Default Gateways and Next-Hop Forwarding
A host can only put a frame directly onto its own local segment — it speaks layer 2 to the machines that share its wire and no further. For any destination off its subnet, it has no MAC address to send to and no link to reach. So it does the only thing it can: it hands the packet to its default gateway, a router sitting on the same wire, and lets that router carry it onward. The packet's IP destination stays the distant server; only the layer-2 frame is addressed to the gateway.
From there, routing is a hop-by-hop relay. Each router along the way knows exactly one thing about your packet: which neighbor to hand it to next. No single device knows the whole path, and none needs to — the destination IP plus each router's local table is enough to inch the packet forward one hop at a time until it lands on the segment where the destination actually lives.
On-Link versus Off-Link
Before a host sends any packet, it makes one decision: is the destination on-link (on my own subnet) or off-link (somewhere else)? It answers by applying its subnet mask to both its own address and the destination. If the network portions match, the destination is on the local wire and the host delivers the frame directly — it ARPs for the destination's own MAC and sends straight to it.
If the network portions differ, the destination is off-link. Now the host cannot send directly; it ARPs for the gateway's MAC instead and sends the frame there, with the IP header still addressed to the far destination. This is a per-packet decision driven entirely by the mask — get the mask wrong and a host will try to ARP directly for addresses it should have sent to the gateway, and the traffic simply fails.
The Default Gateway
The default gateway is the exit door for everything off-subnet. In the routing table it is just the next-hop of the default route 0.0.0.0/0, the route that matches any destination with no more specific entry. A host typically has exactly one: it knows its own subnet as a connected route and sends literally everything else to the gateway. DHCP usually supplies the gateway address (option 3, Router) along with the lease; a host that received an address and mask but a missing or wrong gateway can ping its neighbors and nothing beyond them.
The gateway must live on the host's own subnet; that is the whole point. The host has to reach it with a single layer-2 frame, so the gateway's address has to be on-link by the same mask test the host applies to every destination. A gateway configured outside the local subnet is unreachable at layer 2, and the host has no way to send to it at all, no matter how correct the rest of the configuration looks. (Some systems let an administrator declare a gateway on-link explicitly, for example Linux's onlink flag on ip route; absent such an override, the address must pass the host's own mask test.)
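The on-link test, the hand-off to the gateway, and the gateway-outside-the-subnet failure above can all be expressed in a few lines. The following is an added example, not code from the original page: it models a host's per-packet decision with Python's ipaddress module and shows which address the host would ARP for in each case. The host configurations and destination addresses are constructed for the example; HostConfig, is_on_link, arp_target and resolve_all are names chosen here.

```python
import ipaddress
from typing import NamedTuple, Optional

class HostConfig(NamedTuple):
    ip: str
    prefixlen: int             # the subnet mask as a prefix length (/24 == 255.255.255.0)
    gateway: Optional[str]     # None models a host that never received a default gateway

def is_on_link(cfg: HostConfig, dst: str) -> bool:
    """The mask test a host applies to every destination: AND the mask into its own
    address and into dst, then compare the network portions."""
    local_net = ipaddress.ip_interface(f"{cfg.ip}/{cfg.prefixlen}").network
    return ipaddress.ip_address(dst) in local_net

def arp_target(cfg: HostConfig, dst: str) -> str:
    """Return the IP the host must ARP for to put a frame toward dst on the wire.
    Raises ValueError in exactly the situations where a real host simply cannot send."""
    if is_on_link(cfg, dst):
        return dst                     # deliver directly: ARP for the destination's own MAC
    if cfg.gateway is None:
        raise ValueError("off-link destination and no default gateway configured")
    if not is_on_link(cfg, cfg.gateway):
        # the gateway fails the same mask test, so the host has no layer-2 path to it
        raise ValueError(f"gateway {cfg.gateway} is not on-link for {cfg.ip}/{cfg.prefixlen}")
    return cfg.gateway                 # frame goes to the gateway; IP header still says dst

def resolve_all(cfg: HostConfig, destinations) -> dict:
    """Map each destination to its ARP target, or to 'FAIL: ...' where sending is impossible."""
    result = {}
    for dst in destinations:
        try:
            result[dst] = arp_target(cfg, dst)
        except ValueError as exc:
            result[dst] = f"FAIL: {exc}"
    return result

if __name__ == "__main__":
    # constructed sample configurations, not taken from the page
    good      = HostConfig("192.168.1.20", 24, "192.168.1.1")
    no_gw     = HostConfig("192.168.1.20", 24, None)
    bad_gw    = HostConfig("192.168.1.20", 24, "10.0.0.1")     # gateway outside the subnet
    wide_mask = HostConfig("192.168.1.20", 16, "192.168.1.1")  # /16 configured on a wire that is really a /24
    targets = ["192.168.1.50", "192.168.7.9", "93.184.216.34"]
    for name, cfg in [("good", good), ("no_gw", no_gw), ("bad_gw", bad_gw), ("wide_mask", wide_mask)]:
        print(name, resolve_all(cfg, targets))
```

The wide_mask case shows the mask pitfall directly: 192.168.7.9 passes the /16 test, so the host ARPs for it on the local wire instead of sending to 192.168.1.1, and on a real /24 segment nobody answers. The bad_gw case is the gateway-outside-the-subnet error: local delivery still works, but every off-link destination fails before a frame is even built.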
Next-Hop Forwarding
Each hop rewrites the layer-2 header and leaves the layer-3 addresses alone. A router receives the frame, strips the Ethernet header, reads the destination IP, consults its own table for the next hop, and builds a fresh Ethernet header addressed to that next router's MAC (or, on the last hop, to the destination host's own MAC). The source and destination IP never change under normal routing; only the TTL drops by one to catch loops, and in IPv4 the header checksum is recomputed because of that change. The frame's MACs are local and disposable; the packet's IPs are end-to-end and durable. A router that decrements the TTL to zero discards the packet and sends an ICMP Time Exceeded back to the source, which is exactly the behavior traceroute provokes, one router per probe, to reveal the hops.
```shell
# trace the hop-by-hop relay: each line is one router's next-hop decision
traceroute -n 93.184.216.34
#  1  10.0.0.1       0.4 ms   <- this host's default gateway
#  2  100.64.0.1     3.1 ms   <- ISP edge, knew the next hop, not the path
#  3  203.0.113.9    9.8 ms
#  4  93.184.216.34  11.2 ms  <- arrived; no router ever knew the whole route
```
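The relay described above, and the longest-prefix match a router runs at each hop (the host's table is just the degenerate case of one connected prefix plus a default), can be simulated end to end. This is an added example, not code from the original page: it constructs a four-device topology loosely mirroring the traceroute output (host, gateway R1, ISP edge R2, last-hop R3, server), carries a packet hop by hop, and records what changes. The topology, MAC addresses, and the names Packet, Router, relay and build_network are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src_ip: str       # layer 3: end-to-end, never rewritten by a router
    dst_ip: str
    ttl: int          # decremented at every hop; reaching 0 means drop (ICMP Time Exceeded on a real router)
    src_mac: str      # layer 2: local to one link, rewritten at every hop
    dst_mac: str

@dataclass
class Router:
    name: str
    mac: str          # one MAC for brevity; a real router has one per interface
    table: dict       # prefix -> next-hop IP, or "connected" for a directly attached network
    arp: dict         # neighbor IP -> MAC, the router's ARP cache

    def longest_prefix_match(self, dst_ip: str):
        """Return (network, next_hop) for the most specific prefix containing dst_ip, or None."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for prefix, next_hop in self.table.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best

def relay(first_hop: Router, routers_by_ip: dict, pkt: Packet, max_hops: int = 32):
    """Carry pkt hop by hop. Each router knows only its own next hop; nobody knows the path.
    Returns (trail, outcome); trail lists (router, matched prefix, ttl after decrement) per hop."""
    trail = []
    router = first_hop
    for _ in range(max_hops):
        if pkt.dst_mac != router.mac:
            return trail, f"frame not addressed to {router.name}; ignored"
        pkt.ttl -= 1                                   # the only layer-3 field a router changes
        if pkt.ttl == 0:
            return trail, f"TTL exceeded at {router.name}"   # what each traceroute probe provokes
        match = router.longest_prefix_match(pkt.dst_ip)
        if match is None:
            return trail, f"no route to {pkt.dst_ip} at {router.name}"
        net, next_hop = match
        trail.append((router.name, str(net), pkt.ttl))
        pkt.src_mac = router.mac                       # fresh layer-2 header; IPs untouched
        if next_hop == "connected":
            pkt.dst_mac = router.arp[pkt.dst_ip]       # last hop: ARP for the destination itself
            return trail, f"delivered to {pkt.dst_ip}"
        if next_hop not in routers_by_ip:
            return trail, f"next hop {next_hop} unreachable from {router.name}"
        pkt.dst_mac = router.arp[next_hop]             # frame to the next router, not to the destination
        router = routers_by_ip[next_hop]
    return trail, "hop limit reached"

def build_network():
    """Constructed topology (not from the page): host 10.0.0.20 -> R1 -> R2 -> R3 -> 93.184.216.34."""
    host_mac, server_mac = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    r1_mac, r2_mac, r3_mac = "02:00:00:00:01:01", "02:00:00:00:02:01", "02:00:00:00:03:01"
    r1 = Router("R1", r1_mac,
                {"10.0.0.0/24": "connected", "0.0.0.0/0": "100.64.0.1"},
                {"10.0.0.20": host_mac, "100.64.0.1": r2_mac})
    r2 = Router("R2", r2_mac,
                # a specific /16 next to a default: longest-prefix match must pick the /16
                {"100.64.0.0/10": "connected", "93.184.0.0/16": "203.0.113.9", "0.0.0.0/0": "203.0.113.1"},
                {"10.0.0.1": r1_mac, "203.0.113.9": r3_mac, "203.0.113.1": "02:00:00:00:09:09"})
    r3 = Router("R3", r3_mac,
                {"203.0.113.0/24": "connected", "93.184.216.0/24": "connected"},
                {"100.64.0.1": r2_mac, "93.184.216.34": server_mac})
    return r1, {"10.0.0.1": r1, "100.64.0.1": r2, "203.0.113.9": r3}, host_mac, server_mac

if __name__ == "__main__":
    r1, by_ip, host_mac, server_mac = build_network()
    pkt = Packet("10.0.0.20", "93.184.216.34", 64, host_mac, r1.mac)   # the host frames it to its gateway
    trail, outcome = relay(r1, by_ip, pkt)
    for hop, (name, prefix, ttl) in enumerate(trail, 1):
        print(f"{hop:2d} {name}: matched {prefix}, ttl now {ttl}")
    print(outcome, "| IPs unchanged:", pkt.src_ip, "->", pkt.dst_ip, "| final frame to", pkt.dst_mac)
```

Two things to watch in the output: the source and destination IP are identical at the end to what the host sent, while the destination MAC has been rewritten three times; and R2 forwards on 93.184.0.0/16 rather than its default route, because the longer prefix wins. Running the same packet with a TTL of 2 stops at R2 with "TTL exceeded", which is how traceroute surfaces the second hop.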
Asymmetric Routing
Nothing forces the return path to mirror the forward path. The packet to the server and the reply coming back are routed independently, each hop by hop, and they can traverse entirely different routers — this is asymmetric routing, and on the wider internet it is the norm, not the exception. For plain forwarding it is harmless: the packet still arrives either way.
It stops being harmless the moment a stateful device sits in the path. A stateful firewall or NAT creates state from the first packet of a flow it sees and then needs to see both directions to keep that state meaningful. When the two directions take different paths, some device ends up seeing only half the conversation, and the half it never saw the start of looks unsolicited. In a pair of firewalls with outbound traffic through one and return traffic through the other, the second firewall receives the server's SYN-ACK without ever having seen the client's SYN, has no matching state, and drops it, so the handshake never completes. The opposite split, where a lone firewall sees the outbound half and the replies route around it, drops nothing by itself, but the device is now tracking a flow it only half sees, and any strict reverse-path filter on the way (Linux rp_filter in strict mode, for instance) discards packets that arrive on an interface it would not have used to route back to their source. Asymmetry is one of the most common silent causes of connections that never establish, or that establish and then stall when a route change moves one direction mid-flow.
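The failure is easiest to see with a toy connection tracker run over a TCP handshake routed four different ways. This is an added example, not code from the original page: StatefulFirewall, Pkt, deliver, handshake and scenarios are constructed for it, as are the addresses. The last scenario shows the usual fix, source NAT at the firewall, which makes the server address its replies to the firewall itself so they must return through it whatever the rest of the routing does.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

INSIDE = ipaddress.ip_network("10.0.0.0/24")   # the protected side; constructed for this example

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "SYN", "SYN-ACK" or "ACK"

class StatefulFirewall:
    """Minimal connection tracker. Policy: inside may open flows; outside may only answer a flow
    that this very device saw the start of. With snat_ip set it also source-NATs outbound flows."""
    def __init__(self, name: str, snat_ip: Optional[str] = None):
        self.name = name
        self.snat_ip = snat_ip
        self.flows = {}   # (inside ip, inside port, outside ip, outside port) -> True

    def inspect(self, p: Pkt):
        """Return (verdict, packet as it leaves this device)."""
        if ipaddress.ip_address(p.src) in INSIDE:                        # outbound direction
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.flows:
                if p.flags != "SYN":
                    return "DROP", p                                     # mid-flow packet, no state
                self.flows[key] = True
            if self.snat_ip:
                p = replace(p, src=self.snat_ip)     # replies will now be addressed to this device
            return "ACCEPT", p
        for in_ip, in_port, out_ip, out_port in self.flows:              # inbound direction
            expected_dst = self.snat_ip or in_ip
            if (p.src, p.sport, p.dst, p.dport) == (out_ip, out_port, expected_dst, in_port):
                return "ACCEPT", replace(p, dst=in_ip)                   # un-NAT (no-op without SNAT)
        return "DROP", p                                                 # unsolicited: no state here

def deliver(path, p: Pkt):
    """Run p through every stateful device on path, stopping at the first DROP."""
    for fw in path:
        verdict, p = fw.inspect(p)
        if verdict == "DROP":
            return f"DROP@{fw.name}", p
    return "ACCEPT", p

def handshake(out_path, back_path, all_fws):
    """Client SYN along out_path, server SYN-ACK along back_path, client ACK along out_path.
    Returns the verdict list; a DROP ends the handshake, as it would on a real network."""
    client, server = ("10.0.0.20", 40000), ("93.184.216.34", 443)
    v1, syn_as_seen = deliver(out_path, Pkt(*client, *server, "SYN"))
    if v1 != "ACCEPT":
        return [v1]
    # the server answers whatever source it saw; after SNAT that is the firewall's own address,
    # which is routed back to that firewall regardless of the asymmetric default path
    synack = Pkt(*server, syn_as_seen.src, syn_as_seen.sport, "SYN-ACK")
    owners = {fw.snat_ip: fw for fw in all_fws if fw.snat_ip}
    path = [owners[synack.dst]] if synack.dst in owners else back_path
    v2, _ = deliver(path, synack)
    if v2 != "ACCEPT":
        return [v1, v2]
    v3, _ = deliver(out_path, Pkt(*client, *server, "ACK"))
    return [v1, v2, v3]

def scenarios():
    """The same handshake routed four ways; returns (symmetric, bypassed, split, snat_fixed)."""
    def pair(snat=None):
        return StatefulFirewall("fw-a", snat_ip=snat), StatefulFirewall("fw-b")
    a, b = pair()
    symmetric = handshake([a], [a], [a, b])    # both halves through fw-a
    a, b = pair()
    bypassed = handshake([a], [], [a, b])      # replies route around fw-a: nothing drops, half a flow tracked
    a, b = pair()
    split = handshake([a], [b], [a, b])        # replies hit fw-b, which never saw the SYN: dropped
    a, b = pair("198.51.100.1")
    snat_fixed = handshake([a], [b], [a, b])   # SNAT at fw-a pulls the replies back through fw-a
    return symmetric, bypassed, split, snat_fixed

if __name__ == "__main__":
    for label, verdicts in zip(("symmetric", "bypassed", "split", "snat-fixed"), scenarios()):
        print(f"{label:10s} {verdicts}")
```

The split scenario is the one that bites: the handshake ends at fw-b with the SYN-ACK dropped as unsolicited, even though every device is configured correctly on its own. The bypassed scenario passes everything, which is why a single firewall with replies routed around it is a quieter problem: nothing fails until a reverse-path filter or a second stateful device enters the picture.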
Host versus Router
A host asks one question per packet: "is this destination local?" If yes, it sends the frame directly; if no, it sends to the default gateway. It rarely needs more than its own subnet plus a default route, because every off-link destination gets the same answer.
A router asks "which next-hop?" It runs longest-prefix match across a full table of prefixes and picks the most specific one. Same table mechanism, vastly larger scale: a host has a handful of routes, a core router carrying the full internet table holds on the order of a million prefixes.
Common Pitfalls
- A missing or wrong default gateway, leaving a host able to reach its own subnet but nothing off it. The symptom is classic: local pings succeed, everything remote times out, and the IP and mask both look fine.
- Setting a gateway address outside the host's own subnet. The host cannot reach it at layer 2 at all, so no off-link traffic ever leaves — the config looks plausible but is unreachable by the mask test.
- Assuming the source picks the whole path. It does not — it picks only the first hop (the gateway), and every router after that makes its own independent next-hop choice. There is no end-to-end path baked into the packet.
- Ignoring asymmetric routing in front of stateful devices. Outbound traffic through one firewall and return traffic through another, and the firewall that never saw the start of the flow drops the replies as unsolicited; the handshake fails, or an established flow silently stalls the moment a route change splits its directions.
- A wrong subnet mask flipping the on-link decision. Too broad a mask makes a host try to ARP directly for off-subnet addresses instead of using the gateway, so traffic to those addresses fails while the gateway sits unused.
Best Practices
- When remote connectivity fails but local pings work, check the default gateway first with ip route; a missing or off-subnet default route is the single most common cause of "can't reach anything beyond my LAN."
- Always place the gateway address inside the host's own subnet, since the host must reach it with one layer-2 frame; verify it passes the same mask test the host applies to every destination.
- Pin both directions of a flow to the same path through any stateful device: symmetric routing, policy-based routing on source address, or source NAT at the device itself so that replies are addressed to it and have to return through it. Either way the firewall or NAT sees both halves of the conversation.
- Diagnose hop-by-hop with traceroute to see where forwarding stops, remembering each line is one router's independent next-hop choice, not a path the source planned.
- Double-check the subnet mask whenever on-link versus off-link behavior looks wrong, because the mask alone decides whether a host sends directly or hands the packet to the gateway.
Knowledge Check
How does a host decide whether to deliver a frame directly or hand it to its default gateway?
- It applies its subnet mask to compare network portions; on-link goes direct, off-link goes to the gateway
- It asks the gateway for explicit permission before sending out each individual packet onto the wire itself
- It does a DNS lookup to learn which router owns the destination address
- It reads the packet's TTL to choose between direct delivery and the gateway
As a packet crosses each router on its way to the destination, what changes and what stays the same?
- The layer-2 header is rewritten and TTL drops each hop; the source and destination IP stay constant
- The destination IP is rewritten toward the next hop at each router while the MAC header is preserved
- Both the source IP and the MAC header are kept identical across every hop
- Everything is forwarded unchanged so the destination sees the original frame
Why does asymmetric routing break a stateful firewall when plain forwarding tolerates it fine?
- The firewall needs both directions to build and track state; a reply that reaches a device holding no state for its flow is dropped as unsolicited
- Asymmetric paths corrupt the IP header in transit, so the stateful firewall can no longer parse the packet at all
- The return path rewrites the destination IP, so replies arrive at the wrong host
- It forces a routing loop that the firewall must break by discarding packets