From b031725dfe968e06fc58a44820b69c903e14bd37 Mon Sep 17 00:00:00 2001
From: Debian <linux@myhorse.netcell-it.de>
Date: Tue, 12 May 2026 23:50:26 +0200
Subject: [PATCH] feat(routes): Static-Routes-Management + Live-View
 (Networks-Tab)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Migration 0019: static_routes (id, destination, gateway, dev, metric,
table_name, active, comment).

internal/services/staticroutes/:
  - CRUD-Repo
  - Generator schreibt /etc/edgeguard/routes.conf (pipe-format) und
    triggert `sudo systemctl restart edgeguard-routes.service`
  - LiveAll() ruft `ip -j route show table all` und parsed JSON

internal/handlers/routes.go:
  GET /api/v1/routes           — managed (DB)
  POST/PUT/DELETE              — CRUD (re-render + apply on mutate)
  GET /api/v1/routes/live      — kernel-state via ip(8)

postinst:
  - /usr/sbin/edgeguard-apply-routes (root-owned shell-script). Liest
    routes.conf, flusht `proto 250` (= edgeguard), setzt neue Routen
    mit proto 250. Andere Quellen (kernel/dhcp/manuell) bleiben
    unangetastet.
  - /etc/systemd/system/edgeguard-routes.service (Type=oneshot,
    After=network-online.target). Beim Boot automatisch via
    multi-user.target.
  - /etc/iproute2/rt_protos.d/edgeguard.conf — Symbol "edgeguard" =
    250 damit `ip route show proto edgeguard` funktioniert.
    (Debian 13 hat kein /etc/iproute2 default → .d-Pattern statt
    rt_protos-Anhängen.)
  - sudoers: edgeguard ALL=(root) NOPASSWD: /usr/bin/systemctl
    restart edgeguard-routes.service

UI: Networks-Page jetzt mit Tabs (Interfaces + Routen). Routes-Tab
hat zwei Cards:
  - Live-Routen (read-only, 30s refresh, `proto edgeguard` farblich
    hervorgehoben)
  - Verwaltete Routen (CRUD-Tabelle, Add/Edit-Modal mit destination/
    gateway/dev/metric/table/active/comment)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 VERSION                                       |   2 +-
 cmd/edgeguard-api/main.go                     |   5 +-
 cmd/edgeguard-ctl/main.go                     |   2 +-
 cmd/edgeguard-scheduler/main.go               |   2 +-
 .../migrations/0019_static_routes.sql         |  39 +++
 internal/handlers/routes.go                   | 128 ++++++++
 .../services/staticroutes/staticroutes.go     | 280 ++++++++++++++++++
 .../src/components/Layout/Sidebar.tsx         |   2 +-
 management-ui/src/i18n/locales/de/common.json |  38 ++-
 management-ui/src/i18n/locales/en/common.json |  38 ++-
 .../src/pages/Networks/Interfaces.tsx         | 277 +++++++++++++++++
 management-ui/src/pages/Networks/Routes.tsx   | 274 +++++++++++++++++
 management-ui/src/pages/Networks/index.tsx    | 275 +----------------
 .../debian/edgeguard-api/DEBIAN/postinst      |  75 +++++
 14 files changed, 1162 insertions(+), 275 deletions(-)
 create mode 100644 internal/database/migrations/0019_static_routes.sql
 create mode 100644 internal/handlers/routes.go
 create mode 100644 internal/services/staticroutes/staticroutes.go
 create mode 100644 management-ui/src/pages/Networks/Interfaces.tsx
 create mode 100644 management-ui/src/pages/Networks/Routes.tsx

diff --git a/VERSION b/VERSION
index 7b8d6b7..c8b4742 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.0.65
+1.0.67
diff --git a/cmd/edgeguard-api/main.go b/cmd/edgeguard-api/main.go
index 3b2621d..f873893 100644
--- a/cmd/edgeguard-api/main.go
+++ b/cmd/edgeguard-api/main.go
@@ -45,13 +45,14 @@ import (
 	ntpsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/ntp"
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/routingrules"
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/secrets"
+	"git.netcell-it.de/projekte/edgeguard-native/internal/services/staticroutes"
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/session"
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/setup"
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
 	wgsvc "git.netcell-it.de/projekte/edgeguard-native/internal/services/wireguard"
 )
 
