Chapter 12. Managing the default gateway


The default gateway is a router that forwards network packets when no other route matches the destination of a packet. In a local network, the default gateway is typically the host that is one hop closer to the internet.

12.1. Setting the default gateway on an existing connection by using nmcli

In most situations, administrators set the default gateway when they create a connection. However, you can also set or update the default gateway setting on a previously created connection by using the nmcli utility.

Prerequisites

  • At least one static IP address must be configured on the connection on which the default gateway will be set.
  • If the user is logged in on a physical console, user permissions are sufficient. Otherwise, user must have root permissions.

Procedure

  1. Set the IP addresses of the default gateway:

    To set the IPv4 default gateway, enter:

    # nmcli connection modify <connection_name> ipv4.gateway "<IPv4_gateway_address>"

    To set the IPv6 default gateway, enter:

    # nmcli connection modify <connection_name> ipv6.gateway "<IPv6_gateway_address>"
  2. Restart the network connection for changes to take effect:

    # nmcli connection up <connection_name>
    Warning

    All connections currently using this network connection are temporarily interrupted during the restart.

Verification

  • Verify that the route is active:

    1. To display the IPv4 default gateway, enter:

      # ip -4 route
      default via 192.0.2.1 dev example proto static metric 100
    2. To display the IPv6 default gateway, enter:

      # ip -6 route
      default via 2001:db8:1::1 dev example proto static metric 100 pref medium

12.2. Setting the default gateway on an existing connection by using nmstatectl

In most situations, administrators set the default gateway when they create a connection. However, you can also set or update the default gateway setting on a previously created connection by using the nmstatectl utility.

Use the nmstatectl utility to set the default gateway through the Nmstate API. The Nmstate API ensures that, after setting the configuration, the result matches the configuration file. If anything fails, nmstatectl automatically rolls back the changes to avoid leaving the system in an incorrect state.

Prerequisites

  • At least one static IP address must be configured on the connection on which the default gateway will be set.
  • The enp1s0 interface is configured, and the IP address of the default gateway is within the subnet of the IP configuration of this interface.
  • The nmstate package is installed.

Procedure

  1. Create a YAML file, for example ~/set-default-gateway.yml, with the following content:

    ---
    routes:
      config:
      - destination: 0.0.0.0/0
        next-hop-address: 192.0.2.1
        next-hop-interface: enp1s0

    These settings define 192.0.2.1 as the default gateway, and the default gateway is reachable through the enp1s0 interface.

  2. Apply the settings to the system:

    # nmstatectl apply ~/set-default-gateway.yml

Additional resources

  • nmstatectl(8) man page on your system
  • /usr/share/doc/nmstate/examples/ directory

12.3. Setting the default gateway on an existing connection by using the network RHEL system role

A host forwards a network packet to its default gateway if the packet’s destination can neither be reached through the directly-connected networks nor through any of the routes configured on the host. To configure the default gateway of a host, set it in the NetworkManager connection profile of the interface that is connected to the same network as the default gateway. By using Ansible and the network RHEL system role, you can automate this process and remotely configure connection profiles on the hosts defined in a playbook.

In most situations, administrators set the default gateway when they create a connection. However, you can also set or update the default gateway setting on a previously-created connection.

Warning

You cannot use the network RHEL system role to update only specific values in an existing connection profile. The role ensures that a connection profile exactly matches the settings in a playbook. If a connection profile with the same name already exists, the role applies the settings from the playbook and resets all other settings in the profile to their defaults. To prevent resetting values, always specify the whole configuration of the network connection profile in the playbook, including the settings that you do not want to change.

