Routing is one of the core features of your firewall, which is responsible for forwarding packets over the network based on (predefined) paths.

Within the routing section of your firewall you can keep track of configured routes and define static routes yourself to teach your firewall which path it should take when forwarding packets to a specific network.

When a client sends a packet to the firewall for a network not directly attached to it, the firewall would normally check its routing table to determine to which gateway (see Gateways) it should be send.


Use traceroute (Interfaces ‣ Diagnostics ‣ Trace Route) to verify which path traffic would follow to reach its destination.


This is where you can setup static routes, looking at the diagram in the previous chapter, here you would define how [1] would access [2] using router [3].

The number of settings are obviously limited, we need to know the gateway and the target network.

Disabled (temporary) disable this item
Network Address Destination network to reach
Gateway The gateway to use.
Description Optional description for this item


Some services are known to update the routing table themselves, in which case you shouldn’t add static routes manually (OpenVPN manages its own routes for example).


The status page shows the current active content of the routing table.

Proto Protocol (IPv4 or IPv6)
Destination Destination network
Gateway Where to send the packet for this destination network
Flags Routes have associated flags which influence operation of the protocols when sending to destinations matched by the routes. See the Flags table below for details.
Use Counts the number of packets sent via this route
MTU The MTU set for this route
Netif Interface to use for this route
Netif (name) Name of the interface if found
Expire The time at which this route should expire, or zero if it should never expire. It is the responsibility of individual protocol suites to ensure that routes are actually deleted once they expire.


The following flags are supported by the kernel.

Letter / Flag Description
1 [RTF_PROTO1] Protocol specific routing flag
2 [RTF_PROTO2] Protocol specific routing flag
3 [RTF_PROTO3] Protocol specific routing flag
B [RTF_BLACKHOLE] Just discard pkts (during updates)
b [RTF_BROADCAST] The route represents a broadcast address
C [RTF_CLONING] Generate new routes on use
c [RTF_PRCLONING] Protocol-specified generate new routes on use
D [RTF_DYNAMIC] Created dynamically (by redirect)
d [RTF_DONE] Message confirmed
G [RTF_GATEWAY] Destination is a gateway
H [RTF_HOST] Host entry (net otherwise)
L [RTF_LLINFO] Valid protocol to link address translation
M [RTF_MODIFIED] Modified dynamically (by redirect)
R [RTF_REJECT] Host or net unreachable
S [RTF_STATIC] Manually added
U [RTF_UP] Route usable
X [RTF_XRESOLVE] External daemon resolves name


Route related logging, like radvd and rtsold for IPv6 write messages to this logging section which can be used for debugging purposes.