Red Hat Training

A Red Hat training course is available for RHEL 8

Chapter 20. Configuring static routes

Routing ensures that you can send and receive traffic between mutually-connected networks. In larger environments, administrators typically configure services so that routers can dynamically learn about other routers. In smaller environments, administrators often configure static routes to ensure that traffic can reach from one network to the next.

You need static routes to achieve a functioning communication among multiple networks if all of these conditions apply:

  • The traffic has to pass multiple networks.
  • The exclusive traffic flow through the default gateways is not sufficient.

Section 20.1, “Example of a network that requires static routes” describes scenarios and how the traffic flows between different networks when you do not configure static routes.

20.1. Example of a network that requires static routes

You require static routes in this example because not all IP networks are directly connected through one router. Without the static routes, some networks cannot communicate with each other. Additionally, traffic from some networks flows only in one direction.

Note

The network topology in this example is artificial and only used to explain the concept of static routing. It is not a recommended topology in production environments.

For a functioning communication among all networks in this example, configure a static route to Raleigh (198.51.100.0/24) with next the hop Router 2 (203.0.113.10). The IP address of the next hop is the one of Router 2 in the data center network (203.0.113.0/24).

You can configure the static route as follows:

  • For a simplified configuration, set this static route only on Router 1. However, this increases the traffic on Router 1 because hosts from the data center (203.0.113.0/24) send traffic to Raleigh (198.51.100.0/24) always through Router 1 to Router 2.
  • For a more complex configuration, configure this static route on all hosts in the data center (203.0.113.0/24). All hosts in this subnet then send traffic directly to Router 2 (203.0.113.10) that is closer to Raleigh (198.51.100.0/24).

For more details between which networks traffic flows or not, see the explanations below the diagram.

routing example

In case that the required static routes are not configured, the following are the situations in which the communication works and when it does not:

  • Hosts in the Berlin network (192.0.2.0/24):

    • Can communicate with other hosts in the same subnet because they are directly connected.
    • Can communicate with the internet because Router 1 is in the Berlin network (192.0.2.0/24) and has a default gateway, which leads to the internet.
    • Can communicate with the data center network (203.0.113.0/24) because Router 1 has interfaces in both the Berlin (192.0.2.0/24) and the data center (203.0.113.0/24) networks.
    • Cannot communicate with the Raleigh network (198.51.100.0/24) because Router 1 has no interface in this network. Therefore, Router 1 sends the traffic to its own default gateway (internet).
  • Hosts in the data center network (203.0.113.0/24):

    • Can communicate with other hosts in the same subnet because they are directly connected.
    • Can communicate with the internet because they have their default gateway set to Router 1, and Router 1 has interfaces in both networks, the data center (203.0.113.0/24) and to the internet.
    • Can communicate with the Berlin network (192.0.2.0/24) because they have their default gateway set to Router 1, and Router 1 has interfaces in both the data center (203.0.113.0/24) and the Berlin (192.0.2.0/24) networks.
    • Cannot communicate with the Raleigh network (198.51.100.0/24) because the data center network has no interface in this network. Therefore, hosts in the data center (203.0.113.0/24) send traffic to their default gateway (Router 1). Router 1 also has no interface in the Raleigh network (198.51.100.0/24) and, as a result, Router 1 sends this traffic to its own default gateway (internet).
  • Hosts in the Raleigh network (198.51.100.0/24):

    • Can communicate with other hosts in the same subnet because they are directly connected.
    • Cannot communicate with hosts on the internet. Router 2 sends the traffic to Router 1 because of the default gateway settings. The actual behavior of Router 1 depends on the reverse path filter (rp_filter) system control (sysctl) setting. By default on RHEL, Router 1 drops the outgoing traffic instead of routing it to the internet. However, regardless of the configured behavior, communication is not possible without the static route.
    • Cannot communicate with the data center network (203.0.113.0/24). The outgoing traffic reaches the destination through Router 2 because of the default gateway setting. However, replies to packets do not reach the sender because hosts in the data center network (203.0.113.0/24) send replies to their default gateway (Router 1). Router 1 then sends the traffic to the internet.
    • Cannot communicate with the Berlin network (192.0.2.0/24). Router 2 sends the traffic to Router 1 because of the default gateway settings. The actual behavior of Router 1 depends on the rp_filter sysctl setting. By default on RHEL, Router 1 drops the outgoing traffic instead of sending it to the Berlin network (192.0.2.0/24). However, regardless of the configured behavior, communication is not possible without the static route.
Note

In addition to configuring the static routes, you must enable IP forwarding on both routers.

