Troubleshooting Routes

When diagnosing traffic flow issues, one of the first things to check is the routes known to the firewall.

Viewing Routes

Viewing the routing table is described in detail at Route Table Contents. For routed destinations, check the contents of the table and see if the destination is listed as expected.

It is also possible to check how the operating system will route a specific destination at the CLI. For example, to see how the firewall will reach

$ route -n get
   route to:
        fib: 0
  interface: igb0
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

In that example, there isn’t a specific static route in place for the destination, so it uses the default route.

In the next example, there is a specific route for using an alternate gateway:

: route -n get
   route to:
        fib: 0
  interface: igb5
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0

While viewing the routing table as a whole is helpful, sometimes querying the OS in this way is faster and easier when a specific destination is known.

Using traceroute

Traceroute is a useful tool for testing and verifying routes and multi-WAN functionality, among other uses. It shows each “hop” along the path a packet travels from one end to the other, along with the latency encountered in reaching that intermediate point. On pfSense® software, a traceroute can be performed by navigating to Diagnostics > Traceroute, or by using traceroute at the command line. From clients running Windows, the program is available under the name tracert.

See also

For details on how traceroute works and how to perform a traceroute using the GUI, see Traceroute.

Routes and VPNs

Depending on the VPN being used, the firewall may not have routes in the table for the remote side. IPsec in tunnel mode does not use the routing table, it is instead handled internally in the kernel using IPsec security policy database (SPD) entries. Static routes will never cause traffic to be directed across a tunnel mode IPsec connection. VTI mode IPsec, OpenVPN, and WireGuard use the system routing table and as such entries are present for networks reachable via those types of VPNs.

For example, the following output includes an OpenVPN tunnel:

#netstat -rWn
Routing tables

Destination        Gateway            Flags       Use    Mtu      Netif Expire
default         UGS       92421   1500        em0         UGS           0   1500     ovpnc2         UGS           0   1500     ovpnc2         link#9             UH            0   1500     ovpnc2         link#9             UHS           0  16384        lo0        link#2             U       1260771   1500        em1           link#2             UHS           0  16384        lo0          link#7             UH          866  16384        lo0    link#1             U       1251477   1500        em0       link#1             UHS           0  16384        lo0

The OpenVPN interface is, with a gateway of and the interface is ovpnc2. The network reachable using OpenVPN in this example is

With tunnel mode IPsec, traceroute is not as useful as with routed setups, because a tunnel mode IPsec connection does not have an interface or IP addresses. When running traceroute to a destination across tunnel mode IPsec, the client will experience a timeout when crossing the IPsec tunnel.