-var version = "1.0.65"
+var version = "1.0.67"
 
 func main() {
 	addr := os.Getenv("EDGEGUARD_API_ADDR")
@@ -183,6 +184,8 @@ func main() {
 		handlers.NewRoutingRulesHandler(routingRepo, auditRepo, nodeID, haproxyReloader).Register(authed)
 		handlers.NewNetworksHandler(ifsRepo, ipsRepo, fwZones, auditRepo, nodeID).Register(authed)
 		handlers.NewIPAddressesHandler(ipsRepo, auditRepo, nodeID).Register(authed)
+		handlers.NewRoutesHandler(staticroutes.New(pool), staticroutes.NewGenerator(pool),
+			auditRepo, nodeID).Register(authed)
 		handlers.NewClusterHandler(clusterStore, nodeID).Register(authed)
 		handlers.NewAuditHandler(auditRepo).Register(authed)
 		handlers.NewHAProxyStatsHandler().Register(authed)
diff --git a/cmd/edgeguard-ctl/main.go b/cmd/edgeguard-ctl/main.go
index c164e32..50193e5 100644
--- a/cmd/edgeguard-ctl/main.go
+++ b/cmd/edgeguard-ctl/main.go
@@ -9,7 +9,7 @@ import (
 	"os"
 )
 
-var version = "1.0.65"
+var version = "1.0.67"
 
 const usage = `edgeguard-ctl — EdgeGuard CLI
 
diff --git a/cmd/edgeguard-scheduler/main.go b/cmd/edgeguard-scheduler/main.go
index a4fce3d..d5caefa 100644
--- a/cmd/edgeguard-scheduler/main.go
+++ b/cmd/edgeguard-scheduler/main.go
@@ -25,7 +25,7 @@ import (
 	"git.netcell-it.de/projekte/edgeguard-native/internal/services/tlscerts"
 )
 
-var version = "1.0.65"
+var version = "1.0.67"
 