20.2. How to use the nmcli command to configure a static route

To configure a static route, use the nmcli utility with the following syntax:

$ nmcli connection modify connection_name ipv4.routes "ip[/prefix] [next_hop] [metric] [attribute=value] [attribute=value] ..."

The command supports the following route attributes:

  • cwnd=n: Sets the congestion window (CWND) size, defined in number of packets.
  • lock-cwnd=true|false: Defines whether or not the kernel can update the CWND value.
  • lock-mtu=true|false: Defines whether or not the kernel can update the MTU to path MTU discovery.
  • lock-window=true|false: Defines whether or not the kernel can update the maximum window size for TCP packets.
  • mtu=n: Sets the maximum transfer unit (MTU) to use along the path to the destination.
  • onlink=true|false: Defines whether the next hop is directly attached to this link even if it does not match any interface prefix.
  • scope=n: For an IPv4 route, this attribute sets the scope of the destinations covered by the route prefix. Set the value as an integer (0-255).
  • src=address: Sets the source address to prefer when sending traffic to the destinations covered by the route prefix.
  • table=table_id: Sets the ID of the table the route should be added to. If you omit this parameter, NetworkManager uses the main table.
  • tos=n: Sets the type of service (TOS) key. Set the value as an integer (0-255).
  • type=value: Sets the route type. NetworkManager supports the unicast, local, blackhole, unreachable, prohibit, and throw route types. The default is unicast.
  • window=n: Sets the maximal window size for TCP to advertise to these destinations, measured in bytes.

If you use the ipv4.routes sub-command, nmcli overrides all current settings of this parameter.

To add a route:

$ nmcli connection modify connection_name +ipv4.routes "<route>"

Similarly, to remove a specific route:

$ nmcli connection modify connection_name -ipv4.routes "<route>"

20.3. Configuring a static route by using nmcli

You can add a static route to an existing NetworkManager connection profile using the nmcli connection modify command.

The procedure below configures the following routes:

  • An IPv4 route to the remote 198.51.100.0/24 network. The corresponding gateway with the IP address 192.0.2.10 is reachable through the example connection.
  • An IPv6 route to the remote 2001:db8:2::/64 network. The corresponding gateway with the IP address 2001:db8:1::10 is reachable through the example connection.

Prerequisites

  • The example connection profile exists and it configures this host to be in the same IP subnet as the gateways.

Procedure

  1. Add the static IPv4 route to the example connection profile:

    # nmcli connection modify example +ipv4.routes "198.51.100.0/24 192.0.2.10"

    To set multiple routes in one step, pass the individual routes comma-separated to the command. For example, to add a route to the 198.51.100.0/24 and 203.0.113.0/24 networks, both routed through the 192.0.2.10 gateway, enter:

    # nmcli connection modify example +ipv4.routes "198.51.100.0/24 192.0.2.10, 203.0.113.0/24 192.0.2.10"
  2. Add the static IPv6 route to the example connection profile:

    # nmcli connection modify example +ipv6.routes "2001:db8:2::/64 2001:db8:1::10"
  3. Re-activate the connection:

    # nmcli connection up example

Verification

  1. Display the IPv4 routes:

    # ip -4 route
    ...
    198.51.100.0/24 via 192.0.2.10 dev enp1s0
  2. Display the IPv6 routes:

    # ip -6 route
    ...
    2001:db8:2::/64 via 2001:db8:1::10 dev enp1s0 metric 1024 pref medium

Additional resources

  • nmcli(1) man page
  • nm-settings-nmcli(5) man page

20.4. Configuring a static route by using nmtui

The nmtui application provides a text-based user interface for NetworkManager. You can use nmtui to configure static routes on a host without a graphical interface.

