pfSense Static Routes - Configuration and Management
Static routes in pfSense direct traffic to networks reachable through routers other than the default gateway. Without a static route, pfSense sends all traffic not destined for directly connected subnets through the default gateway, rendering remote networks behind internal routers unreachable.
Static routing is used in the following scenarios: connecting remote subnets behind an internal router, routing traffic to VPN networks, reaching branch office networks over dedicated links, and managing traffic between segments with multiple exit points.
Prerequisites
Before creating a static route, the following conditions must be met:
- Gateway exists. The router through which the target network is reachable must be registered as a gateway under System > Routing > Gateways. pfSense does not allow creating a route that points to a nonexistent gateway.
- Gateway IP is reachable. The gateway address must reside in the subnet of one of pfSense’s interfaces. A gateway at 10.0.1.1 requires an interface with an address in the 10.0.1.0/24 network.
- Return path exists. The internal router serving as a gateway must have a route back to pfSense’s networks. Otherwise, packets reach the target network but responses are lost.
Creating a Gateway
Before adding a static route, a gateway must be created for the next-hop router. Gateways are managed under System > Routing > Gateways.
Gateway Parameters
To create a gateway, click Add and configure the following fields:
Interface - the pfSense interface through which the gateway router is reachable. For internal routers, this is typically LAN or an OPT interface. For external links, use WAN or an additional WAN interface.
Address Family - the address family: IPv4 or IPv6. Determined by the addressing of the target network.
Name - a unique gateway identifier. Only Latin letters, digits, and underscores are permitted. Spaces and special characters are not allowed. Use descriptive names that reflect the gateway’s purpose (for example, INTERNAL_ROUTER_DC1, VPN_GW_BRANCH).
Gateway - the IP address of the next-hop router. The address must belong to the subnet of the specified interface.
Gateway Monitoring - enables reachability monitoring. By default, pfSense checks gateway availability using ICMP requests through the dpinger daemon.
Monitor IP - an alternative IP address for reachability checks. By default, the gateway’s own address is used. Specifying an address beyond the gateway (for example, a public DNS server at 8.8.8.8) verifies not only the router’s availability but also upstream connectivity. For internal gateways, use the address of a host in the target network.
Description - a text description of the gateway’s purpose.
Advanced Monitoring Parameters
The Display Advanced button reveals additional dpinger settings:
| Parameter | Default | Description |
|---|---|---|
| Weight | 1 | Gateway weight for load balancing in Gateway Groups (1-30) |
| Data Payload | 1 byte | ICMP packet payload size |
| Latency Warning | 200 ms | Latency threshold for warning state |
| Latency Down | 500 ms | Latency threshold for marking gateway as down |
| Loss Warning | 10% | Packet loss threshold for warning state |
| Loss Down | 20% | Packet loss threshold for marking gateway as down |
| Probe Interval | 500 ms | ICMP probe transmission interval |
| Time Period | 60 sec | Monitoring result averaging window |
Warning:
For internal gateways with stable connections, consider increasing the latency and loss thresholds to avoid false positives. For WAN gateways, the defaults are appropriate in most cases.
Example: Gateway for an Internal Router
Consider a router at 10.0.1.1 on the LAN interface (subnet 10.0.1.0/24). Behind this router are subnets 10.10.0.0/16 and 10.20.0.0/16.
Gateway parameters:
| Field | Value |
|---|---|
| Interface | LAN |
| Address Family | IPv4 |
| Name | INTERNAL_ROUTER_DC1 |
| Gateway | 10.0.1.1 |
| Monitor IP | 10.10.0.1 |
| Description | Internal router to DC1 subnets |
Creating a Static Route
Static routes are configured under System > Routing > Static Routes. Click Add to create a new route.
Route Parameters
Destination network - the target network in CIDR notation. Specify the network address and subnet mask. Examples: 10.10.0.0/16, 172.16.5.0/24, 192.168.100.0/24. IPv4 addresses, IPv6 addresses, and pfSense aliases are supported.
Gateway - the gateway through which the specified network is reachable. Selected from the list of previously created gateways. The gateway’s address family must match the destination network’s address family.
Disabled - a flag to deactivate the route. Allows preserving the route configuration without adding it to the routing table.
Description - a text description of the route’s purpose. It is advisable to note which services or departments rely on this route.
Example: Route to a Subnet Behind an Internal Router
Using the INTERNAL_ROUTER_DC1 gateway created in the previous section, configure a route to the server subnet 10.10.0.0/16:
| Field | Value |
|---|---|
| Destination network | 10.10.0.0/16 |
| Gateway | INTERNAL_ROUTER_DC1 - 10.0.1.1 |
| Disabled | unchecked |
| Description | DC1 server subnet via internal router |
After saving and applying changes (Save, then Apply Changes), pfSense adds the route to the system routing table.
Example: Route to a VPN Network
When using a VPN concentrator separate from pfSense’s built-in VPN, traffic to remote VPN subnets must be directed through the VPN appliance address:
| Field | Value |
|---|---|
| Destination network | 172.16.0.0/12 |
| Gateway | VPN_CONCENTRATOR - 10.0.1.5 |
| Disabled | unchecked |
| Description | Remote office subnets via VPN concentrator |
Default Gateway Selection
The default gateway handles all traffic that does not match explicit entries in the routing table. Configuration is performed on the Default Gateway tab under System > Routing > Gateways.
pfSense allows separate default gateways for IPv4 and IPv6. With multiple WAN interfaces, the primary gateway should be set explicitly. If no default gateway is assigned, pfSense uses the first available WAN gateway.
Warning:
Changing the default gateway affects all outbound traffic from pfSense, including package updates, the firewall’s own DNS queries, and management traffic. Verify that the new gateway is reachable before making the change.
Viewing the Routing Table
The current routing table is available under Diagnostics > Routes. The interface displays all active routes, including connected networks, static routes, and dynamically learned routes.
The table contains the following columns:
| Column | Description |
|---|---|
| Destination | Target network |
| Gateway | Next-hop address or interface |
| Flags | Route flags (U - up, G - gateway, S - static, H - host) |
| Refs | Number of active references to the route |
| Use | Number of packets that used the route |
| Netif | Network interface through which traffic is forwarded |
A search field is available for filtering the table by network address or interface. Filtering significantly speeds up diagnosis in environments with many routes.
Viewing the Table via Command Line
When accessing the pfSense console (SSH or physical console), the routing table can be viewed with:
netstat -rn
To display only IPv4 routes:
netstat -rn -f inet
To display only IPv6 routes:
netstat -rn -f inet6
The route get command determines the route for a specific destination:
route get 10.10.0.1
The output includes the gateway address, interface, route flags, and MTU.
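To see what those commands report without a live firewall, here is an added Python example (not code from pfSense or from this page) that parses a constructed netstat -rn -f inet listing, answers the route get question by longest-prefix match, and performs the troubleshooting check that a static route is installed with the expected gateway, interface and flags. The sample output, interface names and addresses are constructed.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample of 'netstat -rn -f inet' output; not captured from a real system.
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.0.1.0/24        link#2             U           em1
10.0.1.1           link#2             UHS         em1
10.10.0.0/16       10.0.1.1           UGS         em1
172.16.0.0/12      10.0.1.5           UGS         em1
"""

class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str      # next-hop address, or link#N for a directly connected network
    flags: str
    netif: str

def parse_netstat(output: str) -> List[Route]:
    """Parse the IPv4 table printed by FreeBSD/pfSense 'netstat -rn -f inet'."""
    routes = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":   # banner, blank and header lines
            continue
        dest, gateway, flags = parts[0], parts[1], parts[2]
        # Netif is the first non-numeric token after Flags (older builds print Refs/Use first)
        netif = next(t for t in parts[3:] if not t.isdigit())
        if dest == "default":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif "/" in dest:
            net = ipaddress.IPv4Network(dest, strict=False)
        else:
            net = ipaddress.IPv4Network(f"{dest}/32")   # host route (H flag)
        routes.append(Route(net, gateway, flags, netif))
    return routes

def lookup(routes: List[Route], target: str) -> Optional[Route]:
    """Longest-prefix match: the route 'route get <target>' would report."""
    ip = ipaddress.IPv4Address(target)
    return max((r for r in routes if ip in r.dest),
               key=lambda r: r.dest.prefixlen, default=None)

def route_installed(routes: List[Route], network: str, gateway: str, netif: str) -> bool:
    """Troubleshooting step 1: route present with the expected gateway, interface and UGS flags."""
    net = ipaddress.IPv4Network(network)
    return any(r.dest == net and r.gateway == gateway and r.netif == netif
               and set("UGS") <= set(r.flags) for r in routes)
```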
Gateway Monitoring
pfSense continuously monitors gateway reachability using the dpinger daemon. Gateway status is displayed on the Gateways widget on the Dashboard and under Status > Gateways.
Each gateway reports the following metrics:
| Metric | Description |
|---|---|
| RTT | Average round-trip time in milliseconds |
| RTTsd | Standard deviation of round-trip time |
| Loss | Percentage of lost packets |
| Status | Current state: Online, Warning, Down, Gathering Data |
The Gathering Data status appears during the first 60 seconds after dpinger starts or restarts. During this period, insufficient monitoring data is available for state evaluation.
When latency or packet loss exceeds configured thresholds, the gateway transitions to Warning or Down status. A Down state affects Gateway Groups and may trigger automatic traffic failover to a backup gateway.
Troubleshooting
Route Not Working
If traffic does not reach the target network after creating a static route, verify the following in sequence:
Route is present in the table. Open Diagnostics > Routes and confirm that the route appears with the correct gateway and interface. If the route is missing, check whether changes have been applied (the Apply Changes button).
Gateway is reachable. Check the gateway status under Status > Gateways. If the status is Down or Gathering Data, ping the gateway from the pfSense console: Diagnostics > Ping, specifying the gateway address and source interface.
Return route exists. The internal router must have a route back to pfSense’s subnets. Without a return route, packets reach their destination but responses are lost.
Firewall rules permit the traffic. A static route provides network-layer delivery, but firewall rules may block the traffic. Review the rules on both the source and destination interfaces.
ARP table contains an entry for the gateway. Open Diagnostics > ARP Table and confirm that an entry with a valid MAC address exists for the gateway IP.
Asymmetric Routing
Asymmetric routing occurs when traffic from source to destination passes through pfSense, but return traffic takes a different path that bypasses the firewall. As a stateful firewall, pfSense drops the return packets because they do not match existing entries in the state table.
Symptoms of asymmetric routing:
- One-way connectivity: ping succeeds in one direction but responses do not arrive
- TCP connections establish but data transfer stalls
- Firewall logs show blocked packets with TCP ACK flags without a preceding SYN
Solutions:
Fix the routing. The preferred approach is to adjust routes so that traffic in both directions passes through pfSense. Add routes on internal routers to direct return traffic through pfSense.
Enable same-interface bypass. Under System > Advanced > Firewall & NAT, enable Bypass firewall rules for traffic on the same interface. This disables stateful inspection for traffic entering and exiting through the same interface.
Use Sloppy State. On firewall rules affected by asymmetric routing, set the State Type to Sloppy State. This mode relaxes TCP connection state validation.
Warning:
Bypassing stateful inspection reduces security. Apply these solutions only when fixing asymmetric routing at the network topology level is not feasible.
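As an added example that is not part of the original page, the following Python script turns the third symptom above into detection logic: it scans constructed filterlog lines for blocked TCP packets that carry ACK but not SYN and groups them by interface and address pair. The filterlog field layout, field positions and sample lines are assumptions and are labelled as such in the code.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed /var/log/filter.log excerpt (not a real capture). Assumed filterlog CSV layout for
# IPv4/TCP: rule,sub-rule,anchor,tracker,interface,reason,action,direction,ip-version,tos,ecn,ttl,id,
# offset,flags,proto-id,proto,length,src,dst,sport,dport,data-len,tcp-flags,seq,ack,window,urg,options
SAMPLE_FILTER_LOG = """\
Mar 10 12:00:01 pfSense filterlog[61343]: 5,,,1000000103,em1,match,block,in,4,0x0,,63,41200,0,DF,6,tcp,52,10.10.0.5,10.0.1.50,443,51234,0,A,1000,2000,65535,,
Mar 10 12:00:01 pfSense filterlog[61343]: 5,,,1000000103,em1,match,block,in,4,0x0,,63,41201,0,DF,6,tcp,1500,10.10.0.5,10.0.1.50,443,51234,1448,PA,1000,2000,65535,,
Mar 10 12:00:02 pfSense filterlog[61343]: 5,,,1000000103,em1,match,block,in,4,0x0,,63,41202,0,DF,6,tcp,52,10.10.0.5,10.0.1.50,443,51234,0,A,2448,2000,65535,,
Mar 10 12:00:05 pfSense filterlog[61343]: 5,,,1000000103,em0,match,block,in,4,0x0,,54,9001,0,DF,6,tcp,60,198.51.100.7,203.0.113.10,40000,22,0,S,1,,64240,,mss;sackOK
Mar 10 12:00:06 pfSense filterlog[61343]: 5,,,1000000103,em1,match,block,in,4,0x0,,63,7,0,DF,17,udp,78,10.10.0.9,10.0.1.50,5353,53,50
"""

IFACE, ACTION, PROTO, SRC, DST, TCP_FLAGS = 4, 6, 16, 18, 19, 23   # field positions, assumed as above

def filterlog_fields(line: str) -> Optional[List[str]]:
    """Strip the syslog prefix and split the filterlog CSV body; None for unrelated lines."""
    if "filterlog" not in line:
        return None
    body = line.split("]: ", 1)[-1]
    return body.split(",")

def find_asymmetric_flows(log: str, min_hits: int = 2) -> Dict[Tuple[str, str, str], int]:
    """Count blocked TCP packets carrying ACK but not SYN, keyed by (interface, src, dst).

    pf holds no state for mid-connection packets whose SYN never passed through it, so repeated
    ACK-without-SYN blocks from the same pair point to a return path that bypasses pfSense.
    """
    hits: Counter = Counter()
    for line in log.splitlines():
        f = filterlog_fields(line)
        if f is None or len(f) <= TCP_FLAGS or f[ACTION] != "block" or f[PROTO] != "tcp":
            continue
        if "A" in f[TCP_FLAGS] and "S" not in f[TCP_FLAGS]:
            hits[(f[IFACE], f[SRC], f[DST])] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}
```

A pair reported here, together with a Status > Gateways entry that is Online, is the cue to check the return route on the internal router before reaching for the bypass options above.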
Gateway Unreachable
If a gateway shows a Down status:
- Verify the physical connection to the gateway router.
- Confirm that the router responds to ICMP requests. Some devices block ping by default - in such cases, change the Monitor IP to a host that reliably responds to ICMP.
- Check the ARP table for an entry corresponding to the gateway.
- Verify that the gateway IP address is within the pfSense interface’s subnet.
- Check for IP address conflicts with other devices on the network.
Route Management
The following actions are available under System > Routing > Static Routes:
- Edit - modify an existing route’s parameters (pencil icon)
- Clone - create a copy of a route with the option to change parameters (clone icon)
- Delete - remove a route from the configuration (trash icon)
- Disable - deactivate a route without deleting it (ban icon)
- Enable - activate a previously disabled route (checkmark icon)
Warning:
When pfSense aliases are used in the Destination network field, editing the alias immediately updates the routing table without waiting for administrator confirmation. Keep this in mind when managing aliases referenced by routes.
Migration from Other Platforms
Cisco IOS
In Cisco IOS, static routes are added with the ip route command:
ip route 10.10.0.0 255.255.0.0 10.0.1.1
ip route 10.20.0.0 255.255.0.0 10.0.1.1
Equivalent in pfSense:
- Create a gateway with address 10.0.1.1 under System > Routing > Gateways.
- Create two static routes under System > Routing > Static Routes:
  - Destination: 10.10.0.0/16, Gateway: the created gateway
  - Destination: 10.20.0.0/16, Gateway: the created gateway
Key differences from Cisco IOS:
| Aspect | Cisco IOS | pfSense |
|---|---|---|
| Gateway | Specified within the route command | Created separately, then selected in the route |
| Subnet mask | Wildcard or standard mask | CIDR notation (/16, /24) |
| Administrative distance | Configurable per route | Not supported |
| Interface binding | Optional via ip route ... GigabitEthernet0/1 | Determined by the gateway’s interface |
| Application | Immediate (running-config) | Requires Apply Changes |
MikroTik RouterOS
In MikroTik, routes are added via /ip route:
/ip route add dst-address=10.10.0.0/16 gateway=10.0.1.1
/ip route add dst-address=10.20.0.0/16 gateway=10.0.1.1 distance=10
The pfSense equivalent is the same as described above. Key differences:
| Aspect | MikroTik RouterOS | pfSense |
|---|---|---|
| Gateway | Specified in the route, created automatically | Created manually in advance |
| Distance (metric) | Configurable per route | Not supported for static routes |
| Routing mark | Supported for PBR | Implemented through firewall rules |
| Gateway check | check-gateway=ping | Built-in dpinger monitoring |
| Routing domains | Routing tables and VRF | Not supported |
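The conversion steps for Cisco IOS and MikroTik RouterOS above, as an added Python example that is not part of the original page: it parses next-hop style ip route and /ip route add lines, groups them into the separate Gateway objects pfSense requires, verifies the prerequisite that each gateway address lies inside an interface subnet against a hypothetical interface table, and collapses adjacent prefixes into summary routes. The vendor snippets and PFSENSE_INTERFACES are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed vendor snippets in the syntaxes shown above (next-hop form only).
CISCO_CONFIG = """\
ip route 10.10.0.0 255.255.0.0 10.0.1.1
ip route 10.20.0.0 255.255.0.0 10.0.1.1
ip route 172.16.0.0 255.240.0.0 10.0.1.5
"""
MIKROTIK_CONFIG = """\
/ip route add dst-address=10.10.0.0/16 gateway=10.0.1.1
/ip route add dst-address=10.20.0.0/16 gateway=10.0.1.1 distance=10
"""
# Hypothetical pfSense interface addressing, used for the prerequisite that a gateway
# address must lie inside the subnet of one of pfSense's interfaces.
PFSENSE_INTERFACES = {"LAN": "10.0.1.254/24", "OPT1": "10.0.2.254/24"}

def parse_vendor_routes(config: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Extract (destination, next hop) from IOS 'ip route' or RouterOS '/ip route add' lines."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"ip route (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)", line.strip())
        if m:   # IOS: network + dotted mask; IPv4Network accepts the "net/mask" form
            routes.append((ipaddress.IPv4Network(f"{m[1]}/{m[2]}"), m[3]))
            continue
        m = re.match(r"/ip route add .*dst-address=(\S+) .*gateway=(\S+)", line.strip())
        if m:   # RouterOS: already CIDR; distance=N has no pfSense static-route equivalent
            routes.append((ipaddress.IPv4Network(m[1]), m[2]))
    return routes

def pfsense_plan(routes, interfaces: Dict[str, str]) -> List[dict]:
    """One pfSense Gateway per next hop (named with letters, digits and underscores only),
    then the routes behind it collapsed into the smallest set of summary prefixes."""
    by_next_hop: Dict[str, list] = defaultdict(list)
    for dest, next_hop in routes:
        by_next_hop[next_hop].append(dest)
    plan = []
    for next_hop, dests in by_next_hop.items():
        iface = next((name for name, cidr in interfaces.items()
                      if ipaddress.IPv4Address(next_hop) in ipaddress.IPv4Interface(cidr).network), None)
        if iface is None:   # pfSense would reject this gateway: it is not on-link
            raise ValueError(f"next hop {next_hop} is not inside any pfSense interface subnet")
        plan.append({"gateway": "GW_" + next_hop.replace(".", "_"), "interface": iface,
                     "address": next_hop,
                     "routes": [str(n) for n in ipaddress.collapse_addresses(dests)]})
    return plan
```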
FortiGate
In FortiGate, static routes are created under Network > Static Routes or via CLI:
config router static
edit 1
set dst 10.10.0.0 255.255.0.0
set gateway 10.0.1.1
set device "port2"
next
end
Key differences:
| Aspect | FortiGate | pfSense |
|---|---|---|
| Gateway | Specified in the route along with the interface | Created as a separate entity |
| Priority | Configurable per route | Not supported |
| Health check | Link monitor via ICMP/HTTP | dpinger via ICMP |
| ECMP | Multiple routes with equal priority | Gateway Groups |
| SD-WAN | Built-in SD-WAN support | Implemented through Gateway Groups and PBR |
Design Recommendations
When planning static routing in pfSense, consider the following guidelines:
Use aggregate routes. Instead of many /24 routes to subnets in the same segment, create a single summary route. For example, instead of eight routes to 10.10.0.0/24 through 10.10.7.0/24, a single route to 10.10.0.0/21 suffices.
Document every route. Populate the Description field with information about the route’s purpose, associated services, and responsible team. This significantly simplifies troubleshooting in large deployments.
Verify return routes. Every static route assumes a corresponding return route on the target router. A missing return route is the most common cause of unreachability when the forward route is correctly configured.
Consider firewall rule implications. A static route determines the packet’s path but does not authorize traffic. For each new route, verify that appropriate firewall rules exist on the interfaces through which the traffic flows.
Plan monitoring. For critical routes, configure the Monitor IP to an address in the target network rather than the intermediate router’s address. This detects issues not only with the nearest gateway but also with end-to-end reachability.
Related Sections
- Policy Routing - routing traffic based on firewall rules, using Gateway Groups
- pfSense Multi-WAN - configuring multiple WAN connections with failover and load balancing
- pfSense Firewall - filtering rules that affect traffic flow over static routes