Add a Static Route

A route is the sequence of devices through which network traffic must go to get from the source to the destination. A router is the device in a route that finds the next network point through which to send the network traffic to its destination. Each router is connected to a minimum of two networks. A packet can go through a number of network points with routers before it gets to the destination. 

Each hop in the route is isolated, which means routing issues are caused by point-to-point connection problems between devices in the route.

You can create static routes to send traffic to specific hosts or networks. The router can then send the traffic from the specified route to the correct destination. If you have a full network behind a router on your local network, add a network route. If you do not add a route to a remote network, all traffic to that network is sent to the Firebox default gateway.

Before you begin, you must understand the difference between a network route and a host route. A network route is a route to a full network behind a router located on your local network. Use a host route if there is only one host behind the router, or if you want traffic to go to only one host.

If you have configured a BOVPN virtual interface, you can also add and edit VPN routes for a BOVPN virtual interface in the static routes table.

By default, the Firebox has one external interface, which includes a default gateway. If you disable all external interfaces, or if you change all external interfaces to internal interfaces, the Firebox prompts you to specify a default gateway IP address for the Firebox. You cannot add a default route for the Firebox in the Network > Routes configuration.

In Fireware v12.9 or higher, the Distance setting replaces the Metric setting. If you configured a static route in previous Fireware versions, metric values automatically convert to distance values when you upgrade. A metric value less than 1 converts to a distance value of 1. A metric value greater than 255 converts to a distance value of 255.

Link Detection

By default, routes remain installed when the next hop interface is down. In Fireware v12.9 or higher, you can specify a CLI command to automatically uninstall routes when the next hop interface is down:

WG(config)#global-setting routing-link-detect enable

This setting is available only in the Fireware CLI and is disabled by default. For more information, go to the Command Line Interface Reference.

Add an IPv4 Static Route

You can add an IPv4 static route to a network or a single host IP address.

  1. Select Network > Routes.
    The Routes page opens.
  2. Click Add.
    The Route dialog box opens.

Screen shot of the Add Route dialog box

  1. From the Route Type drop-down list, select Static Route.
  2. From the Destination Type drop-down list, select an option:
    • Host IPv4 — Select this option if only one IPv4 host is behind the router or you want traffic to go to only one host.
    • Network IPv4 — Select this option if you have a full IPv4 network behind a router on your local network.
  3. In the Route To text box, type the host address or network address. If you type a network address, use slash notation.
    For more information about slash notation, go to About Slash Notation.
  4. In the Gateway text box, type the IP address of the router.
    Make sure that you type an IP address that is on one of the same networks as the Firebox.
  5. In the Distance text box, type or select a value between 1 and 255 for the route. Routes with lower metrics have higher priority. In Fireware v12.9 or higher, the Distance setting replaces the Metric setting.
  6. Click OK to close the Route dialog box.
    The configured network route appears in the Routes page.
  7. Click Save to save the change to the configuration.
  1. Select Network > Routes.
    The Setup Routes dialog box opens.
  2. Click Add.
    The Add Route dialog box opens.

Screen shot of the Add Route dialog box

  1. From the Route Type drop-down list, select Static Route.
  2. From the Destination Type drop-down list, select an option:
    • Host IPv4 — Select this option if only one IPv4 host is behind the router or you want traffic to go to only one host.
    • Network IPv4 — Select this option if you have a full IPv4 network behind a router on your local network.
  3. In the Route To text box, type the network address or host address. If you type a network address, use slash notation.
    For more information about slash notation, go to About Slash Notation.
  4. In the Gateway text box, type the IP address of the router. Make sure that you type an IP address that is on one of the same networks as the Firebox.
  5. In the Metric or Distance text box, type or select a metric value for the route. Routes with lower metrics have higher priority. In Fireware v12.9 or higher, the Distance setting replaces the Metric setting.
  6. Click OK to close the Add Route dialog box.
    The configured network route appears in the Setup Routes dialog box.

Add an IPv6 Static Route

When you add an IPv6 route, you can optionally specify which IPv6-enabled interface to use for the route. Specify an interface if you want to control which interface is used in the route. For example:

  • If more than one interface can reach the gateway, and you want to route traffic to the gateway through a specific interface, select the interface that you want this route to use.
  • If there are two gateways with the same IPv6 link local address on different connected networks, select the interface that connects to the gateway you want to route to.

You can add an IPv6 static route to a network, or a single host IP address

  1. Select Network > Routes.
    The Routes page opens.
  2. Click Add.
    The Route dialog box opens.

Screen shot of the Route dialog box

  1. From the Route Type drop-down list, select Static Route.
  2. From the Destination Type drop-down list, select an option:
    • Host IPv6 — Select this option if only one IPv6 host is behind the router or you want traffic to go to only one host.
    • Network IPv6 — Select this option if you have a full IPv6 network behind a router on your local network.
  3. In the Route To text box, type the host address or network address. If you type a network address, use slash notation.
    For more information about slash notation, go to About Slash Notation.
  4. In the Gateway text box, type the IP address of the router.
    Make sure that you type an IP address that is on one of the same networks as the Firebox.
  5. In the Distance text box, type or select a value for the route. Routes with lower distances have higher priority. In Fireware v12.9 or higher, the Distance setting replaces the Metric setting.
  6. If you want this route to use a specific interface, select the Specify interface check box. From the adjacent drop-down list, select an IPv6-enabled interface that can access the specified gateway.
  7. Click OK to close the Route dialog box.
    The configured network route appears in the Routes page.
  8. Click Save to save the change to the configuration.
  1. Select Network > Routes.
    The Setup Routes dialog box opens.
  2. Click Add.
    The Add Route dialog box opens.