For example, the procedure below adds a route to the 192.0.2.0/24 network that uses the gateway running on 198.51.100.1, which is reachable through an existing connection profile.

Note

In nmtui:

  • Navigate by using the cursor keys.
  • Press a button by selecting it and hitting Enter.
  • Select and deselect checkboxes by using Space.

Prerequisites

  • The network is configured.
  • The gateway for the static route must be directly reachable on the interface.
  • If the user is logged in on a physical console, user permissions are sufficient. Otherwise, the command requires root permissions.

Procedure

  1. Start nmtui:

    # nmtui
  2. Select Edit a connection, and press Enter.
  3. Select the connection profile through which you can reach the next hop to the destination network, and press Enter.
  4. Depending on whether it is an IPv4 or IPv6 route, press the Show button next to the protocol’s configuration area.
  5. Press the Edit button next to Routing. This opens a new window where you configure static routes:

    1. Press the Add button and fill in:

      • The destination network, including the prefix in Classless Inter-Domain Routing (CIDR) format
      • The IP address of the next hop
      • A metric value, if you add multiple routes to the same network and want to prioritize the routes by efficiency
    2. Repeat the previous step for every route you want to add and that is reachable through this connection profile.
    3. Press the OK button to return to the window with the connection settings.

      Figure 20.1. Example of a static route without metric

      nmtui add static route
  6. Press the OK button to return to the nmtui main menu.
  7. Select Activate a connection and press Enter.
  8. Select the connection profile that you edited, and press Enter twice to deactivate and activate it again.

    Important

    Skip this step if you run nmtui over a remote connection, such as SSH, that uses the connection profile you want to reactivate. In this case, if you would deactivate it in nmtui, the connection is terminated and, consequently, you cannot activate it again. To avoid this problem, use the nmcli connection connection_profile_name up command to reactivate the connection in the mentioned scenario.

  9. Press the Back button to return to the main menu.
  10. Select Quit, and press Enter to close the nmtui application.

Verification

  • Verify that the route is active:

    $ ip route
    ...
    192.0.2.0/24 via 198.51.100.1 dev example proto static metric 100

20.5. Configuring a static route by using control-center

You can use control-center in GNOME to add a static route to the configuration of a network connection.

The procedure below configures the following routes:

  • An IPv4 route to the remote 198.51.100.0/24 network. The corresponding gateway has the IP address 192.0.2.10.
  • An IPv6 route to the remote 2001:db8:2::/64 network. The corresponding gateway has the IP address 2001:db8:1::10.

Prerequisites

Procedure

  1. On the IPv4 tab:

    1. Optional: Disable automatic routes by clicking the On button in the Routes section of the IPv4 tab to use only static routes. If automatic routes are enabled, Red Hat Enterprise Linux uses static routes and routes received from a DHCP server.
    2. Enter the address, netmask, gateway, and optionally a metric value of the IPv4 route:

      IPv4 static route in control center

  2. On the IPv6 tab:

    1. Optional: Disable automatic routes by clicking the On button i the Routes section of the IPv4 tab to use only static routes.
    2. Enter the address, netmask, gateway, and optionally a metric value of the IPv6 route:

      IPv6 static route in control center

  3. Click Apply.
  4. Back in the Network window, disable and re-enable the connection by switching the button for the connection to Off and back to On for changes to take effect.

    Warning

    Restarting the connection briefly disrupts connectivity on that interface.

Verification

  1. Display the IPv4 routes:

    # ip -4 route
    ...
    198.51.100.0/24 via 192.0.2.10 dev enp1s0
  2. Display the IPv6 routes:

    # ip -6 route
    ...
    2001:db8:2::/64 via 2001:db8:1::10 dev enp1s0 metric 1024 pref medium

20.6. Configuring a static route by using nm-connection-editor

You can use the nm-connection-editor application to add a static route to the configuration of a network connection.

The procedure below configures the following routes:

  • An IPv4 route to the remote 198.51.100.0/24 network. The corresponding gateway with the IP address 192.0.2.10 is reachable through the example connection.
  • An IPv6 route to the remote 2001:db8:2::/64 network. The corresponding gateway with the IP address 2001:db8:1::10 is reachable through the example connection.

