Trout

Configuring Overlay Routes

Set up routes so traffic flows through Access Gate without changing your existing network.

2 min read · Last updated 2026-05-02


Access Gate relies on routing to steer overlay traffic through the appliance while keeping the existing network (underlay) unchanged. This requires a small number of explicit routes on the router and a gateway configuration on Access Gate.

Configure Routes on the Router

Add routes so that overlay traffic is sent to Access Gate:

# Route overlay network through Access Gate
ip route add 100.64.0.0/16 via <access-gate-ip> # Overlay network
ip route add 100.65.0.6/29 via <access-gate-ip> # Access Gate interface

These routes ensure that any traffic destined for overlay IPs is forwarded to Access Gate.

Configure Access Gate Overlay Interface

In the Access Gate UI, on the overlay port:

  • IP address: 100.65.0.6/29
  • Gateway: 100.65.0.1

This allows Access Gate to send proxied traffic back to the underlay network via the existing router.

Resulting Traffic Flow

With these routes in place, every protected session has two legs — one in the overlay, one in the underlay — and Access Gate translates between them. One leg is always still in the existing network, which is what lets Access Gate protect assets without re-IP'ing them.

Suppose a client at underlay 192.168.10.50 wants to reach a protected HMI whose underlay IP is 192.168.30.20. Access Gate exposes that HMI at overlay 100.64.1.20.

  1. Inbound from the client. The client sends a packet with source 192.168.10.50 and destination 100.64.1.20. The router matches the 100.64.0.0/16 route and forwards the packet to Access Gate.
  2. Policy + NAT at Access Gate. Access Gate authenticates the session, applies policy, and opens a new connection to the HMI on the underlay. The forwarded packet has source 100.65.0.6 (Access Gate's own underlay IP, applied by source NAT) and destination 192.168.30.20. The HMI never sees the overlay address.
  3. Outbound from the HMI. The HMI replies to 100.65.0.6. Access Gate matches the reply against the original overlay session and returns it to the client with source 100.64.1.20 and destination 192.168.10.50.

Because the asset-side leg always stays in the underlay, no VLAN changes or IP reassignments are required. Access Gate is the only device on the network that needs to know the overlay exists.
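The walkthrough above as a small model, added here as an illustration and not Trout's code: a longest-prefix-match lookup over the two router routes, then a two-leg session table that rewrites addresses in each direction. The default route, the port numbers, the allow set standing in for policy, and keying sessions on the NAT source port are assumptions made for the example.

```python
import ipaddress
from itertools import count

GATE = "<access-gate-ip>"                      # placeholder kept from the page
ROUTES = [("100.64.0.0/16", GATE),             # overlay network (from the page)
          ("100.65.0.6/29", GATE),             # Access Gate interface (from the page)
          ("0.0.0.0/0", "underlay")]           # constructed: all other traffic stays in the underlay
PUBLISHED = {"100.64.1.20": "192.168.30.20"}   # overlay IP -> asset underlay IP (the page's HMI)
GATE_IP = "100.65.0.6"

def next_hop(dst):
    """Longest-prefix match over the router table."""
    addr = ipaddress.ip_address(dst)
    # strict=False: the page writes the /29 using the interface address (host bits set)
    nets = [(ipaddress.ip_network(p, strict=False), hop) for p, hop in ROUTES]
    return max((n for n in nets if addr in n[0]), key=lambda n: n[0].prefixlen)[1]

class Gate:
    """Simplified two-leg session table; authentication and policy reduced to an allow set."""
    def __init__(self, allowed_clients):
        self.allowed = set(allowed_clients)
        self.sessions = {}                     # NAT source port -> (client IP, client port, overlay IP)
        self.ports = count(40000)              # constructed NAT port range

    def inbound(self, src, sport, dst, dport):
        """Overlay leg in, underlay leg out. Returns the packet the asset sees, or None."""
        if next_hop(dst) != GATE or dst not in PUBLISHED or src not in self.allowed:
            return None
        nat_port = next(self.ports)
        self.sessions[nat_port] = (src, sport, dst)
        return (GATE_IP, nat_port, PUBLISHED[dst], dport)

    def reply(self, src, sport, dst, dport):
        """Asset's reply to the gate, mapped back onto the original overlay session."""
        sess = self.sessions.get(dport)
        if dst != GATE_IP or sess is None or PUBLISHED[sess[2]] != src:
            return None                        # no matching session: nothing is returned to a client
        client, cport, overlay = sess
        return (overlay, sport, client, cport)

def walkthrough():
    """Replays steps 1 to 3 with the page's addresses; ports are constructed."""
    gate = Gate(allowed_clients={"192.168.10.50"})
    to_hmi = gate.inbound("192.168.10.50", 51000, "100.64.1.20", 443)
    to_client = gate.reply("192.168.30.20", 443, *to_hmi[:2])
    return to_hmi, to_client

if __name__ == "__main__":
    print(walkthrough())
```

The HMI-side tuple carries only 100.65.0.6 and 192.168.30.20, and the client-side tuple only 100.64.1.20 and 192.168.10.50, which is the address separation the section describes.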