel Device chooses wan1 for 2 sessions’ traffic and wan2 for 1 session’s traffic in each round of 3 new sessions. Select Least Load First to send new session traffic through the least utilized trunk member. Select Spillover to send network traffic through the first interface in the group member list until there is enough traffic that the second interface needs to be used (and so on). |
Member | This displays the trunk member’s interface(s). |
Main Route
This is the default routing table of the Zyxel Device system kernel where packets are forwarded onto the destination IP address.
The following table describes the labels in this screen.
Label | Description |
|---|---|
Routing Flow | This section shows you the flow of how the Zyxel Device determines where to route a packet. Click a function box to display the related settings in the routing table section. |
Routing Table | This section shows the corresponding settings according to the function box you click in the Routing Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
Destination | This is the destination IP address(es) to which the packets are transmitted. any means any IP address. |
Gateway | This is the IP address of the gateway in the same network of the outgoing interface. |
Interface | This is the name of an interface associated with the route. |
Metric | This is the route’s priority among the displayed routes. The lower the number, the higher the priority. |
The SNAT Status Screen
The SNAT Status screen allows you to view and quickly link to specific source NAT (SNAT) settings. Click a function box in the SNAT Flow section, the related SNAT rules (activated) will display in the SNAT Table section. To access this screen, click Maintenance > Packet Flow Explore > SNAT Status.
Once a packet matches the criteria of an SNAT rule, the Zyxel Device takes the corresponding action and does not perform any further flow checking. The order of the SNAT flow may vary depending on whether you:
• Enable/disable Default SNAT in the Network > Interface > Edit External interface screen.
SitetoSite VPN SNAT
SNAT for policy-based SitetoSite IPsec VPN maps all internal private IP addresses of a site to a single IP address for outbound traffic.
The following table describes the labels in this screen.
Label | Description |
|---|---|
SNAT Flow | This section shows you the flow of how the Zyxel Device changes the source IP address for a packet according to the rules you have configured in the Zyxel Device. Click a function box to display the related settings in the SNAT Table section. |
SNAT Table | The table fields in this section vary depending on the function box you select in the SNAT Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
Source | This is the external source IP address(es). |
Destination | This is the external destination IP address(es). |
SNAT | This is the source IP address(es) that the SNAT rule uses finally. |
VPN Tunnel | This is the name of the VPN tunnel. |
Policy Route SNAT
This is where packets are forwarded according to the criteria you configured in Network > Routing > Policy Route, with the private source IP address of the sender replaced with a public IP address for outbound traffic.
The following table describes the labels in this screen.
Label | Description |
|---|---|
SNAT Flow | This section shows you the flow of how the Zyxel Device changes the source IP address for a packet according to the rules you have configured in the Zyxel Device. Click a function box to display the related settings in the SNAT Table section. |
SNAT Table | The table fields in this section vary depending on the function box you select in the SNAT Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
User | This is the name of the user (group) object from which the packets are sent. any means all users. |
Incoming | This is the interface on which the packets are received. |
Source | This is the source IP address(es) from which the packets are sent. |
Destination | This is the destination IP address(es) to which the packets are transmitted. |
Service | This is the name of the service object. any means all services. |
Source Port | This is the source port(s) from which the packets are sent. |
DSCP Code | This is the DSCP value of incoming packets to which this policy route applies. |
Outgoing | This is the outgoing interface that the route uses to transmit packets. |
SNAT | This is the source IP address(es) that the SNAT rule uses finally. |
Rule Priority | Enter the priority of the rule on the Zyxel Device. The Zyxel Device decides which gateway to use based on this priority. The lower the number, the higher the priority. |
1-1 SNAT
1-1 SNAT maps an internal private IP address to a single external public IP address for outbound traffic.
The following table describes the labels in this screen.