Prerequisites

  • The network is configured.
  • This host is in the same IP subnet as the gateways.

Procedure

  1. Open a terminal, and enter nm-connection-editor:

    $ nm-connection-editor
  2. Select the example connection profile, and click the gear wheel icon to edit the existing connection.
  3. On the IPv4 Settings tab:

    1. Click the Routes button.
    2. Click the Add button and enter the address, netmask, gateway, and optionally a metric value.

      IPv4 static route in nm connection editor

    3. Click OK.
  4. On the IPv6 Settings tab:

    1. Click the Routes button.
    2. Click the Add button and enter the address, netmask, gateway, and optionally a metric value.

      IPv6 static route in nm connection editor

    3. Click OK.
  5. Click Save.
  6. Restart the network connection for changes to take effect. For example, to restart the example connection using the command line:

    # nmcli connection up example

Verification

  1. Display the IPv4 routes:

    # ip -4 route
    ...
    198.51.100.0/24 via 192.0.2.10 dev enp1s0
  2. Display the IPv6 routes:

    # ip -6 route
    ...
    2001:db8:2::/64 via 2001:db8:1::10 dev enp1s0 metric 1024 pref medium

20.7. Configuring a static route by using the nmcli interactive mode

You can use the interactive mode of the nmcli utility to add a static route to the configuration of a network connection.

The procedure below configures the following routes:

  • An IPv4 route to the remote 198.51.100.0/24 network. The corresponding gateway with the IP address 192.0.2.10 is reachable through the example connection.
  • An IPv6 route to the remote 2001:db8:2::/64 network. The corresponding gateway with the IP address 2001:db8:1::10 is reachable through the example connection.

Prerequisites

  • The example connection profile exists and it configures this host to be in the same IP subnet as the gateways.

Procedure

  1. Open the nmcli interactive mode for the example connection:

    # nmcli connection edit example
  2. Add the static IPv4 route:

    nmcli> set ipv4.routes 198.51.100.0/24 192.0.2.10
  3. Add the static IPv6 route:

    nmcli> set ipv6.routes 2001:db8:2::/64 2001:db8:1::10
  4. Optionally, verify that the routes were added correctly to the configuration:

    nmcli> print
    ...
    ipv4.routes:    { ip = 198.51.100.0/24, nh = 192.0.2.10 }
    ...
    ipv6.routes:    { ip = 2001:db8:2::/64, nh = 2001:db8:1::10 }
    ...

    The ip attribute displays the network to route and the nh attribute the gateway (next hop).

  5. Save the configuration:

    nmcli> save persistent
  6. Restart the network connection:

    nmcli> activate example
  7. Leave the nmcli interactive mode:

    nmcli> quit

Verification

  1. Display the IPv4 routes:

    # ip -4 route
    ...
    198.51.100.0/24 via 192.0.2.10 dev enp1s0
  2. Display the IPv6 routes:

    # ip -6 route
    ...
    2001:db8:2::/64 via 2001:db8:1::10 dev enp1s0 metric 1024 pref medium

Additional resources

  • nmcli(1) man page
  • nm-settings-nmcli(5) man page

20.8. Configuring a static route by using nmstatectl

Use the nmstatectl utility to configure a static route through the Nmstate API. The Nmstate API ensures that, after setting the configuration, the result matches the configuration file. If anything fails, nmstatectl automatically rolls back the changes to avoid leaving the system in an incorrect state.

Prerequisites

  • The enp1s0 network interface is configured and is in the same IP subnet as the gateways.
  • The nmstate package is installed.

