5.6. Virtual Routers

In large networks, it often happens that multiple logical networks use the same network devices for their traffic. This traffic needs to be separated at the devices, first and foremost to reduce the risk of unauthorized cross-network access.

Virtual routers, or Virtual Routing and Forwarding (VRF) features, provide traffic separation by organizing network interfaces into independent groups. The traffic from one interface group cannot reach other interface groups.

Each virtual router has its own routing table. A virtual router's routing table can contain route records defined statically or obtained using dynamic routing protocols, such as BGP, OSPF, or RIP.

Different virtual routers are allowed to use the same IP networks (IP overlapping).

Network interfaces that have not been assigned explicitly to one of the virtual routers are automatically assigned to the Default virtual router.

Virtual routers have the following limitations:

  • These services can only be used in the default virtual router:

    • WCCP.

    • ICAP.

    • DNS.

    • Authorization.

    • Any network traffic that is generated by the device itself, such as license checks, update downloads, log uploads, sending email/SMS messages, SNMP traps, etc.

  • The NAT, DNAT, and port forwarding rules apply to all virtual routers.

  • The zones are global --- that is, the zone settings and interface-to-zone mappings apply to all virtual routers.


The default virtual router is required for the correct operation of UserGate. It is used to check licenses, download updates, and provide DNS services.

To add a virtual router, follow these steps:


The following prefixes cannot be used to specify virtual router name:port, gre, egress, ingress, tun, tap, erspan, ppp, bond, bridge, pimreg.



Step 1. Create a new virtual router.

In the Network --> Virtual routers section, click Add and provide a name and description for the new virtual router. Specify the name of the cluster node on which this virtual router is being created, if you have a cluster.

Step 2. Add network interfaces to the newly created virtual router.

On the Interfaces tab, select the network interfaces that should be added to this virtual router. Interfaces that are already added to other virtual routers are not available for selection; any single interface can only belong to one virtual router. All types of interfaces, including physical, virtual (VLAN), bond, VPN and others can be added to a virtual router.

Step 3. (Optional) Add static routes.

Add the routes (except the default route) that will be applied to the traffic in this virtual router. For more details, see the section Static Routes.

The default route is added in the Network --> Gateways section. For more details on configuring gateways, see the section Gateway Configuration.

Step 4. (Optional) Add dynamic routes obtained using the OSPF routing protocol.

Configure the OSPF protocol to build a dynamic route map. For more details, see the section OSPF.

Step 5. (Optional) Add dynamic routes obtained using the BGP routing protocol.

Configure the BGP protocol to build a dynamic route map. For more details, see the section BGP.

Step 6. (Optional) Add dynamic routes obtained using the RIP routing protocol.

Configure the RIP protocol to build a dynamic route map. For more details, see the section RIP.

Step 7. (Optional) Configure multicasting.

Configure the multicasting settings for this virtual router. For more details, see the section Multicasting.