Route Table Contents
The current contents of the firewall route table are displayed by the GUI page at Diagnostics > Routes. The CLI can also display the route table using the command netstat -rWn.
Route Table GUI
The GUI route table contents look like Figure Route Table Display. The route table contents are described in detail later in this document.
Routing Table Display Options
The list of routes displayed by the GUI supports pagination and filtering to aid with viewing large routing tables such as those found with a full BGP feed. The top section of the page contains the following options which control the behavior of the page:
- Resolve Names:
This option controls whether or not the firewall attempts to resolve items using DNS. The default is unchecked, which disables DNS resolution. When checked, the firewall attempts a DNS lookup to show hostnames rather than IP addresses for route table entries.
Warning
Enabling this feature causes a delay and performance penalty as the page attempts to resolve all of the entries. As the size of the table increases, the delay will also increase and performance will degrade further.
- Rows to display:
This option controls the number of rows output from each route table. By default the page displays 100 rows. Choose a new value to show more or fewer rows.
- Filter:
This text entry box defines a string or pattern which the page uses to search the route table for matching entries. The field supports regular expressions for advanced filtering.
Click Update to redisplay the routing table with the current settings.
Route Table CLI
Viewing the route table in the CLI is similar to the GUI. The same information is present, and the labels are similar.
The netstat -rWn command can be run from a console or SSH shell:
$ netstat -rWn
Routing tables
Internet:
Destination Gateway Flags Use Mtu Netif Expire
default 198.51.100.1 UGS 294 1500 vtnet0
127.0.0.1 link#4 UH 20976 16384 lo0
192.168.1.0/24 link#2 U 1 1500 vtnet1
192.168.1.1 link#2 UHS 0 16384 lo0
198.51.100.0/24 link#1 U 116 1500 vtnet0
198.51.100.1 ca:1d:62:6c:c6:9c UHS 191 1500 vtnet0
198.51.100.103 link#1 UHS 0 16384 lo0
Omit the -n flag and the command will attempt to use DNS to resolve IP addresses to hostnames where possible.
IPv4 and IPv6 Route Table Content
The route table information output by either the GUI or the CLI contains the following fields:
- Destination:
The destination network or host for this route. The default route for each address family is listed as default. Otherwise, hosts are listed as an IP address and networks are listed with an IP address and CIDR mask or prefix.
- Gateway:
The next hop through which the firewall will route traffic going to the Destination. If this column shows a link, such as link#1, then that network is directly reachable by that interface and no special routing is necessary. If a host is visible with a MAC address, then it is a locally reachable host with an entry in the ARP table, and packets are sent there directly.
Properties of this route. See Route Table Flags for the meanings of each flag.
- Uses:
The total number of packets the firewall has sent via this route.
This is helpful for determining if the firewall is actively using a route as the value will continually increment as packets utilize the route.
- MTU:
The MTU for packets using this route.
- Interface:
The interface through which the firewall will route traffic for Destination.
- Expire:
An expiration time for temporary routes, such as those added from ICMP redirects.
Route Table Flags
There are quite a few flags, all of which are covered in the FreeBSD man page for netstat(1). The portion of the content from that document covering flags is reproduced in Route Table Flags.
Letter | Flag | Meaning
---|---|---
1 | RTF_PROTO1 | Protocol specific routing flag #1
2 | RTF_PROTO2 | Protocol specific routing flag #2
3 | RTF_PROTO3 | Protocol specific routing flag #3
B | RTF_BLACKHOLE | Discard packets during updates
b | RTF_BROADCAST | Represents a broadcast address
D | RTF_DYNAMIC | Created dynamically by redirect
G | RTF_GATEWAY | Destination requires forwarding by intermediary
H | RTF_HOST | Host entry (net otherwise)
L | RTF_LLINFO | Valid protocol to link address translation
M | RTF_MODIFIED | Modified dynamically (by redirect)
R | RTF_REJECT | Host or net unreachable
S | RTF_STATIC | Manually added
U | RTF_UP | Route usable
X | RTF_XRESOLVE | External daemon translates proto to link address
For example, a route flagged as UGS is a usable route, packets are sent via the gateway listed, and it is a static route.
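As an added example (not part of this documentation), the following Python parses netstat -rWn output into the fields described above and expands each flag letter using the Route Table Flags table, which lets an administrator spot routes that were not added manually, such as entries created or modified by ICMP redirects (D/M flags). The sample text is constructed to match the output shown earlier; the function names are this example's own.

```python
import re

# Flag letters and meanings from netstat(1), as reproduced in the flags table above.
ROUTE_FLAGS = {
    "1": "RTF_PROTO1", "2": "RTF_PROTO2", "3": "RTF_PROTO3",
    "B": "RTF_BLACKHOLE", "b": "RTF_BROADCAST", "D": "RTF_DYNAMIC",
    "G": "RTF_GATEWAY", "H": "RTF_HOST", "L": "RTF_LLINFO",
    "M": "RTF_MODIFIED", "R": "RTF_REJECT", "S": "RTF_STATIC",
    "U": "RTF_UP", "X": "RTF_XRESOLVE",
}

# Constructed sample, laid out like the `netstat -rWn` output shown earlier (Expire is empty).
SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags     Use    Mtu  Netif Expire
default            198.51.100.1       UGS       294   1500 vtnet0
127.0.0.1          link#4             UH      20976  16384    lo0
192.168.1.0/24     link#2             U           1   1500 vtnet1
192.168.1.1        link#2             UHS         0  16384    lo0
198.51.100.0/24    link#1             U         116   1500 vtnet0
198.51.100.1       ca:1d:62:6c:c6:9c  UHS       191   1500 vtnet0
198.51.100.103     link#1             UHS         0  16384    lo0
"""

def parse_routes(text):
    """Return one dict per route line; headers and section titles are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] == "Destination":
            continue
        # Destination is "default", an address, or an address with a CIDR prefix.
        if cols[0] != "default" and not re.match(r"[0-9a-fA-F.:]+(/\d+)?$", cols[0]):
            continue
        dest, gw, flags, use, mtu, netif = cols[:6]
        routes.append({
            "destination": dest, "gateway": gw, "netif": netif,
            "flags": [ROUTE_FLAGS[c] for c in flags],
            "use": int(use), "mtu": int(mtu),
            "expire": cols[6] if len(cols) > 6 else None,
            # link# or MAC gateway means directly reachable; G means forwarded via next hop.
            "via_gateway": "G" in flags,
        })
    return routes

def redirect_routes(routes):
    """Destinations whose route was created or modified by an ICMP redirect."""
    return [r["destination"] for r in routes
            if "RTF_DYNAMIC" in r["flags"] or "RTF_MODIFIED" in r["flags"]]
```

Routes returned by redirect_routes are worth comparing against the static entries on Diagnostics > Routes, since they were not added by an administrator.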