Procedure

  1. Create a YAML file, for example ~/add-static-route-to-enp1s0.yml, with the following content:

    ---
    routes:
      config:
      - destination: 198.51.100.0/24
        next-hop-address: 192.0.2.10
        next-hop-interface: enp1s0
      - destination: 2001:db8:2::/64
        next-hop-address: 2001:db8:1::10
        next-hop-interface: enp1s0

    These settings define the following static routes:

    • An IPv4 route to the remote 198.51.100.0/24 network. The corresponding gateway with the IP address 192.0.2.10 is reachable through the enp1s0 interface.
    • An IPv6 route to the remote 2001:db8:2::/64 network. The corresponding gateway with the IP address 2001:db8:1::10 is reachable through the enp1s0 interface.
  2. Apply the settings to the system:

    # nmstatectl apply ~/add-static-route-to-enp1s0.yml

Verification

  1. Display the IPv4 routes:

    # ip -4 route
    ...
    198.51.100.0/24 via 192.0.2.10 dev enp1s0
  2. Display the IPv6 routes:

    # ip -6 route
    ...
    2001:db8:2::/64 via 2001:db8:1::10 dev enp1s0 metric 1024 pref medium

Additional resources

  • nmstatectl(8) man page
  • /usr/share/doc/nmstate/examples/ directory

20.9. Configuring a static route by using the network RHEL System Role

You can use the network RHEL System Role to configure static routes.

Important

When you run a play that uses the network RHEL System Role and if the setting values do not match the values specified in the play, the role overrides the existing connection profile with the same name. To prevent resetting these values to their defaults, always specify the whole configuration of the network connection profile in the play, even if the configuration, for example the IP configuration, already exists.

Perform this procedure on the Ansible control node.

Prerequisites

  • You have prepared the control node and the managed nodes
  • You are logged in to the control node as a user who can run playbooks on the managed nodes.
  • The account you use to connect to the managed nodes has sudo permissions on them.
  • The managed nodes or groups of managed nodes on which you want to run this playbook are listed in the Ansible inventory file.

Procedure

  1. Create a playbook file, for example ~/add-static-routes.yml, with the following content:

    ---
    - name: Configure the network
      hosts: managed-node-01.example.com
      tasks:
      - name: Configure an Ethernet connection with static IP and additional routes
        include_role:
          name: rhel-system-roles.network
    
        vars:
          network_connections:
            - name: enp7s0
              type: ethernet
              autoconnect: yes
              ip:
                address:
                  - 192.0.2.1/24
                  - 2001:db8:1::1/64
                gateway4: 192.0.2.254
                gateway6: 2001:db8:1::fffe
                dns:
                  - 192.0.2.200
                  - 2001:db8:1::ffbb
                dns_search:
                  - example.com
                route:
                  - network: 198.51.100.0
                    prefix: 24
                    gateway: 192.0.2.10
                  - network: 2001:db8:2::
                    prefix: 64
                    gateway: 2001:db8:1::10
              state: up

    Depending on whether it already exists, the procedure creates or updates the enp7s0 connection profile with the following settings:

    • A static IPv4 address - 192.0.2.1 with a /24 subnet mask
    • A static IPv6 address - 2001:db8:1::1 with a /64 subnet mask
    • An IPv4 default gateway - 192.0.2.254
    • An IPv6 default gateway - 2001:db8:1::fffe
    • An IPv4 DNS server - 192.0.2.200
    • An IPv6 DNS server - 2001:db8:1::ffbb
    • A DNS search domain - example.com
    • Static routes:

      • 198.51.100.0/24 with gateway 192.0.2.10
      • 2001:db8:2::/64 with gateway 2001:db8:1::10
  2. Validate the playbook syntax:

    # ansible-playbook ~/add-static-routes.yml --syntax-check

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook:

    # ansible-playbook ~/add-static-routes.yml

Verification

  1. On the managed nodes:

    1. Display the IPv4 routes:

      # ip -4 route
      ...
      198.51.100.0/24 via 192.0.2.10 dev enp7s0
    2. Display the IPv6 routes:

      # ip -6 route
      ...
      2001:db8:2::/64 via 2001:db8:1::10 dev enp7s0 metric 1024 pref medium

Additional resources

  • /usr/share/ansible/roles/rhel-system-roles.network/README.md file

20.10. Creating static routes configuration files in key-value format when using the legacy network scripts

The legacy network scripts support setting statics routes in key-value format.

The procedure below configures an IPv4 route to the remote 198.51.100.0/24 network. The corresponding gateway with the IP address 192.0.2.10 is reachable through the enp1s0 interface.

Note

The legacy network scripts support the key-value format only for static IPv4 routes. For IPv6 routes, use the ip-command format. See Creating static routes configuration files in ip-command format when using the legacy network scripts.

