pfSense Routing - Gateways and Static Routes

Routing in pfSense governs how packets reach their destination networks. pfSense implements routing through the FreeBSD network stack and provides three mechanisms for route management: gateways, static routes, and policy-based routing (PBR) via firewall rules.

Routing Fundamentals

When a packet arrives, pfSense consults its routing table to determine the next hop. The table is populated automatically from interface addresses and supplemented by administrator-defined static routes. By default, all traffic not destined for directly connected networks is forwarded through the default gateway.

Routing decisions occur before firewall rule evaluation. A packet first undergoes NAT translation (if applicable), then a route is selected, and finally filtering rules are applied. This sequence is important when designing topologies with multiple gateways.

Gateways

Gateways are exit points through which pfSense forwards traffic. Each gateway represents the IP address of a next-hop router on a specific interface. pfSense automatically creates gateways for WAN interfaces when parameters are obtained via DHCP or PPPoE. Gateways for internal networks (LAN, OPT) must be created manually.

Gateway configuration is managed under System > Routing > Gateways. Each gateway is defined by a name, interface binding, IP address, and monitoring parameters. pfSense continuously monitors gateway reachability using the dpinger daemon, enabling automatic failover when a primary link goes down.

Default Gateway

The default gateway handles all traffic that does not match any explicit route in the table. In single-WAN configurations, the default gateway is assigned automatically. With multiple WAN connections, the administrator selects the default gateway explicitly under System > Routing > Gateways, on the Default Gateway tab.

Gateway Groups

Gateway Groups combine multiple gateways into logical groups for failover and load balancing. Each gateway within a group is assigned a priority (Tier) and a weight (Weight). Gateways sharing the same tier are used simultaneously for load distribution; gateways with a higher tier number activate only when all lower-tier gateways fail.
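The tier rule above can be checked against a planned group before relying on it for failover. The following is an added example, not pfSense code: it models the selection described here, and the gateway names, the `Member` type, and the assumption that load is split in proportion to weight are all illustrative.

```python
from dataclasses import dataclass, replace
from fractions import Fraction


@dataclass(frozen=True)
class Member:
    name: str     # gateway name (constructed for this example)
    tier: int     # lower number = preferred
    weight: int   # relative share among gateways of the same tier
    online: bool  # reachability, as a monitor such as dpinger would report it


def active_members(group):
    """Online members of the lowest-numbered tier that still has one."""
    online = [m for m in group if m.online]
    if not online:
        return []  # every member is down: the group has no usable gateway
    best = min(m.tier for m in online)
    return [m for m in online if m.tier == best]


def traffic_share(group):
    """Gateway name -> share of new connections (assumed proportional to weight)."""
    active = active_members(group)
    total = sum(m.weight for m in active)
    return {m.name: Fraction(m.weight, total) for m in active}


def with_down(group, *names):
    """Copy of the group with the named gateways marked offline."""
    return [replace(m, online=False) if m.name in names else m for m in group]


# Constructed sample: two tier-1 links balanced 2:1 and one tier-2 backup.
GROUP = [
    Member("WAN1_GW", tier=1, weight=2, online=True),
    Member("WAN2_GW", tier=1, weight=1, online=True),
    Member("LTE_GW", tier=2, weight=1, online=True),
]

if __name__ == "__main__":
    print(traffic_share(GROUP))                                   # both tier-1 links
    print(traffic_share(with_down(GROUP, "WAN1_GW")))             # tier 1 degraded
    print(traffic_share(with_down(GROUP, "WAN1_GW", "WAN2_GW")))  # failover to tier 2
```

The tier-2 member carries traffic only once both tier-1 members are offline; losing one tier-1 link shifts all load to the other tier-1 link rather than to the backup.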

Static Routes

Static routes are required when a target network is reachable through a router other than the default gateway. Common scenarios include reaching remote subnets behind an internal router, routing VPN tunnel traffic, and connecting branch office networks over dedicated links.

Static routes are configured under System > Routing > Static Routes. Each route specifies a destination network and the gateway through which it is reachable. The gateway must already exist in the Gateways section.

Policy-Based Routing

Policy-based routing (PBR) in pfSense is implemented through the Gateway field in firewall rules. Unlike conventional routing, which relies solely on the destination address, PBR directs traffic through a specific gateway based on source address, protocol, destination port, and other criteria.

Typical use cases include forcing specific hosts through a particular WAN link, steering VoIP traffic over a low-latency connection, and segregating guest network traffic from the primary network across different ISPs.

In This Section

  • Static Routes - creating gateways, configuring static routes, viewing the routing table, and diagnostics
  • Policy Routing - routing traffic based on firewall rules, using Gateway Groups, and practical scenarios

Related Sections

  • pfSense Firewall - filtering rules, aliases, and security policy management
  • pfSense Multi-WAN - configuring multiple WAN connections with failover and load balancing
  • pfSense VLANs - network segmentation at the data link layer, requiring correct inter-VLAN routing