Screenshot of the Add Route dialog box

  1. From the Route Type drop-down list, select Static Route.
  2. From the Destination Type drop-down list, select an option:
    • Host IPv6 — Select this option if only one IPv6 host is behind the router or you want traffic to go to only one host.
    • Network IPv6 — Select this option if you have a full IPv6 network behind a router on your local network.
  3. In the Route To text box, type the network address or host address. If you type a network address, use slash notation.
    For more information about slash notation, go to About Slash Notation.
  4. In the Gateway text box, type the IP address of the router. Make sure that you type an IP address that is on one of the same networks as the Firebox.
  5. In the Metric or Distance text box, type or select a value for the route. Routes with lower distances have higher priority. In Fireware v12.9 or higher, the Distance setting replaces the Metric setting.
  6. If you want this route to use a specific interface, select the Specify interface check box. From the adjacent drop-down list, select an IPv6-enabled interface that can get access to the specified gateway.
  7. Click OK to close the Add Route dialog box.
    The configured network route appears in the Setup Routes dialog box.

Add a BOVPN Virtual Interface Route

If you have configured a BOVPN virtual interface, you can also add and edit BOVPN virtual interface routes here. This option is available only after you configure at least one BOVPN virtual interface. For more information, go to Configure a BOVPN Virtual Interface.

In Fireware v12.4 or higher, you can configure IPv6 BOVPN virtual interface gateway endpoints. These route types are supported:

6in4 Routes

If you have internal IPv6 networks and external IPv4 networks, you can send traffic between the internal IPv6 networks with 6in4 tunnel routes. You must configure an IPv4 BOVPN virtual interface gateway endpoint and IPv6 tunnel routes. The tunnel routes are 6in4 routes, which means traffic is routed through a GRE tunnel within the IPv4 IPSec tunnel.

6in6 Routes

In Fireware v12.4 or higher, if you have internal IPv6 networks and an external IPv6 networks, you can send traffic between the internal IPv6 networks with 6in6 tunnel routes. You must configure an IPv6 BOVPN virtual interface gateway endpoint and IPv6 tunnel routes. The tunnel routes are 6in6 routes, which means traffic is routed through an IPv6 IPSec tunnel. You can use 6in6 routes only if the internal and external networks are IPv6. If you have an internal IPv6 network and an external IPv4 network, you must configure 6in4 routes.

In Fireware v12.3.1 or lower, IPv6 is not supported for BOVPN virtual interface gateway endpoints. 6in6 tunnel routes are not supported.

4in6 tunnels are not supported. This means you cannot configure a BOVPN virtual interface tunnel to send traffic between IPv4 internal networks if you have IPv6 external networks.

  1. Select Network > Routes.
    The Routes page opens.
  2. Click Add.
    The Route dialog box opens.

Screen shot of the Route dialog box for a BOVPN Virtual Interface Route

  1. From the Route Type drop-down list, select BOVPN Virtual Interface Route.
  2. From the Choose Type drop-down list, select an option:
    • Host IPv4 — Select this option if only one IPv4 host is behind the router or you want traffic to go to only one host.
    • Network IPv4 — Select this option if you have a full IPv4 network behind a router on your local network.
    • Host IPv6 — Select this option if only one IPv6 host is behind the router or you want traffic to go to only one host.
    • Network IPv6 — Select this option if you have a full IPv6 network behind a router on your local network.
  3. In the Route To text box, type the network address or host address. If you type a network address, use slash notation.
    For more information about slash notation, go to About Slash Notation.
  4. In the Distance text box, type or select a value for the route. Routes with lower distances have higher priority. In Fireware v12.9 or higher, the Distance setting replaces the Metric setting.
  5. From the Interface drop-down list, select the BOVPN virtual interface you want to use for this route.
  6. Click Save changes to close the Route dialog box.
    The configured network route appears in the Routes page.
  7. Click Save to save the change to the configuration.
  1. Select Network > Routes.
    The Setup Routes dialog box opens.
  2. Click Add.
    The Add Route dialog box opens.

Screen shot of the Add Route dialog box for a BOVPN Virtual Interface Route

  1. From the Route Type drop-down list, select BOVPN Virtual Interface Route.
  2. From the Choose Type drop-down list, select an option:
    • Host IPv4 — Select this option if only one IPv4 host is behind the router or you want traffic to go to only one host.
    • Network IPv4 — Select this option if you have a full IPv4 network behind a router on your local network.
    • Host IPv6 — Select this option if only one IPv6 host is behind the router or you want traffic to go to only one host.
    • Network IPv6 — Select this option if you have a full IPv6 network behind a router on your local network.
  3. In the Route To text box, type the network address or host address. If you type a network address, use slash notation.
    For more information about slash notation, go to About Slash Notation.
  4. In the Metric or Distance text box, type or select a metric value for the route. Routes with lower metrics have higher priority. In Fireware v12.9 or higher, the Distance setting replaces the Metric setting.
  5. From the Interface drop-down list, select the BOVPN virtual interface you want to use for this route.
  6. Click OK to close the Add Route dialog box.
    The configured network route appears in the Setup Routes dialog box.

The BOVPN virtual interface routes you configure here also appears in the VPN Routes tab in the BOVPN virtual interface configuration

If the Firebox is configured in drop-in mode, the route table on the Firebox might or might not immediately show the correct interface for a static route after you restart the device, or after you move the gateway associated with a static route to a different interface. The Firebox cannot update the route table with the correct interface for a static route until it receives network traffic through the gateway for that static route. The Firebox updates the internal route table on demand when traffic is received from the gateway.

Related Topics

Routes and Routing