Routing: Routers, Gateways and the Routing Table

Kai · 5 min read

Article 3 showed that within a LAN, machines talk directly via MAC. But when the destination is on another network — a server on the Internet — the packet has to leave the LAN and travel through many networks. That's called routing, and this article explains how it works.

Router: the device that connects networks

A router is a layer 3 (network) device that connects different networks together and moves packets between them. Unlike a switch (layer 2, forwarding frames within one LAN based on MAC), a router looks at the destination IP address and decides which direction the packet goes next.

The Internet is really a giant network of countless small networks, connected through routers. Your packet doesn't go straight to the destination — it's passed hand to hand through a chain of routers.

Default gateway: the way out of the local network

Your machine knows how to deliver directly to machines on the same LAN (via ARP/MAC). But for any address outside the LAN, it needs a "way out" — that's the default gateway, usually the network's router.

View it on your machine:

netstat -rn | grep default      # macOS
# (on Linux: ip route | grep default)
default   192.168.71.1   ...   en0

192.168.71.1 is the gateway — the home network's router. Your machine's rule is dead simple: "Destination on the same LAN? Send directly. Destination somewhere else? Hand it to the gateway and let it deal with it." (And to send to the gateway, your machine uses its MAC — exactly the ARP line 192.168.71.1 we saw in Article 3.)

The routing table: deciding where to send

Every machine (and every router) has a routing table — a list of rules "if the destination falls in this range, go via this path." View the table on your machine:

netstat -rn       # macOS
Destination     Gateway          Netif
default         192.168.71.1     en0      ← everything else → gateway
10.50/16        utun6            utun6    ← the 10.50.x.x range → via VPN
192.168.71/24   link#... (local) en0      ← same LAN → send directly

How the machine reads the table: for each packet, it finds the line that matches most specifically against the destination IP.

  • Destination 192.168.71.50? Matches the 192.168.71/24 line → same LAN, send directly.
  • Destination 10.50.x.x? Matches the VPN line → go via the tunnel (the example above is a machine with a VPN).
  • Destination 1.1.1.1? Matches no specific line → falls into default → hand it to gateway 192.168.71.1.

The default line (also written 0.0.0.0/0) is the "catch-all" — every destination that matches nothing else goes through here. This is why "no default route" means a machine can't reach the Internet (remember Article 13 of the Linux series).
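The lookup rule described above, as an added example (not code from the original article): it expands the shorthand destinations macOS prints (10.50/16, 192.168.71/24, default) into full networks and picks the longest matching prefix. The function names and the test destinations 10.50.3.7 and 10.51.0.1 are assumptions made for illustration; the table rows are the ones shown above.

```python
import ipaddress

# Constructed sample: the routing table shown above, as (destination, gateway, netif).
ROUTES = [
    ("default",       "192.168.71.1",      "en0"),
    ("10.50/16",      "utun6",             "utun6"),
    ("192.168.71/24", "link#... (local)",  "en0"),
]

def parse_destination(dest):
    """Expand macOS netstat shorthand ('10.50/16', 'default') into a network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        if len(octets) != 4:
            raise ValueError(f"no prefix length given for {dest!r}")
        plen = "32"  # a full address with no mask is a host route
    octets += ["0"] * (4 - len(octets))  # pad the trailing octets netstat dropped
    return ipaddress.ip_network(".".join(octets) + "/" + plen)

def lookup(routes, destination_ip):
    """Return (network, gateway, netif) for the longest matching prefix, or None."""
    ip = ipaddress.ip_address(destination_ip)
    best = None
    for dest, gateway, netif in routes:
        net = parse_destination(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, netif)
    return best

def leaves_outside_tunnel(routes, destination_ip, tunnel_netif):
    """True if traffic to destination_ip would not use tunnel_netif (or has no route)."""
    match = lookup(routes, destination_ip)
    return match is None or match[2] != tunnel_netif

if __name__ == "__main__":
    for ip in ("192.168.71.50", "10.50.3.7", "10.51.0.1", "1.1.1.1"):
        net, gw, netif = lookup(ROUTES, ip)
        print(f"{ip:15} -> {str(net):18} via {gw:17} on {netif}")
    # Without the default line, an off-LAN destination has no route at all.
    print(lookup(ROUTES[1:], "1.1.1.1"))
```

Note that 10.51.0.1 sits just outside the 10.50/16 range, so it falls through to default and leaves via en0 rather than the VPN tunnel: only the ranges that have their own line in the table go through utun6.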

Hop: the packet jumps across each leg

A router doesn't know the whole path to the destination — it only knows the next hop. Each router along the way receives the packet, looks at the destination IP, consults its own routing table, then pushes it on to the next router. And so on, until the destination. Each pass through a router is called a hop.

   Your machine     home router      ISP router        ...        destination server
   192.168.71.168 ─► 192.168.71.1 ─► 113.22.0.116 ─► ... ─►  (public IP)
        │             hop 1            hop 3
        └─ source/destination IP STAYS THE SAME the whole journey
           MAC is REWRITTEN at each hop (for the next internal leg — Article 3)

The subtle point (linking to Article 3): the source and destination IP don't change the whole journey (they identify the two endpoints), but the MAC changes at each hop (each leg is a "LAN" between two routers, needing that leg's MAC).

Observe it for real: traceroute

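traceroute lets you see the hops to a destination, using a clever trick with the TTL (Time To Live) field in the IP header. Each router decrements TTL by 1, and when TTL hits 0 that router drops the packet and reports an error back (an ICMP "Time Exceeded" message), revealing its identity. traceroute sends probes with TTL 1, then 2, then 3, and so on, so each probe expires one router further along the path.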

traceroute 1.1.1.1
 1  192.168.71.1               120 ms     ← home router (gateway)
 2  192.168.1.1                 27 ms     ← second-tier modem/router
 3  113.22.0.116                 5 ms     ← entering the ISP's network
 4  42.114.245.145               4 ms
 5  *                                     ← hop didn't reply (normal)
 6  118.68.199.231              14 ms     ← deeper into the ISP infrastructure
 ...

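There's a lot to read here: hop 1 is the home gateway, the later hops move out to the ISP and then the Internet. The time column (ms) tells you the round-trip latency to each hop. A high time on a single hop that does not carry through to the later hops (like the 120 ms at hop 1 above) usually reflects how slowly that router answers probes, not a slow path. A * is a hop that didn't reply (many routers simply don't answer these probes, which is normal). traceroute is the gold-standard tool when troubleshooting "the network is slow" or "can't reach the destination": you see which leg the packet stalls at.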

On Windows the command is tracert. macOS/Linux is traceroute. Same TTL principle.

Routing at Internet scale (good to know so it's not jarring)

In your home, routing is simple: anything not local gets pushed to the gateway. But between large ISPs, routers need to know the path to hundreds of thousands of networks. They exchange routing information using BGP (Border Gateway Protocol) — the Internet's "road map." You won't configure BGP unless you work on large network infrastructure, but knowing that these huge routing tables are maintained automatically via BGP is enough.

Wrap-up

A router connects networks and moves packets based on the destination IP. Your machine sends everything outside the LAN to the default gateway, based on the routing table (netstat -rn / ip route) — picking the most specific matching line, falling back to default if nothing else matches. The packet travels across many hops, each router only knowing the next leg; the end-to-end IP stays the same while the MAC is rewritten at each hop. traceroute shows you the real path leg by leg.

In traceroute, your machine appears with the private IP 192.168.71.168, but to the destination server it shows up as your public IP. That transformation is NAT — the subject of Article 5.