Chapter 12. Managing the default gateway
The default gateway is a router that forwards network packets when no other route matches the destination of a packet. In a local network, the default gateway is typically the host that is one hop closer to the internet.
12.1. Setting the default gateway on an existing connection by using nmcli
In most situations, administrators set the default gateway when they create a connection. However, you can also set or update the default gateway setting on a previously created connection by using the nmcli
utility.
Prerequisites
- At least one static IP address must be configured on the connection on which the default gateway will be set.
-
If the user is logged in on a physical console, user permissions are sufficient. Otherwise, user must have
root
permissions.
Procedure
Set the IP addresses of the default gateway:
To set the IPv4 default gateway, enter:
# nmcli connection modify <connection_name> ipv4.gateway "<IPv4_gateway_address>"
To set the IPv6 default gateway, enter:
# nmcli connection modify <connection_name> ipv6.gateway "<IPv6_gateway_address>"
Restart the network connection for changes to take effect:
# nmcli connection up <connection_name>
WarningAll connections currently using this network connection are temporarily interrupted during the restart.
Verification
Verify that the route is active:
To display the IPv4 default gateway, enter:
# ip -4 route default via 192.0.2.1 dev example proto static metric 100
To display the IPv6 default gateway, enter:
# ip -6 route default via 2001:db8:1::1 dev example proto static metric 100 pref medium
12.2. Setting the default gateway on an existing connection by using nmstatectl
In most situations, administrators set the default gateway when they create a connection. However, you can also set or update the default gateway setting on a previously created connection by using the nmstatectl
utility.
Use the nmstatectl
utility to set the default gateway through the Nmstate API. The Nmstate API ensures that, after setting the configuration, the result matches the configuration file. If anything fails, nmstatectl
automatically rolls back the changes to avoid leaving the system in an incorrect state.
Prerequisites
- At least one static IP address must be configured on the connection on which the default gateway will be set.
-
The
enp1s0
interface is configured, and the IP address of the default gateway is within the subnet of the IP configuration of this interface. -
The
nmstate
package is installed.
Procedure
Create a YAML file, for example
~/set-default-gateway.yml
, with the following content:--- routes: config: - destination: 0.0.0.0/0 next-hop-address: 192.0.2.1 next-hop-interface: enp1s0
These settings define
192.0.2.1
as the default gateway, and the default gateway is reachable through theenp1s0
interface.Apply the settings to the system:
# nmstatectl apply ~/set-default-gateway.yml
Additional resources
-
nmstatectl(8)
man page on your system -
/usr/share/doc/nmstate/examples/
directory
12.3. Setting the default gateway on an existing connection by using the network
RHEL system role
A host forwards a network packet to its default gateway if the packet’s destination can neither be reached through the directly-connected networks nor through any of the routes configured on the host. To configure the default gateway of a host, set it in the NetworkManager connection profile of the interface that is connected to the same network as the default gateway. By using Ansible and the network
RHEL system role, you can automate this process and remotely configure connection profiles on the hosts defined in a playbook.
In most situations, administrators set the default gateway when they create a connection. However, you can also set or update the default gateway setting on a previously-created connection.
You cannot use the network
RHEL system role to update only specific values in an existing connection profile. The role ensures that a connection profile exactly matches the settings in a playbook. If a connection profile with the same name already exists, the role applies the settings from the playbook and resets all other settings in the profile to their defaults. To prevent resetting values, always specify the whole configuration of the network connection profile in the playbook, including the settings that you do not want to change.
Prerequisites
- You have prepared the control node and the managed nodes
- You are logged in to the control node as a user who can run playbooks on the managed nodes.
-
The account you use to connect to the managed nodes has
sudo
permissions on them.
Procedure
Create a playbook file, for example
~/playbook.yml
, with the following content:--- - name: Configure the network hosts: managed-node-01.example.com tasks: - name: Ethernet connection profile with static IP address settings ansible.builtin.include_role: name: rhel-system-roles.network vars: network_connections: - name: enp1s0 type: ethernet autoconnect: yes ip: address: - 198.51.100.20/24 - 2001:db8:1::1/64 gateway4: 198.51.100.254 gateway6: 2001:db8:1::fffe dns: - 198.51.100.200 - 2001:db8:1::ffbb dns_search: - example.com state: up
For details about all variables used in the playbook, see the
/usr/share/ansible/roles/rhel-system-roles.network/README.md
file on the control node.Validate the playbook syntax:
$ ansible-playbook --syntax-check ~/playbook.yml
Note that this command only validates the syntax and does not protect against a wrong but valid configuration.
Run the playbook:
$ ansible-playbook ~/playbook.yml
Verification
Query the Ansible facts of the managed node and verify the active network settings:
# ansible managed-node-01.example.com -m ansible.builtin.setup ... "ansible_default_ipv4": { ... "gateway": "198.51.100.254", "interface": "enp1s0", ... }, "ansible_default_ipv6": { ... "gateway": "2001:db8:1::fffe", "interface": "enp1s0", ... } ...
Additional resources
-
/usr/share/ansible/roles/rhel-system-roles.network/README.md
file -
/usr/share/doc/rhel-system-roles/network/
directory
12.4. How NetworkManager manages multiple default gateways
In certain situations, for example for fallback reasons, you set multiple default gateways on a host. However, to avoid asynchronous routing issues, each default gateway of the same protocol requires a separate metric value. Note that RHEL only uses the connection to the default gateway that has the lowest metric set.
You can set the metric for both the IPv4 and IPv6 gateway of a connection using the following command:
# nmcli connection modify <connection_name> ipv4.route-metric <value> ipv6.route-metric <value>
Do not set the same metric value for the same protocol in multiple connection profiles to avoid routing issues.
