Gateways are the key to routing; They are routers through which other networks can be reached. The kind of gateway most people are familiar with is a default gateway, which is the router through which a host will communicate to the Internet or any other networks it doesn’t have a more specific route to reach. Gateways are also used for static routing, where other networks must be reached via specific local routers. On most networks, gateways reside in the same subnet as one of the interfaces on a host. For example, if a firewall has an IP address of, then a gateway to another network would have to be somewhere inside of 192.168.22.x if the other network is reachable through that interface. One notable exception to this is point-to-point interfaces like those used in PPP-based protocols, which often have gateway IP addresses in another subnet because they are not used in the same way.

Gateway Address Families (IPv4 and IPv6)

When working with routing and gateways, the functionality and procedures are the same for both IPv4 and IPv6 addresses, however all of the addresses for a given route must involve addresses of the same family. For example, an IPv6 network must be routed using an IPv6 gateway/router. A route cannot be created for an IPv6 network using an IPv4 gateway address. When working with gateway groups, the same restriction applies; All gateways in a gateway group must be of the same address family.

Managing Gateways

Before a gateway can be utilized for any purpose, it must be added to the firewall configuration.

If a gateway will be used for a WAN-type interface, it can be added on the configuration page for that interface (See Interface Configuration Basics), or it may be added first manually and then selected from the drop-down list on the interface configuration.

Dynamic interface types such as DHCP and PPPoE receive an automatic gateway that is noted as Dynamic in the gateway list. The parameters for such gateways can be adjusted the same as the parameters for a static gateway.


Deleting a dynamic gateway will clear its custom settings, but the dynamic gateway itself cannot be removed.

To add or manage gateways, navigate to System > Routing, Gateways tab.

On the screen there are a variety of options to manage gateway entries:

  • fa-plus Add at the bottom of the list creates a new gateway

  • fa-clone creates a copy of an existing gateway

  • fa-pencil edits an existing gateway

  • fa-trash deletes a gateway

  • fa-ban disables an active gateway

  • fa-check-square-o enables a disabled gateway

The individual options for gateways are discussed in detail in Gateway Settings.

Managing the Default Gateway

The Default Gateway section at the bottom of System > Routing, Gateways tab controls which gateway(s) are used by default when the firewall routes traffic. Traffic from the firewall itself will follow the default gateway, as will traffic passing through the firewall when it does not match other more specific routes or policy routing rules.

There are two controls in the section which set the default gateway for IPv4 and IPv6 respectively.

The default gateway can have one of the following values:


The firewall will automatically use gateways from this list (from the top down) for the default gateway, switching to the next item in the list if gateways fail or are marked down.

For more control over this behavior, use a gateway group instead.


The selected single gateway is always used for the default gateway.

Gateway Group

The firewall uses the selected gateway group pick the default gateway. It will change from one gateway to another if the preferred default fails.


This function does not support load balancing, only failover. When using a gateway group for the default gateway, the group must only have one gateway in each tier.


No default gateway for the address family will be added to the routing table.