Prerequisites

Procedure

  1. Create a playbook file, for example ~/playbook.yml, with the following content:

    ---
    - name: Configure the network
      hosts: managed-node-01.example.com
      tasks:
        - name: Ethernet connection profile with static IP address settings
          ansible.builtin.include_role:
            name: rhel-system-roles.network
          vars:
            network_connections:
              - name: enp1s0
                type: ethernet
                autoconnect: yes
                ip:
                  address:
                    - 198.51.100.20/24
                    - 2001:db8:1::1/64
                  gateway4: 198.51.100.254
                  gateway6: 2001:db8:1::fffe
                  dns:
                    - 198.51.100.200
                    - 2001:db8:1::ffbb
                  dns_search:
                    - example.com
                state: up

    For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.network/README.md file on the control node.

  2. Validate the playbook syntax:

    $ ansible-playbook --syntax-check ~/playbook.yml

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    $ ansible-playbook ~/playbook.yml

Verification

  • Query the Ansible facts of the managed node and verify the active network settings:

    # ansible managed-node-01.example.com -m ansible.builtin.setup
    ...
            "ansible_default_ipv4": {
    	    ...
                "gateway": "198.51.100.254",
                "interface": "enp1s0",
    	    ...
            },
            "ansible_default_ipv6": {
    	    ...
                "gateway": "2001:db8:1::fffe",
                "interface": "enp1s0",
    	    ...
    	}
    ...

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.network/README.md file
  • /usr/share/doc/rhel-system-roles/network/ directory

12.4. How NetworkManager manages multiple default gateways

In certain situations, for example for fallback reasons, you set multiple default gateways on a host. However, to avoid asynchronous routing issues, each default gateway of the same protocol requires a separate metric value. Note that RHEL only uses the connection to the default gateway that has the lowest metric set.

You can set the metric for both the IPv4 and IPv6 gateway of a connection using the following command:

# nmcli connection modify <connection_name> ipv4.route-metric <value> ipv6.route-metric <value>
Important

Do not set the same metric value for the same protocol in multiple connection profiles to avoid routing issues.

If you set a default gateway without a metric value, NetworkManager automatically sets the metric value based on the interface type. For that, NetworkManager assigns the default value of this network type to the first connection that is activated, and sets an incremented value to each other connection of the same type in the order they are activated. For example, if two Ethernet connections with a default gateway exist, NetworkManager sets a metric of 100 on the route to the default gateway of the connection that you activate first. For the second connection, NetworkManager sets 101.

The following is an overview of frequently-used network types and their default metrics:

Connection typeDefault metric value

VPN

50

Ethernet

100

MACsec

125

InfiniBand

150

Bond

300

VLAN

400

Bridge

425

TUN

450

Wi-Fi

600

IP tunnel

675

12.5. Configuring NetworkManager to avoid using a specific profile to provide a default gateway

You can configure that NetworkManager never uses a specific profile to provide the default gateway. Follow this procedure for connection profiles that are not connected to the default gateway.

Prerequisites

  • The NetworkManager connection profile for the connection that is not connected to the default gateway exists.

Procedure

  1. If the connection uses a dynamic IP configuration, configure that NetworkManager does not use the connection as the default route for IPv4 and IPv6 connections:

    # nmcli connection modify <connection_name> ipv4.never-default yes ipv6.never-default yes

    Note that setting ipv4.never-default and ipv6.never-default to yes, automatically removes the default gateway’s IP address for the corresponding protocol from the connection profile.

  2. Activate the connection:

    # nmcli connection up <connection_name>

Verification

  • Use the ip -4 route and ip -6 route commands to verify that RHEL does not use the network interface for the default route for the IPv4 and IPv6 protocol.

12.6. Fixing unexpected routing behavior due to multiple default gateways

There are only a few scenarios, such as when using Multipath TCP, in which you require multiple default gateways on a host. In most cases, you configure only a single default gateway to avoid unexpected routing behavior or asynchronous routing issues.

Note

To route traffic to different internet providers, use policy-based routing instead of multiple default gateways.

Prerequisites

  • The host uses NetworkManager to manage network connections, which is the default.
  • The host has multiple network interfaces.
  • The host has multiple default gateways configured.

