Gateways are the key to routing; They are routers on directly connected networks through which a host can reach other networks. The kind of gateway most people are familiar with is a default gateway, which is the router through which a host will communicate to the Internet or any other networks it doesn’t have a more specific route to reach. Gateways are also used for static routing, where certain hosts or networks must be reached via specific routers. On most networks a gateway resides in the same subnet as one of the interfaces on a host. For example, if a firewall has an IP address of, then a gateway to another network would have to be somewhere inside of 192.168.22.x if the other network is reachable through that interface.


One notable exception to this is point-to-point interfaces like those used in PPP-based protocols, which often have gateway IP addresses in another subnet because they are not used in the same way.

Gateway Address Families (IPv4 and IPv6)

When working with routing and gateways the functionality and procedures are the same for both IPv4 and IPv6 addresses. However, all of the addresses for a given route must involve addresses of the same family. For example, an IPv6 network must be routed through an IPv6 gateway. A route cannot be created for an IPv6 network using an IPv4 gateway address. When working with gateway groups the same restriction applies: All gateways in a gateway group must be of the same address family.

Managing Gateways

Before a gateway can be utilized for any purpose, it must be added to the firewall configuration.

If a gateway will be used for a WAN-type interface, it can be added on the configuration page for that interface (See Interface Configuration Basics), or it may be added first manually and then selected from the drop-down list on the interface configuration.

Dynamic interface types such as DHCP, PPPoE, and some assigned tunnel interfaces receive an automatic gateway that is noted as Dynamic in the gateway list. The parameters for such gateways can be adjusted the same as the parameters for a static gateway.


Deleting a dynamic gateway will clear its custom settings but the dynamic gateway itself cannot be removed.

To add or manage gateways, navigate to System > Routing, Gateways tab.

On the screen there are a variety of options to manage gateway entries:

  • fa-plus Add at the bottom of the list creates a new gateway

  • fa-pencil edits an existing gateway

  • fa-clone creates a copy of an existing gateway

  • fa-ban disables an active gateway

  • fa-square-check enables a disabled gateway

  • fa-trash-can deletes a gateway

See also

The individual options for gateways are discussed in detail in Gateway Settings.

Managing the Default Gateway

The Default Gateway section at the bottom of System > Routing, Gateways tab controls which gateway(s) are used by default when the firewall routes traffic. Traffic from the firewall itself will follow the default gateway, as will traffic passing through the firewall when it does not match policy routing rules or other more specific routes.

There are two controls in the section which set the default gateway for IPv4 and IPv6 respectively.

The default gateway can have one of the following values:


The firewall will automatically use gateways from this list (from the top down) for the default gateway, switching to the next item in the list if gateways fail or are marked down.

For more control over this behavior, use a gateway group instead.


This function can automatically select gateways from VPNs (e.g. IPsec, WireGuard, OpenVPN) and other sources, which may not be what the user intends. These gateways may not allow the firewall to reach the Internet, which may prevent regular traffic flow.

The best practice for failover is to create a custom gateway group with viable Internet gateways in the intended order by tier rather than relying on the automatic behavior.


The selected single gateway is always used for the default gateway.

Gateway Group:

The firewall uses the selected gateway group to select a default gateway. It will change from one gateway to another if the preferred default fails.


This function does not support load balancing, only failover. When using a gateway group for the default gateway, the group must only have one gateway in each tier.


No default gateway for the address family will be added to the routing table.


Though default gateway switching is handy for handling traffic from the firewall itself, it is not always the best fit for user traffic. When using gateway switching instead of policy routing the firewall states are not able to track gateway information which allows the firewall to selectively kill states for specific gateways. See State Killing on Gateway Failure.