The traceroute page, located at Diagnostics > Traceroute, works like the traceroute command found on many platforms. It sends special packets which, as the name implies, trace a route across the network from this firewall to a remote host.

The results include a list of hops between hosts along with response times, as long as the intervening hosts support (or do not filter) traffic required for traceroute to work.

This document also includes a detailed explanation of how traceroute functions.

Traceroute Options

The GUI page to perform a traceroute contains the following options which control the behavior of the test:


A hostname or IP address to which the firewall will trace the route.

IP Protocol

The address type the firewall will use when a hostname has both A (IPv4) and AAAA (IPv6) records.

Source Address

The IP address from which the firewall will send the trace.

This is especially important when testing LAN-to-LAN VPN connectivity.

Maximum number of hops

The maximum length of the path to trace.

The trace will stop if the path cannot be traced completely after this number of hops.

Reverse Address Lookup

When checked, traceroute will attempt to perform a PTR lookup to locate hostnames for hops along the path.

This option slows down the process as it has to wait for DNS replies.


By default, traceroute uses UDP but that may be blocked by some routers. Check this box to use ICMP instead, which may succeed.

The page will display output once the trace is complete. Press the Stop button at any time to see the current output of the trace if it is still running or stalled.

How Traceroute Works

Every IP packet contains a time-to-live (TTL) value. When a router passes a packet it decrements the TTL by one. When a router receives a packet with a TTL of 1 and the destination is not a locally attached network, the router returns an ICMP error message “Time-to-live exceeded” and drops the packet. This limits the impact of routing loops, which otherwise would cause each packet to loop indefinitely.

Traceroute uses this TTL to its advantage to map the path to a specific network destination. It starts by sending the first packet with a TTL of 1. The first router (usually the default gateway) will send back an ICMP time-to-live exceeded error. The program outputs the time between sending the packet and receiving the ICMP error along with the IP address that sent the error and its reverse DNS, if any. After sending three packets with a TTL of 1 and displaying their response times it increments the TTL to 2 and sends three more packets. It outputs the same types of information for the second hop. Traceroute increments the TTL and repeats the process until it reaches the specified destination or exceeds the maximum number of hops.

Traceroute functions slightly differently on Windows and Unix-like operating systems (BSD, Linux, macOS, Unix, etc.). Windows uses ICMP echo request packets (pings) while Unix-like systems use UDP packets by default. ICMP and UDP are layer 4 protocols, and traceroute is done at layer 3, so the protocol is largely irrelevant except when considering firewall rules and policy routing configurations. Traceroute from Windows clients will be policy routed based on rules which permit ICMP echo requests, while Unix-like clients will be policy routed by rules matching UDP.

In this example, traceroute is used to view the route to

# traceroute
traceroute: Warning: has multiple addresses; using
traceroute to (, 64 hops max, 40 byte packets
 1  core (  1.450 ms  1.901 ms  2.213 ms
 2 (  4.852 ms  3.698 ms  3.120 ms
 3 (  3.275 ms  3.210 ms  3.215 ms
 4 (  8.791 ms  8.593 ms  8.891 ms
 5 (  8.460 ms  39.941 ms  8.551 ms
 6 (  10.376 ms  8.904 ms  8.765 ms
 7 (  19.479 ms  20.058 ms  19.550 ms
 8 (  20.547 ms  19.761 ms (  20.131 ms
 9 (  30.184 ms (  21.337 ms  21.756 ms
10 (  19.793 ms  19.665 ms  20.603 ms

The output shows that it took 10 hops to reach the destination and the latency generally increased with each hop, which is expected.


When utilizing policy routing, such as with Multi-WAN, the firewall itself may not appear as a hop in traceroute. When policy routing is employed, pf does not decrement the TTL when forwarding packets, so traceroute cannot detect the firewall as an intermediate router.