Procedure

  1. Display the routing table:

    • For IPv4, enter:

      # ip -4 route
      default via 192.0.2.1 dev enp1s0 proto static metric 101
      default via 198.51.100.1 dev enp7s0 proto static metric 102
      ...
    • For IPv6, enter:

      # ip -6 route
      default via 2001:db8:1::1 dev enp1s0 proto static metric 101 pref medium
      default via 2001:db8:2::1 dev enp7s0 proto static metric 102 pref medium
      ...

    Entries starting with default indicate a default route. Note the interface names of these entries displayed next to dev.

  2. Use the following commands to display the NetworkManager connections that use the interfaces you identified in the previous step:

    # nmcli -f GENERAL.CONNECTION,IP4.GATEWAY,IP6.GATEWAY device show enp1s0
    GENERAL.CONNECTION:      Corporate-LAN
    IP4.GATEWAY:             192.0.2.1
    IP6.GATEWAY:             2001:db8:1::1
    
    # nmcli -f GENERAL.CONNECTION,IP4.GATEWAY,IP6.GATEWAY device show enp7s0
    GENERAL.CONNECTION:      Internet-Provider
    IP4.GATEWAY:             198.51.100.1
    IP6.GATEWAY:             2001:db8:2::1

    In these examples, the profiles named Corporate-LAN and Internet-Provider have the default gateways set. Because, in a local network, the default gateway is typically the host that is one hop closer to the internet, the rest of this procedure assumes that the default gateways in the Corporate-LAN are incorrect.

  3. Configure that NetworkManager does not use the Corporate-LAN connection as the default route for IPv4 and IPv6 connections:

    # nmcli connection modify Corporate-LAN ipv4.never-default yes ipv6.never-default yes

    Note that setting ipv4.never-default and ipv6.never-default to yes, automatically removes the default gateway’s IP address for the corresponding protocol from the connection profile.

  4. Activate the Corporate-LAN connection:

    # nmcli connection up Corporate-LAN

Verification

  • Display the IPv4 and IPv6 routing tables and verify that only one default gateway is available for each protocol:

    • For IPv4, enter:

      # ip -4 route
      default via 192.0.2.1 dev enp1s0 proto static metric 101
      ...
    • For IPv6, enter:

      # ip -6 route
      default via 2001:db8:1::1 dev enp1s0 proto static metric 101 pref medium
      ...

12.7. Configuring flowtable in nftables by using firewalld

The firewalld utility now supports configuration of the software fastpath flowtable feature provided by the nftables utility. flowtable uses the connection tracking feature in the Netfilter framework and nftables to manage traffic rules. This collectively improve packet forwarding performance of established connections. By default, packet forwarding inside a zone is allowed. firewalld by default provides two network zones: public and internal for public and private networks respectively.

Procedure

  1. Assign a network interface to the internal zone:

    # firewall-cmd --permanent --zone=internal --add-interface=enp7s0
  2. Assign a second network interface to the internal zone:

    # firewall-cmd --permanent --zone=internal --add-interface=enp7s1
  3. Put in the /etc/firewalld/firewalld.conf file the following line, to enable flowtable support on network interfaces:

    NftablesFlowtable=enp7s0 enp7s1
  4. Reload firewalld for rule changes to take effect:

    # firewall-cmd --reload

Verification

  • Check the configuration to ensure that the zones and rules are correctly applied:

    # nft list chain inet firewalld filter_FORWARD
    
    table inet firewalld {
        	flowtable fastpath {
                	hook ingress priority filter + 10
                	devices = { enp7s0, enp7s1 }
        	}
    ...
        chain filter_FORWARD {
       	 type filter hook forward priority filter + 10; policy accept;
       	 ct state { established, related } meta l4proto { tcp, udp } flow add @fastpath  <--- new rule
       	 ct state { established, related } accept
    	}
    ...

Additional resources

  • The firewall-cmd(1) man page
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.