Gateways are the key to routing; They are routers on directly connected networks
through which a host can reach other networks. The kind of gateway most people
are familiar with is a default gateway, which is the router through which a
host will communicate to the Internet or any other networks it doesn’t have a
more specific route to reach. Gateways are also used for static routing, where
certain hosts or networks must be reached via specific routers. On most networks
a gateway resides in the same subnet as one of the interfaces on a host. For
example, if a firewall has an IP address of
192.168.22.5/24, then a gateway
to another network would have to be somewhere inside of
192.168.22.x if the
other network is reachable through that interface.
One notable exception to this is point-to-point interfaces like those used in PPP-based protocols, which often have gateway IP addresses in another subnet because they are not used in the same way.
Gateway Address Families (IPv4 and IPv6)¶
When working with routing and gateways the functionality and procedures are the same for both IPv4 and IPv6 addresses. However, all of the addresses for a given route must involve addresses of the same family. For example, an IPv6 network must be routed through an IPv6 gateway. A route cannot be created for an IPv6 network using an IPv4 gateway address. When working with gateway groups the same restriction applies: All gateways in a gateway group must be of the same address family.
Before a gateway can be utilized for any purpose, it must be added to the firewall configuration.
If a gateway will be used for a WAN-type interface, it can be added on the configuration page for that interface (See Interface Configuration Basics), or it may be added first manually and then selected from the drop-down list on the interface configuration.
Dynamic interface types such as DHCP, PPPoE, and some assigned tunnel interfaces receive an automatic gateway that is noted as Dynamic in the gateway list. The parameters for such gateways can be adjusted the same as the parameters for a static gateway.
Deleting a dynamic gateway will clear its custom settings but the dynamic gateway itself cannot be removed.
To add or manage gateways, navigate to System > Routing, Gateways tab.
On the screen there are a variety of options to manage gateway entries:
Add at the bottom of the list creates a new gateway
edits an existing gateway
creates a copy of an existing gateway
disables an active gateway
enables a disabled gateway
deletes a gateway
The individual options for gateways are discussed in detail in Gateway Settings.
Managing the Default Gateway¶
The Default Gateway section at the bottom of System > Routing, Gateways tab controls which gateway(s) are used by default when the firewall routes traffic. Traffic from the firewall itself will follow the default gateway, as will traffic passing through the firewall when it does not match policy routing rules or other more specific routes.
There are two controls in the section which set the default gateway for IPv4 and IPv6 respectively.
The default gateway can have one of the following values:
The firewall will automatically use gateways from this list (from the top down) for the default gateway, switching to the next item in the list if gateways fail or are marked down.
For more control over this behavior, use a gateway group instead.
This function can automatically select gateways from VPNs (e.g. IPsec, WireGuard, OpenVPN) and other sources, which may not be what the user intends. These gateways may not allow the firewall to reach the Internet, which may prevent regular traffic flow.
The best practice for failover is to create a custom gateway group with viable Internet gateways in the intended order by tier rather than relying on the automatic behavior.
The selected single gateway is always used for the default gateway.
- Gateway Group
The firewall uses the selected gateway group to select a default gateway. It will change from one gateway to another if the preferred default fails.
This function does not support load balancing, only failover. When using a gateway group for the default gateway, the group must only have one gateway in each tier.
No default gateway for the address family will be added to the routing table.
Though default gateway switching is handy for handling traffic from the firewall itself, it is not always the best fit for user traffic. When using gateway switching instead of policy routing the firewall states are not able to track gateway information which allows the firewall to selectively kill states for specific gateways. See State Killing on Gateway Failure.