Add a Static Route

A route is the sequence of devices through which network traffic must go to get from the source to the destination. A router is the device in a route that finds the next network point through which to send the network traffic to its destination. Each router is connected to a minimum of two networks. A packet can go through a number of network points with routers before it gets to the destination. 

Each hop in the route is isolated, which means routing issues are caused by point-to-point connection problems between devices in the route.

You can create static routes to send traffic to specific hosts or networks. The router can then send the traffic from the specified route to the correct destination. If you have a full network behind a router on your local network, add a network route. If you do not add a route to a remote network, all traffic to that network is sent to the Firebox default gateway.

Before you begin, you must understand the difference between a network route and a host route. A network route is a route to a full network behind a router located on your local network. Use a host route if there is only one host behind the router, or if you want traffic to go to only one host.

If you have configured a BOVPN virtual interface, you can also add and edit VPN routes for a BOVPN virtual interface in the static routes table.

By default, the Firebox has one external interface, which includes a default gateway. If you disable all external interfaces, or if you change all external interfaces to internal interfaces, the Firebox prompts you to specify a default gateway IP address for the Firebox. You cannot add a default route for the Firebox in the Network > Routes configuration.

In Fireware v12.9 or higher, the Distance setting replaces the Metric setting. If you configured a static route in previous Fireware versions, metric values automatically convert to distance values when you upgrade. A metric value less than 1 converts to a distance value of 1. A metric value greater than 255 converts to a distance value of 255.
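The following Python sketch is an added example, not WatchGuard code. It works through the network route versus host route distinction, the fall-through to the default gateway when no route matches, and the metric-to-distance conversion described above. The route table, gateway addresses, and the DEFAULT placeholder are constructed, and longest-prefix matching is assumed as the general IP route selection rule.

```python
import ipaddress

# Constructed sample table (destination, gateway, pre-v12.9 metric); not from a real Firebox.
STATIC_ROUTES = [
    ("10.0.50.0/24", "10.0.1.254", 0),         # network route: full network behind a router
    ("10.0.50.200/32", "10.0.1.253", 300),     # host route: one host behind another router
    ("2001:db8:50::/64", "2001:db8:1::fe", 20),
]
DEFAULT = "default-gateway"  # placeholder for the Firebox default gateway

def metric_to_distance(metric):
    """Clamp a legacy metric into 1-255, matching the upgrade conversion the page describes."""
    return max(1, min(255, metric))

def route_kind(destination):
    """A prefix that covers exactly one address (/32 or /128) is a host route."""
    net = ipaddress.ip_network(destination)
    return "host" if net.prefixlen == net.max_prefixlen else "network"

def next_hop(address, routes=STATIC_ROUTES):
    """Longest-prefix match (assumed selection rule); no match falls to the default gateway."""
    ip = ipaddress.ip_address(address)
    best_len, best_gw = -1, DEFAULT
    for destination, gateway, _metric in routes:
        net = ipaddress.ip_network(destination)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best_len, best_gw = net.prefixlen, gateway
    return best_gw

def unrouted(networks, routes=STATIC_ROUTES):
    """Return the networks no static route covers; their traffic goes to the default gateway."""
    route_nets = [ipaddress.ip_network(d) for d, _, _ in routes]
    missing = []
    for name in networks:
        net = ipaddress.ip_network(name)
        if not any(r.version == net.version and net.subnet_of(r) for r in route_nets):
            missing.append(name)
    return missing

if __name__ == "__main__":
    for dest, gw, metric in STATIC_ROUTES:
        print(dest, route_kind(dest), "via", gw, "distance", metric_to_distance(metric))
    print(unrouted(["10.0.50.0/25", "10.0.70.0/24"]))
```

Run unrouted() against the list of internal networks that sit behind routers to find destinations whose traffic would be sent to the default gateway instead of the intended router.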

Link Detection

By default, routes remain installed when the next hop interface is down. In Fireware v12.9 or higher, you can use a CLI command to automatically uninstall routes when the next hop interface is down:

WG(config)#global-setting routing-link-detect enable

This setting is available only in the Fireware CLI and is disabled by default. For more information, see the Command Line Interface Reference.

Add an IPv4 Static Route

You can add an IPv4 static route to a network or a single host IP address.

Add an IPv6 Static Route

When you add an IPv6 route, you can optionally specify which IPv6-enabled interface to use for the route. Specify an interface if you want to control which interface is used in the route. For example:

  • If more than one interface can reach the gateway, and you want to route traffic to the gateway through a specific interface, select the interface that you want this route to use.
  • If there are two gateways with the same IPv6 link local address on different connected networks, select the interface that connects to the gateway you want to route to.

You can add an IPv6 static route to a network or a single host IP address.

Add a BOVPN Virtual Interface Route

If you have configured a BOVPN virtual interface, you can also add and edit BOVPN virtual interface routes here. This option is available only after you configure at least one BOVPN virtual interface. For more information, see Configure a BOVPN Virtual Interface.

In Fireware v12.4 or higher, you can configure IPv6 BOVPN virtual interface gateway endpoints. These route types are supported:

6in4 Routes

If you have internal IPv6 networks and external IPv4 networks, you can send traffic between the internal IPv6 networks with 6in4 tunnel routes. You must configure an IPv4 BOVPN virtual interface gateway endpoint and IPv6 tunnel routes. The tunnel routes are 6in4 routes, which means traffic is routed through a GRE tunnel within the IPv4 IPSec tunnel.

6in6 Routes

In Fireware v12.4 or higher, if you have internal IPv6 networks and external IPv6 networks, you can send traffic between the internal IPv6 networks with 6in6 tunnel routes. You must configure an IPv6 BOVPN virtual interface gateway endpoint and IPv6 tunnel routes. The tunnel routes are 6in6 routes, which means traffic is routed through an IPv6 IPSec tunnel. You can use 6in6 routes only if the internal and external networks are IPv6. If you have an internal IPv6 network and an external IPv4 network, you must configure 6in4 routes.

In Fireware v12.3.1 or lower, IPv6 is not supported for BOVPN virtual interface gateway endpoints. 6in6 tunnel routes are not supported.

4in6 tunnels are not supported. This means you cannot configure a BOVPN virtual interface tunnel to send traffic between IPv4 internal networks if you have IPv6 external networks.

The BOVPN virtual interface routes you configure here also appear in the VPN Routes tab in the BOVPN virtual interface configuration.

If the Firebox is configured in drop-in mode, the route table on the Firebox might or might not immediately show the correct interface for a static route after you restart the device, or after you move the gateway associated with a static route to a different interface. The Firebox cannot update the route table with the correct interface for a static route until it receives network traffic through the gateway for that static route. The Firebox updates the internal route table on demand when traffic is received from the gateway.

See Also

Routes and Routing