 const (
 	// renewTickInterval — how often we re-evaluate expiring certs.
diff --git a/internal/database/migrations/0019_static_routes.sql b/internal/database/migrations/0019_static_routes.sql
new file mode 100644
index 0000000..7f4759e
--- /dev/null
+++ b/internal/database/migrations/0019_static_routes.sql
@@ -0,0 +1,39 @@
+-- +goose Up
+-- +goose StatementBegin
+
+-- Static routes — managed durch EdgeGuard, geschrieben in
+-- /etc/edgeguard/routes.conf und appliziert via `ip route … proto
+-- edgeguard`. Markierung mit Protocol-ID 250 (in der apply-script
+-- gemappt) damit der Operator manuell-gesetzte Routen im Kernel
+-- erkennt und nicht beim flush wegradiert.
+--
+-- destination: CIDR ("10.0.5.0/24" oder "0.0.0.0/0").
+-- gateway:     IPv4/v6 oder NULL (für on-link via dev).
+-- dev:         interface name (optional; bei Gateway-only kann ip das
+--              selbst auflösen, aber explizit ist besser).
+-- metric:      Priorität — niedriger gewinnt (default 100).
+-- table:       routing table name oder "main" (default).
+
+CREATE TABLE IF NOT EXISTS static_routes (
+    id          BIGSERIAL PRIMARY KEY,
+    destination TEXT NOT NULL,
+    gateway     TEXT,
+    dev         TEXT,
+    metric      INTEGER NOT NULL DEFAULT 100,
+    table_name  TEXT NOT NULL DEFAULT 'main',
+    active      BOOLEAN NOT NULL DEFAULT TRUE,
+    comment     TEXT,
+    created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT static_routes_metric_check CHECK (metric >= 0 AND metric <= 65535)
+);
+
+CREATE INDEX IF NOT EXISTS idx_static_routes_active ON static_routes (active) WHERE active;
+CREATE INDEX IF NOT EXISTS idx_static_routes_dest   ON static_routes (destination);
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS static_routes;
+-- +goose StatementEnd
diff --git a/internal/handlers/routes.go b/internal/handlers/routes.go
new file mode 100644
index 0000000..93e5e33
--- /dev/null
+++ b/internal/handlers/routes.go
@@ -0,0 +1,128 @@
+package handlers
+
+import (
+	"context"
+	"errors"
+	"log/slog"
+	"strconv"
+
+	"github.com/gin-gonic/gin"
+
+	"git.netcell-it.de/projekte/edgeguard-native/internal/handlers/response"
+	"git.netcell-it.de/projekte/edgeguard-native/internal/services/audit"
+	"git.netcell-it.de/projekte/edgeguard-native/internal/services/staticroutes"
+)
+
+// RoutesHandler exposes:
+//
+//	GET    /api/v1/routes           — verwaltete Routen aus DB
+//	POST   /api/v1/routes           — anlegen
+//	PUT    /api/v1/routes/:id       — ändern
+//	DELETE /api/v1/routes/:id       — löschen
+//	GET    /api/v1/routes/live      — Live-Routen vom Kernel (ip -j route)
+type RoutesHandler struct {
+	Repo     *staticroutes.Repo
+	Renderer *staticroutes.Generator
+	Audit    *audit.Repo
+	NodeID   string
+}
+
+func NewRoutesHandler(repo *staticroutes.Repo, gen *staticroutes.Generator,
+	a *audit.Repo, nodeID string) *RoutesHandler {
+	return &RoutesHandler{Repo: repo, Renderer: gen, Audit: a, NodeID: nodeID}
+}
+
+func (h *RoutesHandler) Register(rg *gin.RouterGroup) {
+	g := rg.Group("/routes")
+	g.GET("", h.List)
+	g.POST("", h.Create)
+	g.PUT("/:id", h.Update)
+	g.DELETE("/:id", h.Delete)
+	g.GET("/live", h.Live)
+}
+
+func (h *RoutesHandler) reload(ctx context.Context, op string) {
+	if h.Renderer == nil {
+		return
+	}
+	if err := h.Renderer.Render(ctx); err != nil {
+		slog.Warn("routes: render+apply failed", "op", op, "error", err)
+	}
+}
+
+func (h *RoutesHandler) List(c *gin.Context) {
+	out, err := h.Repo.List(c.Request.Context())
+	if err != nil {
+		response.Internal(c, err)
+		return
+	}
+	response.OK(c, gin.H{"routes": out})
+}
+
+func (h *RoutesHandler) Create(c *gin.Context) {
+	var req staticroutes.Route
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, err)
+		return
+	}
+	out, err := h.Repo.Create(c.Request.Context(), req)
+	if err != nil {
+		response.Internal(c, err)
+		return
+	}
+	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "route.create", out.Destination, out, h.NodeID)
+	response.Created(c, out)
+	h.reload(c.Request.Context(), "create")
+}
+
+func (h *RoutesHandler) Update(c *gin.Context) {
+	id, ok := parseID(c)
+	if !ok {
+		return
+	}
+	var req staticroutes.Route
