Routing tables are used to store the best path to a remote network. Routing tables are processed from top to bottom. If the source of the outgoing packets matches, the routes in the route table are evaluated and the packet forwarded to the correct interface, next hop gateway, or VPN tunnel. Routes are evaluated first by the destination route metric (preference) of an IP packet and then by the scope (network size) to determine which routes matches. Two routes of the same scope (e.g., /24) and metric cannot be created. The Management network always uses a preference of 0.
- If two routes with different preferences exist, the route with the lower preference is chosen. E.g., 10.0.10.0/25 (preference 10) is preferred over 10.0.10.0/25 (preference 100)
- If two routes with the same preference exist to a destination, the route with the smaller subnet mask is used. E.g., 10.0.10.0/24 is preferred over 10.0.0.0/16
- VPN routes are placed in a premain, source-based route table by default. If single routing table is enabled in the VPN settings, VPN routes are inserted into the main routing table with a preference of 10.
Static Network Interfaces, Direct Attached Networks
Static network interfaces define networks that are directly accessible through an interface on your firewall. For configuring a static network interface, you must enter an IP address and an address mask, and you must specify which interface to use. The address mask with the IP address determines the network address the interface will be bound to. Optionally, you can activate services like Ping, VPN Server, or SSL VPN to be available on that special IP address. After reactivating the network configuration, the IP address immediately becomes active on that network interface. If necessary, secondary IP addresses with their services can also be configured.
In case you want to access the Internet through a static network interface, it is necessary to configure a gateway to establish the route to your ISP. You can enter the gateway IP address during the static network configuration in the Gateway field. In this case, the firewall automatically creates a default gateway route in the routing table so that you do not have to create this route entry manually in NETWORK > Routing.
Using Secondary IP Addresses
The firewall service is automatically available on a configured IP address. However, if you want to make other services like Ping, the VNP Server, or SSL VPN available explicitly on other IP addresses, you can configure additional Secondary IP Addresses in NETWORK > IP Configuration in the Management IP Configuration or Static Interface Configuration section.
Gateway Routes (Next Hop Routing)
To reach networks that cannot be directly accessed, you must define gateway routes. A common gateway route is the default route (0.0.0.0/0), which will forward all packets not belonging to one of the directly attached networks to the remote gateway provided by the ISP. Before adding a gateway route, a direct route must be configured. Otherwise, you cannot contact the next hop IP address. If you are using multiple gateway routes for the same target network, you must give them different route metrics. Gateway routes automatically monitor the gateway IP address. When the gateway is no longer considered healthy, 6535 is added to the metric of the route. Routes with a metric above 65535 are considered to be down. To define a gateway route, you must enter:
Target network – Target network in CIDR format. E.g., 0.0.0.0/0 or ::0/0 for the default route
Next hop address – IP address of the gateway device the traffic is sent to. E.g., 22.214.171.124 or 2001:db8:10::ffff
After adding the gateway route, you must initiate a network reactivation for the route to become active.
Source-Based Routes (Policy-based Routing)
Source-based routes define the path from a sender to the next destination gateway where packets are forwarded from on their way to the destination. Source-based routes support unicast routing and can be created either manually for static interfaces or in the configuration for the dynamic interface (DHCP, xDSL, …). For each route table, you define which source network and then create routes in the source-based route table. Source-based routes are automatically created for dynamic interfaces. Configure a DHCP, xDSL, or ISDN link. You can disable source-based routing per advanced configuration.