Gateways are the key to routing; They are routers through which other networks
can be reached. The kind of gateway most people are familiar with is a default
gateway, which is the router through which a host will communicate to the
Internet or any other networks it doesn’t have a more specific route to reach.
Gateways are also used for static routing, where other networks must be reached
via specific local routers. On most networks, gateways reside in the same subnet
as one of the interfaces on a host. For example, if a firewall has an IP address
192.168.22.5/24, then a gateway to another network would have to be
somewhere inside of
192.168.22.x if the other network is reachable through
that interface. One notable exception to this is point-to-point interfaces like
those used in PPP-based protocols, which often have gateway IP addresses in
another subnet because they are not used in the same way.
Gateway Address Families (IPv4 and IPv6)¶
When working with routing and gateways, the functionality and procedures are the same for both IPv4 and IPv6 addresses, however all of the addresses for a given route must involve addresses of the same family. For example, an IPv6 network must be routed using an IPv6 gateway/router. A route cannot be created for an IPv6 network using an IPv4 gateway address. When working with gateway groups, the same restriction applies; All gateways in a gateway group must be of the same address family.
Before a gateway can be utilized for any purpose, it must be added to the firewall configuration.
If a gateway will be used for a WAN-type interface, it can be added on the configuration page for that interface (See Interface Configuration Basics), or it may be added first manually and then selected from the drop-down list on the interface configuration.
Dynamic interface types such as DHCP and PPPoE receive an automatic gateway that is noted as Dynamic in the gateway list. The parameters for such gateways can be adjusted the same as the parameters for a static gateway.
Deleting a dynamic gateway will clear its custom settings, but the dynamic gateway itself cannot be removed.
To add or manage gateways, navigate to System > Routing, Gateways tab.
On the screen there are a variety of options to manage gateway entries:
Add at the bottom of the list creates a new gateway
creates a copy of an existing gateway
edits an existing gateway
deletes a gateway
disables an active gateway
enables a disabled gateway
The individual options for gateways are discussed in detail in Gateway Settings.
Managing the Default Gateway¶
The Default Gateway section at the bottom of System > Routing, Gateways tab controls which gateway(s) are used by default when the firewall routes traffic. Traffic from the firewall itself will follow the default gateway, as will traffic passing through the firewall when it does not match other more specific routes or policy routing rules.
There are two controls in the section which set the default gateway for IPv4 and IPv6 respectively.
The default gateway can have one of the following values:
The firewall will automatically use gateways from this list (from the top down) for the default gateway, switching to the next item in the list if gateways fail or are marked down.
For more control over this behavior, use a gateway group instead.
The selected single gateway is always used for the default gateway.
- Gateway Group
The firewall uses the selected gateway group pick the default gateway. It will change from one gateway to another if the preferred default fails.
This function does not support load balancing, only failover. When using a gateway group for the default gateway, the group must only have one gateway in each tier.
No default gateway for the address family will be added to the routing table.