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, err)
+		return
+	}
+	out, err := h.Repo.Update(c.Request.Context(), id, req)
+	if err != nil {
+		if errors.Is(err, staticroutes.ErrNotFound) {
+			response.NotFound(c, err)
+			return
+		}
+		response.Internal(c, err)
+		return
+	}
+	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "route.update", out.Destination, out, h.NodeID)
+	response.OK(c, out)
+	h.reload(c.Request.Context(), "update")
+}
+
+func (h *RoutesHandler) Delete(c *gin.Context) {
+	id, ok := parseID(c)
+	if !ok {
+		return
+	}
+	if err := h.Repo.Delete(c.Request.Context(), id); err != nil {
+		if errors.Is(err, staticroutes.ErrNotFound) {
+			response.NotFound(c, err)
+			return
+		}
+		response.Internal(c, err)
+		return
+	}
+	_ = h.Audit.Log(c.Request.Context(), actorOf(c), "route.delete",
+		strconv.FormatInt(id, 10), gin.H{"id": id}, h.NodeID)
+	response.NoContent(c)
+	h.reload(c.Request.Context(), "delete")
+}
+
+func (h *RoutesHandler) Live(c *gin.Context) {
+	routes, err := staticroutes.LiveAll(c.Request.Context())
+	if err != nil {
+		response.Internal(c, err)
+		return
+	}
+	response.OK(c, gin.H{"routes": routes})
+}
diff --git a/internal/services/staticroutes/staticroutes.go b/internal/services/staticroutes/staticroutes.go
new file mode 100644
index 0000000..db2de63
--- /dev/null
+++ b/internal/services/staticroutes/staticroutes.go
@@ -0,0 +1,280 @@
+// Package staticroutes verwaltet die static_routes-Tabelle, schreibt
+// /etc/edgeguard/routes.conf und triggert das Apply-Skript via
+// `sudo systemctl reload-or-restart edgeguard-routes.service`.
+//
+// Live-Routen (was der Kernel aktuell hat) liest /api/v1/routes/live
+// direkt via `ip -j route` — kein DB-Roundtrip nötig.
+package staticroutes
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os/exec"
+	"strings"
+
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgxpool"
+
+	"git.netcell-it.de/projekte/edgeguard-native/internal/configgen"
+)
+
+var ErrNotFound = errors.New("route not found")
+
+// ConfPath ist der Pfad der vom apply-Skript gelesen wird. Postinst
+// erzeugt das Skript (/usr/sbin/edgeguard-apply-routes) und die
+// systemd-Unit (edgeguard-routes.service Type=oneshot).
+const ConfPath = "/etc/edgeguard/routes.conf"
+
+type Repo struct {
+	Pool *pgxpool.Pool
+}
+
+func New(pool *pgxpool.Pool) *Repo { return &Repo{Pool: pool} }
+
+type Route struct {
+	ID          int64   `json:"id"`
+	Destination string  `json:"destination"`
+	Gateway     *string `json:"gateway,omitempty"`
+	Dev         *string `json:"dev,omitempty"`
+	Metric      int     `json:"metric"`
+	TableName   string  `json:"table_name"`
+	Active      bool    `json:"active"`
+	Comment     *string `json:"comment,omitempty"`
+}
+
+const baseSelect = `
+SELECT id, destination, gateway, dev, metric, table_name, active, comment
+FROM static_routes
+`
+
+func (r *Repo) List(ctx context.Context) ([]Route, error) {
+	rows, err := r.Pool.Query(ctx, baseSelect+
+		" ORDER BY metric ASC, destination ASC, id ASC")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	out := []Route{}
+	for rows.Next() {
+		var x Route
+		if err := rows.Scan(&x.ID, &x.Destination, &x.Gateway, &x.Dev,
+			&x.Metric, &x.TableName, &x.Active, &x.Comment); err != nil {
+			return nil, err
+		}
+		out = append(out, x)
+	}
+	return out, rows.Err()
+}
+
+func (r *Repo) Get(ctx context.Context, id int64) (*Route, error) {
+	row := r.Pool.QueryRow(ctx, baseSelect+" WHERE id = $1", id)
+	var x Route
+	if err := row.Scan(&x.ID, &x.Destination, &x.Gateway, &x.Dev,
+		&x.Metric, &x.TableName, &x.Active, &x.Comment); err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+	return &x, nil
+}
+
+func (r *Repo) Create(ctx context.Context, x Route) (*Route, error) {
+	if x.Metric == 0 {
+		x.Metric = 100
+	}
+	if x.TableName == "" {
+		x.TableName = "main"
+	}
+	row := r.Pool.QueryRow(ctx, `
+INSERT INTO static_routes (destination, gateway, dev, metric, table_name, active, comment)
+VALUES ($1, $2, $3, $4, $5, $6, $7)
+RETURNING id, destination, gateway, dev, metric, table_name, active, comment`,
+		x.Destination, x.Gateway, x.Dev, x.Metric, x.TableName, x.Active, x.Comment)
+	var out Route
+	if err := row.Scan(&out.ID, &out.Destination, &out.Gateway, &out.Dev,