Label | Description |
|---|---|
SNAT Flow | This section shows you the flow of how the Zyxel Device changes the source IP address for a packet according to the rules you have configured in the Zyxel Device. Click a function box to display the related settings in the SNAT Table section. |
SNAT Table | The table fields in this section vary depending on the function box you select in the SNAT Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
Source | This is the external source IP address(es). |
Protocol | This is the transport layer protocol. |
Source Port | This is the source port number. |
Destination | This is the external destination IP address(es). |
Outgoing | This is the outgoing interface that the SNAT rule uses to transmit packets. |
SNAT | This is the source IP address(es) that the SNAT rule uses finally. |
NAT Rule | This is the name of an activated NAT rule which uses SNAT. |
Loopback SNAT
Loopback SNAT maps an internal private IP address to the public IP address of an internal server.
The following table describes the labels in this screen.
Label | Description |
|---|---|
SNAT Flow | This section shows you the flow of how the Zyxel Device changes the source IP address for a packet according to the rules you have configured in the Zyxel Device. Click a function box to display the related settings in the SNAT Table section. |
SNAT Table | The table fields in this section vary depending on the function box you select in the SNAT Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
Source | This is the original source IP address(es). any means any IP address. |
Destination | This is the original destination IP address(es). any means any IP address. |
SNAT | This indicates which source IP address the SNAT rule uses finally. For example, Outgoing Interface IP means that the Zyxel Device uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule. |
NAT Rule | This is the name of an activated NAT rule which uses SNAT and enables NAT loopback. |
Default SNAT
Default SNAT maps internal private IP addresses to a single external public IP address for outbound traffic.
The following table describes the labels in this screen.
Label | Description |
|---|---|
SNAT Flow | This section shows you the flow of how the Zyxel Device changes the source IP address for a packet according to the rules you have configured in the Zyxel Device. Click a function box to display the related settings in the SNAT Table section. |
SNAT Table | The table fields in this section vary depending on the function box you select in the SNAT Flow section. |
# | This field is a sequential value, and it is not associated with any entry. |
Incoming | This indicates internal interface(s) on which the packets are received. |
Outgoing | This indicates external interface(s) from which the packets are transmitted. |
SNAT | This indicates which source IP address the SNAT rule uses finally. For example, Outgoing Interface IP means that the Zyxel Device uses the IP address of the outgoing interface as the source IP address for the matched packets it sends out through this rule. |
Route Traces
Click Maintenance > Packet Flow Explore > Route Traces to display this screen. Use this screen to configure a traceroute to identify where packets are dropped for troubleshooting.
The following table describes the labels in this screen.
Label | Description |
|---|---|
IP Address | You can trace traffic through the Zyxel Device from a specific source-to-destination stream or just from/to a specific host (source or destination). |
Source | Enter the source IP address of traffic that you want to trace. |
Port | Enter the source port number of traffic that you want to trace. |
Destination | Enter the destination IP address of traffic that you want to trace. |
Port | Enter the destination port number of traffic that you want to trace. |
Host | Enter the IP address of a specific source or destination host whose traffic you want to trace. |
Port | Enter the port number for particular source traffic on the host that you want to trace. |
Protocol | Select the protocol of traffic that you want to trace. any means any protocol. |
Interval | Enter a time interval in seconds for renewing a route trace. The default time interval is 5 seconds. |
Capture | Click this button to have the Zyxel Device capture frames according to the settings configured in this screen. You can configure the Zyxel Device while a frame capture is in progress although you cannot modify the frame capture settings. |
Flush Data | Click this to clear all data on the screen. |
ID | This field displays the packet ID for each active session. |
Protocol | This field displays the protocol used in each active session. |
Debug | This field displays debug information for the session. Customer support may ask to see these debug messages when investigating a problem. There are three types of debug messages: • The packet outgoing interface: [interface name] • The packet was dropped by [feature name] • Pass the packet to userspace: [feature name] |
Incoming Interface | This is the source interface of packets to which this active session applies. |
Message | This field displays traceroute information. |
The following screen is an example of Route Trace information.