Prerequisites

  • The gateways for the static route must be directly reachable on the interface.
  • The NetworkManager package is not installed, or the NetworkManager service is disabled.
  • The network-scripts package is installed.
  • The network service is enabled.

Procedure

  1. Add the static IPv4 route to the /etc/sysconfig/network-scripts/route-enp0s1 file:

    ADDRESS0=198.51.100.0
    NETMASK0=255.255.255.0
    GATEWAY0=192.0.2.10
    • The ADDRESS0 variable defines the network of the first routing entry.
    • The NETMASK0 variable defines the netmask of the first routing entry.
    • The GATEWAY0 variable defines the IP address of the gateway to the remote network or host for the first routing entry.

      If you add multiple static routes, increase the number in the variable names. Note that the variables for each route must be numbered sequentially. For example, ADDRESS0, ADDRESS1, ADDRESS3, and so on.

  2. Restart the network:

    # systemctl restart network

Verification

  • Display the IPv4 routes:

    # ip -4 route
    ...
    198.51.100.0/24 via 192.0.2.10 dev enp1s0

Troubleshooting

  • Display the journal entries of the network unit:

    # journalctl -u network

    The following are possible error messages and their causes:

    • Error: Nexthop has invalid gateway: You specified an IPv4 gateway address in the route-enp1s0 file that is not in the same subnet as this router.
    • RTNETLINK answers: No route to host: You specified an IPv6 gateway address in the route6-enp1s0 file that is not in the same subnet as this router.
    • Error: Invalid prefix for given prefix length: You specified the remote network in the route-enp1s0 file by using an IP address within the remote network rather than the network address.

Additional resources

  • /usr/share/doc/network-scripts/sysconfig.txt file

20.11. Creating static routes configuration files in ip-command format when using the legacy network scripts

The legacy network scripts support setting statics routes.

The procedure below configures the following routes:

  • An IPv4 route to the remote 198.51.100.0/24 network. The corresponding gateway with the IP address 192.0.2.10 is reachable through the enp1s0 interface.
  • An IPv6 route to the remote 2001:db8:2::/64 network. The corresponding gateway with the IP address 2001:db8:1::10 is reachable through the enp1s0 interface.
Important

IP addresses of the gateways (next hop) must be in the same IP subnet as the host on which you configure the static routes.

The examples in this procedure use configuration entries in ip-command format.

Prerequisites

  • The gateways for the static route must be directly reachable on the interface.
  • The NetworkManager package is not installed, or the NetworkManager service is disabled.
  • The network-scripts package is installed.
  • The network service is enabled.

Procedure

  1. Add the static IPv4 route to the /etc/sysconfig/network-scripts/route-enp1s0 file:

    198.51.100.0/24 via 192.0.2.10 dev enp1s0

    Always specify the network address of the remote network, such as 198.51.100.0. Setting an IP address within the remote network, such as 198.51.100.1 causes that the network scripts fail to add this route.

  2. Add the static IPv6 route to the /etc/sysconfig/network-scripts/route6-enp1s0 file:

    2001:db8:2::/64 via 2001:db8:1::10 dev enp1s0
  3. Restart the network service:

    # systemctl restart network

Verification

  1. Display the IPv4 routes:

    # ip -4 route
    ...
    198.51.100.0/24 via 192.0.2.10 dev enp1s0
  2. Display the IPv6 routes:

    # ip -6 route
    ...
    2001:db8:2::/64 via 2001:db8:1::10 dev enp1s0 metric 1024 pref medium

Troubleshooting

  • Display the journal entries of the network unit:

    # journalctl -u network

    The following are possible error messages and their causes:

    • Error: Nexthop has invalid gateway: You specified an IPv4 gateway address in the route-enp1s0 file that is not in the same subnet as this router.
    • RTNETLINK answers: No route to host: You specified an IPv6 gateway address in the route6-enp1s0 file that is not in the same subnet as this router.
    • Error: Invalid prefix for given prefix length: You specified the remote network in the route-enp1s0 file by using an IP address within the remote network rather than the network address.

Additional Resources

  • /usr/share/doc/network-scripts/sysconfig.txt file