13

Is a Gateway always a real computer or just a "logic" entity, which can be on any address, except the broadcast IP?

Semo
  • 9
    The modern and arguably more correct term for a gateway is **[router](https://en.wikipedia.org/wiki/Router_(computing))**. Routers can exist purely in software; conventional computers such as PCs, laptops and server systems can be used as routers, but generally dedicated hardware devices are used. – HBruijn Jan 29 '19 at 08:11
  • 2
    What do you mean by "logic entity"? – Barmar Jan 29 '19 at 17:50
  • 2
    @HBruijn, in most cases a gateway is a router. The general term is that a gateway is the host on the network to which other hosts send traffic that is destined for a different network. That doesn't mean that it must be a router. It could be a proxy, ALG, etc. Also, there may be a corner case where any traffic destined for a different network needs to be trapped and not forwarded by the gateway, in which case it is not a router because it is not routing packets between networks. – Ron Maupin Jan 29 '19 at 18:58
  • I'd wager that a system that is capable of making forwarding decisions based on destination IP addresses does not have to be Turing complete ... so, no, a router need not be a computer (same applies one level below for bridges and one level higher for gateways, though possibly to different extents). Nevertheless, each such system is *typically* a device (or collection of devices) that can be configured administratively or by additional applications (such as routing protocols) - and to even be able to process a configuration, these things tend to be (specialized) computers. – Hagen von Eitzen Jan 29 '19 at 21:45
  • @Barmar I mean if a Gateway must be a specialized hardware device like a Bridge or Router, or if it could be just a piece of information like a setting in a server, which is kind of mutable, if you think in terms of programming languages. – Semo Jan 30 '19 at 05:38
  • It's very common to use Linux machines as routers. And many SOHO routers are Linux under the covers. – Barmar Jan 30 '19 at 07:28

4 Answers

29

Default route (aka gateway address) has to be owned by something that is capable of forwarding packets to the rest of the internet, and which is willing to do so. It doesn't have to be the "principal" IP address of the thing that owns it (whatever that means). It can be a logical address that floats between two or more devices, and in high-availability setups it often is.

The only requirement, in order that routing works, is that whatever device currently owns and advertises the address, that device can and will route traffic.

MadHatter
  • 6
    ... Or at least pretend to. – Shadur Jan 29 '19 at 09:57
  • 2
    @Shadur I'm interested in how routing can work if default route only pretends to actually, y'know, route traffic. – MadHatter Jan 29 '19 at 10:06
  • 1
    Routing itself won't work, but if all you want to allow is browsing you could have the "gateway" intercept and run a transparent proxy on ports 53, 80 and 443, and keep the system itself as isolated as possible. – Shadur Jan 29 '19 at 10:09
  • 7
    OK. I don't disagree, but that's not routing. I stand by my assertion that in order for *routing* to work, the router must actually route, and it sounds like you wouldn't disagree with that. – MadHatter Jan 29 '19 at 10:31
  • Not every gateway is a gateway to the internet. It is possible for a privately owned network not connected to the internet to be big enough to have subnets with gateways to the backbone of that system. The internet isn't necessarily the only large, internet-like network. (It is the largest such network, but smaller ones of similar layout can still have gateways on them, and a computer on one of those isn't likely to know the difference, nor would you want it to.) – Matthew Najmon Jan 29 '19 at 20:28
  • 1
    Fair point, but "gateway" as it's used in this question is default route, ie next-hop-of-last-resort. That has to be able to get you not only to any internal subnets that you don't have specific routes for, but to everything else *as well*. – MadHatter Jan 29 '19 at 20:36
  • @MadHatter: Not if you're content with seeing "Error: You don't have internet" when trying to visit google.com. Most people are not fine with that, but for high-security airgapped systems, it may be desirable. – Kevin Jan 29 '19 at 22:51
  • As long as we are talking about IPv4, the gateway doesn't advertise the gateway address, it's enough that it responds to ARP requests for that address: the gateway address has to be in the same subnet as the "clients" (End Systems, I think they are officially called), because otherwise the clients wouldn't be able to reach it. – Bass Jan 30 '19 at 07:01
  • @MadHatter It doesn't have to send your packets out to the Internet. It can simulate a small part of the Internet. Or it could be a transparent proxy for example. Remember the upside-down-ternet? – user253751 Jan 31 '19 at 04:36
  • @immibis proxies I've already discussed, above. I accept there are networks from which only a subset of the internet-at-large, or even none of it, is directly routable, but those are not mentioned in the question so I see no personal need to bring them up. Feel free to write your own answer should you wish to discuss it at length. – MadHatter Jan 31 '19 at 06:58
15

The IP address of the gateway can be any valid host IP address in the subnet, i.e. not the network address itself nor the broadcast address. This IP address does not need to belong to a single computer or router, it can be a "floating" IP address used by several gateways. Check out the Wikipedia articles on HSRP, VRRP, GLBP, or CARP.

For example, when the subnet is 172.16.23.0/25, then:

  • the network address is 172.16.23.0,
  • the broadcast address is 172.16.23.127, and
  • the range of valid host addresses is from 172.16.23.1 till 172.16.23.126, inclusive.

The gateway must be any of these valid host addresses, e.g. 172.16.23.65. The settings of your computer would then be, e.g.:

  • IP address: 172.16.23.5
  • Subnet mask: 255.255.255.128
  • Default gateway: 172.16.23.65

Now adding in one of the first-hop redundancy protocols, the actual gateways (routers) can have the IP address 172.16.23.1 and 172.16.23.2 but use the virtual IP address of 172.16.23.65 to present themselves as the default gateway to the subnet.

Tommiie
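Added example (not part of the answer above): a Python check of the rule the answer states, run on its 172.16.23.0/25 settings, plus a lookup that tells a floating first-hop-redundancy address from a single device by the MAC that answers ARP for the gateway. The function names, the sample MAC addresses and the /31 handling are assumptions of this example; the prefixes are the protocols' well-known IPv4 virtual MAC ranges.

```python
import ipaddress

# Well-known IPv4 virtual MAC prefixes of first-hop redundancy protocols.
FHRP_PREFIXES = {
    "00:00:5e:00:01:": "VRRP/CARP",
    "00:00:0c:07:ac:": "HSRP v1",
    "00:00:0c:9f:f": "HSRP v2",
    "00:07:b4:00:": "GLBP",
}

def check_gateway(host_ip, netmask, gateway):
    """Return a list of problems with a host's default-gateway setting."""
    net = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        return [f"{gw} is outside the host's subnet {net}"]
    problems = []
    # /31 and /32 networks have no reserved network or broadcast address.
    if net.prefixlen < net.max_prefixlen - 1:
        if gw == net.network_address:
            problems.append(f"{gw} is the network address of {net}")
        if gw == net.broadcast_address:
            problems.append(f"{gw} is the broadcast address of {net}")
    return problems

def gateway_owner(mac):
    """Name the redundancy protocol this virtual MAC belongs to, else None."""
    mac = mac.lower().replace("-", ":")
    for prefix, proto in FHRP_PREFIXES.items():
        if mac.startswith(prefix):
            return proto
    return None  # an ordinary device MAC: the address is not floating

if __name__ == "__main__":
    for gw in ("172.16.23.65", "172.16.23.127", "172.16.23.0", "172.16.23.200"):
        print(gw, check_gateway("172.16.23.5", "255.255.255.128", gw) or "ok")
    # Constructed ARP answers for 172.16.23.65: VRRP group 10, then a plain NIC.
    for mac in ("00:00:5E:00:01:0A", "52:54:00:12:34:56"):
        print(mac, gateway_owner(mac) or "single device, no FHRP virtual MAC")
```
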
9

"Logical entity" in your usage is a tiny bit confusing. But I'll try to answer it best I can.

From my experience, a gateway in an IP configuration is usually a physical device. While it doesn't have to be a computer in the traditional sense (it can also be a network appliance) it does have to be a device.

As you may know, the purpose that a default gateway serves is to act as a forwarding entity for all requests that a.) the computer doesn't already have in its routing table or has an entry instructing the system to forward the request to an IP that happens to be the gateway and/or b.) that are outside of the broadcast domain. The default gateway is never used in situations where two hosts are on the same broadcast domain (i.e. a network topology created by a switch) because the system can use the subnet's broadcast address to find the MAC address of a system owning a particular IP address.

In short, to answer your question, technically, you can set your default gateway as any IP address on a connected network. Windows or most other OSs for that matter won't stop you because they often don't perform verification of TCP/IP details. If you're setting it, you're most likely technically-savvy enough to understand the distinction. However, if it is the IP address of a device that is unable to forward, then it will result in errors in applications reliant on routing (i.e. a web browser) because the device won't be prepared with a routing table or a routing service to forward the request.

Someone much more experienced than myself, however, should be able to easily correct me if I am wrong.

TL;DR - A physical device, most likely.

Alex Hajnal
kelvintechie
  • You can have multiple different IP subnets on the same broadcast domain. In such cases traffic between those hosts will flow via their default gateways unless extra entries are added to the hosts' routing tables or ICMP redirects are in use. – Peter Green Jan 29 '19 at 16:29
  • @PeterGreen Yea, there are a lot of odd edge cases. For example, say 192.168.0.0/24 and 10.0.0.0/24 are on the same physical Ethernet LAN with the gateway for both being the same physical router at 192.168.0.1 and 10.0.0.1 respectively. If 192.168.0.100 pings 10.0.0.100 the first round-trip will be relayed through the gateway. The gateway may also send ICMP redirects to each host telling them they're on the same LAN. If so, each host will then send ARP requests to get their peer's MAC addresses and all further communication will then occur directly between the peers (not via the gateway). – Alex Hajnal Jan 30 '19 at 14:30
  • Note that with the above example, hosts need to be prodded (via an ICMP redirect) to broadcast an ARP request for the MAC address of a peer on a foreign network. Absent a redirect hosts won't make foreign-network ARP requests. – Alex Hajnal Jan 30 '19 at 14:44
5

Routing table entries resolve a subnet to either a gateway or a network adapter.

A typical routing table for a device on a private network might, if you leave out the unnecessary stuff, look like

```
0.0.0.0/0 via 192.168.0.1
192.168.0.0/24 dev eth0
```

The most specific route wins for each destination, so the subnet route takes precedence over the default route for addresses in the subnet.

The gateway address is, in turn, resolved through the routing table, which determines the network interface it is given to as well as addressing on the lower layer.

So, for a packet to 1.1.1.1, the destination is looked up in the routing table, returning the default route, which has a gateway. The gateway is looked up again, returning the Ethernet interface.

Ethernet has MAC addresses, so an ARP lookup is done for the gateway address, and the MAC address for the gateway is used for the outgoing packet (which still uses the proper destination address in its IP header).

Other lower-level transports work differently, for example PPP links have a "peer address", so their device route uses a netmask of /32, and they skip ARP resolution and just send packets as "broadcast" over the PPP link.

Some IP stacks require manual creation of the device route, which makes this a bit more obvious:

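```
# Assign the address and bring the interface up
ifconfig eth0 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255 up
# Device route for the local subnet
route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0
# Default route through the gateway (net-tools route takes "gw", not "via")
route add default gw 192.168.0.1
```
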
Simon Richter
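Added example (not part of the answer above): the two-step lookup the answer describes, written in Python over its own two-entry routing table. The tuple layout and function names are assumptions of this example; it returns the outgoing device and the address the host must ARP for, and fails when a gateway does not itself resolve to a device route.

```python
import ipaddress

# The answer's table as (prefix, gateway or None, device or None).
ROUTES = [
    ("0.0.0.0/0", "192.168.0.1", None),
    ("192.168.0.0/24", None, "eth0"),
]

def longest_match(routes, addr):
    """Most specific route whose prefix contains addr, or None."""
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)

def resolve(routes, destination):
    """Return (device, address to ARP for) for a destination.

    Raises LookupError if there is no route or the gateway is not on-link.
    """
    dest = ipaddress.ip_address(destination)
    route = longest_match(routes, dest)
    if route is None:
        raise LookupError(f"no route to {dest}")
    _, gateway, device = route
    if gateway is None:
        # Device route: the destination is on-link, ARP for it directly.
        return device, str(dest)
    # Gateway route: look the gateway up again; it must hit a device route.
    gw_route = longest_match(routes, ipaddress.ip_address(gateway))
    if gw_route is None or gw_route[2] is None:
        raise LookupError(f"gateway {gateway} is not reachable on any device")
    # The IP header keeps the real destination; only the MAC is the gateway's.
    return gw_route[2], gateway

if __name__ == "__main__":
    for dst in ("1.1.1.1", "192.168.0.7"):
        dev, arp_for = resolve(ROUTES, dst)
        print(f"{dst}: send on {dev}, ARP for {arp_for}")
```
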