Why does this ROUTE ADD command fail?

2

1

I am trying to block access to a single IP address by adding a specific route that leads "nowhere" (instead of the default gateway):

route ADD 199.239.136.200 MASK 255.255.255.255 127.0.0.1 METRIC 10

The problem is that this command fails with the following error:

The route addition failed: The parameter is incorrect.

It doesn't say which parameter is incorrect. I probably violated an implied rule of networking basics but I don't know what it is. Any idea which parameter is incorrect and, more importantly, why?

Thanks.

Android Eve

Posted 2010-10-17T22:03:10.083

Reputation: 687

Answers

1

You cannot have the loopback device (127.0.0.1) be the gateway. It doesn't make sense.

What you are saying with this command is "route all traffic that goes to this address(es) through this gateway". Because loopback does not route to any network, it does not work.

Find out which gateway you want this traffic to go through and use that instead. In a comment you mentioned using your own IP address. That might work because your IP would just fail routing the traffic. I have not tested this, so YMMV:

route ADD 199.239.136.200 MASK 255.255.255.255 <OWN_IP> METRIC 10

It might be worth checking out Wikipedia's article on loopback for more information. Also, check out this Super User question for information on the gateway's role in routing.

Belmin Fernandez

Posted 2010-10-17T22:03:10.083

Reputation: 2 691

Yes, I realized that I cannot have 127.0.0.1 be the router for a non-127.0.0.0 destination. The example you gave, however, doesn't make sense either. In fact, I just tried it with ROUTE ADD and it fails because ROUTE ADD is smart enough to notice that "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface". At least that. If it were smarter and told me what and why, that would've been so much better. In the meantime I found a ROUTE ADD variation that does work. See my comment to Nick below. – Android Eve – 2010-10-17T22:36:46.223

My apologies. I'll edit my example. I was merely trying to help you figure out why 127.0.0.1 won't work. The problem is not about "cannot have 127.0.0.1 be the router for a non 127.0.0.0 destination". It has to do with loopback being a virtual device. Using your own IP address as the gateway could possibly work. – Belmin Fernandez – 2010-10-17T23:09:49.637

No problem. I already gave you +1 for the part that says "You cannot have the loopback device (127.0.0.1) be the gateway". Unlike Nick's answer which pointed at the mask, you correctly pointed at the gateway part of the ROUTE ADD command. I am still not sure, however, that I understand all the rules about what constitutes a valid gateway. I am going to accept your answer, though, because I have at least one version of the ROUTE ADD command that works for me. :) – Android Eve – 2010-10-18T00:11:18.190

1

You're trying to add your own device as the gateway; for every port on your computer I can come up with a reason to do this. The issue is that Windows will not let you set 127.0.0.1 as the gateway. This might be due to the fact that it is not defined by Windows ipconfig. So, instead of using 127.0.0.1 as the gateway, Windows has redefined it as "On-Link":

Destination    Netmask     Gateway    Interface    Metric 
127.0.0.0      255.0.0.0   On-link    10.10.2.210  11

To set an On-Link gateway you have to specify it as 0.0.0.0. My guess is that Microsoft knew that this gateway is impossible, so they internally defined it as the local address gateway.

To set this simply use:

C:\Windows\system32>route add 127.0.0.0 mask 255.0.0.0 0.0.0.0
 OK!

C:\Windows\system32>route add 127.0.0.1 mask 255.255.255.255 0.0.0.0
 OK!

Make sure you specify your own metric and interface, as Windows might not pick the one you intended to use.

Patrick

Posted 2010-10-17T22:03:10.083

Reputation: 11

0

With the subnet mask set to 255.255.255.255 you are masking every single bit of the address; that sounds like an issue to me.

Nick

Posted 2010-10-17T22:03:10.083

Reputation: 626

That's exactly the intent. I want to mask a single IP address only, not a range. BTW, I just experimented with ROUTE ADD a little more and discovered that if I change the 3rd parameter from 127.0.0.1 to the IP address of my PC, everything works properly. That is, ROUTE ADD succeeds and the destination IP address is indeed blocked. Now I need to understand why. Any idea? – Android Eve – 2010-10-17T22:12:46.690
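The gateway outcomes reported across this thread, collected into one check as an added example (not code from any poster, and a simplified model rather than the validation Windows actually performs). The `/24` prefix on the interface and the gateways 10.10.2.1 and 192.168.50.1 are constructed sample values.

```python
import ipaddress

# Constructed interface table. 10.10.2.210 is the interface shown in the
# route table above; the /24 prefix length is an assumption.
INTERFACES = [ipaddress.ip_interface("10.10.2.210/24")]

def check_route(dest, mask, gateway, interfaces=INTERFACES):
    """Return (ok, reason) for 'route ADD dest MASK mask gateway'.

    Models only the outcomes reported in this thread.
    """
    try:
        # strict=True rejects a destination with bits set outside the mask
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
    except ValueError:
        return False, "destination/mask pair is not a valid network"
    gw = ipaddress.ip_address(gateway)
    if gw.is_unspecified:
        # 0.0.0.0 is how an On-link route is requested (Patrick's answer)
        return True, f"on-link route to {net}"
    if gw.is_loopback:
        # The asker's original command: "The parameter is incorrect."
        return False, "loopback address cannot be the gateway"
    for iface in interfaces:
        if gw == iface.ip:
            # Variant the asker reports as accepted and as blocking the host
            return True, f"{net} via this host's own address {gw}"
        if gw in iface.network:
            return True, f"{net} via neighbour {gw} on {iface.network}"
    # "...the gateway does not lie on the same network as the interface"
    return False, "gateway is not on the same network as any interface"

if __name__ == "__main__":
    host = ("199.239.136.200", "255.255.255.255")
    cases = [
        (*host, "127.0.0.1"),        # original failing command
        (*host, "192.168.50.1"),     # gateway on a foreign network
        (*host, "10.10.2.210"),      # own IP address as gateway
        (*host, "10.10.2.1"),        # ordinary neighbour gateway
        ("127.0.0.0", "255.0.0.0", "0.0.0.0"),  # On-link example
    ]
    for dest, mask, gw in cases:
        ok, reason = check_route(dest, mask, gw)
        print(f"{dest:16} {mask:16} {gw:13} {'OK' if ok else 'FAIL'}: {reason}")
```

A 255.255.255.255 mask passes the first check because a single-host destination has no bits outside the mask, which matches the asker's reply to Nick.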