If you set a default gateway without a metric value, NetworkManager automatically sets the metric value based on the interface type. For that, NetworkManager assigns the default value of this network type to the first connection that is activated, and sets an incremented value to each other connection of the same type in the order they are activated. For example, if two Ethernet connections with a default gateway exist, NetworkManager sets a metric of 100
on the route to the default gateway of the connection that you activate first. For the second connection, NetworkManager sets 101
.
The following is an overview of frequently-used network types and their default metrics:
Connection type | Default metric value |
---|---|
VPN | 50 |
Ethernet | 100 |
MACsec | 125 |
InfiniBand | 150 |
Bond | 300 |
VLAN | 400 |
Bridge | 425 |
TUN | 450 |
Wi-Fi | 600 |
IP tunnel | 675 |
Additional resources
12.5. Configuring NetworkManager to avoid using a specific profile to provide a default gateway
You can configure that NetworkManager never uses a specific profile to provide the default gateway. Follow this procedure for connection profiles that are not connected to the default gateway.
Prerequisites
- The NetworkManager connection profile for the connection that is not connected to the default gateway exists.
Procedure
If the connection uses a dynamic IP configuration, configure that NetworkManager does not use the connection as the default route for IPv4 and IPv6 connections:
# nmcli connection modify <connection_name> ipv4.never-default yes ipv6.never-default yes
Note that setting
ipv4.never-default
andipv6.never-default
toyes
, automatically removes the default gateway’s IP address for the corresponding protocol from the connection profile.Activate the connection:
# nmcli connection up <connection_name>
Verification
-
Use the
ip -4 route
andip -6 route
commands to verify that RHEL does not use the network interface for the default route for the IPv4 and IPv6 protocol.
12.6. Fixing unexpected routing behavior due to multiple default gateways
There are only a few scenarios, such as when using Multipath TCP, in which you require multiple default gateways on a host. In most cases, you configure only a single default gateway to avoid unexpected routing behavior or asynchronous routing issues.
To route traffic to different internet providers, use policy-based routing instead of multiple default gateways.
Prerequisites
- The host uses NetworkManager to manage network connections, which is the default.
- The host has multiple network interfaces.
- The host has multiple default gateways configured.
Procedure
Display the routing table:
For IPv4, enter:
# ip -4 route default via 192.0.2.1 dev enp1s0 proto static metric 101 default via 198.51.100.1 dev enp7s0 proto static metric 102 ...
For IPv6, enter:
# ip -6 route default via 2001:db8:1::1 dev enp1s0 proto static metric 101 pref medium default via 2001:db8:2::1 dev enp7s0 proto static metric 102 pref medium ...
Entries starting with
default
indicate a default route. Note the interface names of these entries displayed next todev
.Use the following commands to display the NetworkManager connections that use the interfaces you identified in the previous step:
# nmcli -f GENERAL.CONNECTION,IP4.GATEWAY,IP6.GATEWAY device show enp1s0 GENERAL.CONNECTION: Corporate-LAN IP4.GATEWAY: 192.0.2.1 IP6.GATEWAY: 2001:db8:1::1 # nmcli -f GENERAL.CONNECTION,IP4.GATEWAY,IP6.GATEWAY device show enp7s0 GENERAL.CONNECTION: Internet-Provider IP4.GATEWAY: 198.51.100.1 IP6.GATEWAY: 2001:db8:2::1
In these examples, the profiles named
Corporate-LAN
andInternet-Provider
have the default gateways set. Because, in a local network, the default gateway is typically the host that is one hop closer to the internet, the rest of this procedure assumes that the default gateways in theCorporate-LAN
are incorrect.Configure that NetworkManager does not use the
Corporate-LAN
connection as the default route for IPv4 and IPv6 connections:# nmcli connection modify Corporate-LAN ipv4.never-default yes ipv6.never-default yes
Note that setting
ipv4.never-default
andipv6.never-default
toyes
, automatically removes the default gateway’s IP address for the corresponding protocol from the connection profile.Activate the
Corporate-LAN
connection:# nmcli connection up Corporate-LAN
Verification
Display the IPv4 and IPv6 routing tables and verify that only one default gateway is available for each protocol:
For IPv4, enter:
# ip -4 route default via 192.0.2.1 dev enp1s0 proto static metric 101 ...
For IPv6, enter:
# ip -6 route default via 2001:db8:1::1 dev enp1s0 proto static metric 101 pref medium ...
Additional resources
12.7. Configuring flowtable in nftables by using firewalld
The firewalld
utility now supports configuration of the software fastpath flowtable
feature provided by the nftables
utility. flowtable
uses the connection tracking feature in the Netfilter
framework and nftables
to manage traffic rules. This collectively improve packet forwarding performance of established connections. By default, packet forwarding inside a zone is allowed. firewalld
by default provides two network zones: public
and internal
for public and private networks respectively.
Procedure
Assign a network interface to the
internal
zone:# firewall-cmd --permanent --zone=internal --add-interface=enp7s0
Assign a second network interface to the
internal
zone:# firewall-cmd --permanent --zone=internal --add-interface=enp7s1
Put in the
/etc/firewalld/firewalld.conf
file the following line, to enable flowtable support on network interfaces:NftablesFlowtable=enp7s0 enp7s1
Reload
firewalld
for rule changes to take effect:# firewall-cmd --reload
Verification
Check the configuration to ensure that the zones and rules are correctly applied:
# nft list chain inet firewalld filter_FORWARD table inet firewalld { flowtable fastpath { hook ingress priority filter + 10 devices = { enp7s0, enp7s1 } } ... chain filter_FORWARD { type filter hook forward priority filter + 10; policy accept; ct state { established, related } meta l4proto { tcp, udp } flow add @fastpath <--- new rule ct state { established, related } accept } ...
Additional resources
-
The
firewall-cmd(1)
man page