+		&out.Metric, &out.TableName, &out.Active, &out.Comment); err != nil {
+		return nil, err
+	}
+	return &out, nil
+}
+
+func (r *Repo) Update(ctx context.Context, id int64, x Route) (*Route, error) {
+	if x.Metric == 0 {
+		x.Metric = 100
+	}
+	if x.TableName == "" {
+		x.TableName = "main"
+	}
+	row := r.Pool.QueryRow(ctx, `
+UPDATE static_routes SET
+   destination = $1, gateway = $2, dev = $3, metric = $4,
+   table_name = $5, active = $6, comment = $7, updated_at = NOW()
+WHERE id = $8
+RETURNING id, destination, gateway, dev, metric, table_name, active, comment`,
+		x.Destination, x.Gateway, x.Dev, x.Metric, x.TableName, x.Active, x.Comment, id)
+	var out Route
+	if err := row.Scan(&out.ID, &out.Destination, &out.Gateway, &out.Dev,
+		&out.Metric, &out.TableName, &out.Active, &out.Comment); err != nil {
+		if errors.Is(err, pgx.ErrNoRows) {
+			return nil, ErrNotFound
+		}
+		return nil, err
+	}
+	return &out, nil
+}
+
+func (r *Repo) Delete(ctx context.Context, id int64) error {
+	tag, err := r.Pool.Exec(ctx, `DELETE FROM static_routes WHERE id = $1`, id)
+	if err != nil {
+		return err
+	}
+	if tag.RowsAffected() == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
+// Render schreibt /etc/edgeguard/routes.conf und triggert das
+// apply-Skript via sudo. Aufruf-Pattern wie andere Renderer
+// (configgen.AtomicWrite + ReloadService).
+type Generator struct {
+	Pool *pgxpool.Pool
+	Repo *Repo
+	Out  string
+}
+
+func NewGenerator(pool *pgxpool.Pool) *Generator {
+	return &Generator{Pool: pool, Repo: New(pool), Out: ConfPath}
+}
+
+func (g *Generator) Render(ctx context.Context) error {
+	routes, err := g.Repo.List(ctx)
+	if err != nil {
+		return fmt.Errorf("list: %w", err)
+	}
+	var buf bytes.Buffer
+	buf.WriteString("# Generated by edgeguard-api — DO NOT EDIT.\n")
+	buf.WriteString("# Read by /usr/sbin/edgeguard-apply-routes on `systemctl restart\n")
+	buf.WriteString("# edgeguard-routes.service`. Format: destination|gateway|dev|metric|table\n")
+	buf.WriteString("# (pipe-delimited; empty fields stay empty). Lines beginning with '#'\n")
+	buf.WriteString("# are ignored. proto edgeguard → safe für `ip route flush proto edgeguard`.\n")
+	for _, r := range routes {
+		if !r.Active {
+			continue
+		}
+		gw := ""
+		if r.Gateway != nil {
+			gw = *r.Gateway
+		}
+		dev := ""
+		if r.Dev != nil {
+			dev = *r.Dev
+		}
+		fmt.Fprintf(&buf, "%s|%s|%s|%d|%s\n",
+			sanitize(r.Destination), sanitize(gw), sanitize(dev),
+			r.Metric, sanitize(r.TableName))
+	}
+	if err := configgen.AtomicWrite(g.Out, buf.Bytes(), 0o644); err != nil {
+		return fmt.Errorf("write %s: %w", g.Out, err)
+	}
+	// Apply — sudo systemctl restart edgeguard-routes.service. Failures
+	// loggen wir; das File ist geschrieben, ein retry über die UI ist
+	// trivial.
+	if err := applyRoutes(ctx); err != nil {
+		return fmt.Errorf("apply: %w", err)
+	}
+	return nil
+}
+
+func applyRoutes(_ context.Context) error {
+	// Whitelist in postinst: sudo -n /usr/bin/systemctl restart
+	// edgeguard-routes.service
+	cmd := exec.Command("sudo", "-n", "/usr/bin/systemctl",
+		"restart", "edgeguard-routes.service")
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("systemctl restart edgeguard-routes.service: %s: %w",
+			strings.TrimSpace(string(out)), err)
+	}
+	return nil
+}
+
+// sanitize verhindert dass ein Operator-eingegebenes Feld den Pipe-
+// Separator brechen kann. Bei legitimen IP/CIDR-Strings kein Effekt.
+func sanitize(s string) string {
+	s = strings.ReplaceAll(s, "|", "")
+	s = strings.ReplaceAll(s, "\n", "")
+	return strings.TrimSpace(s)
+}
+
+// LiveRoute ist die UI-Sicht auf `ip -j route show`. Wir parsen das
+// JSON da rein damit das Frontend nicht selbst regex'en muss.
+type LiveRoute struct {
+	Destination string `json:"destination"`
+	Gateway     string `json:"gateway,omitempty"`
+	Dev         string `json:"dev,omitempty"`
+	Protocol    string `json:"protocol,omitempty"`
+	Scope       string `json:"scope,omitempty"`
+	Source      string `json:"src,omitempty"`
+	Metric      int    `json:"metric,omitempty"`
+	Table       string `json:"table,omitempty"`
+	Flags       []string `json:"flags,omitempty"`
+}
+
+// ipRouteRaw mirrors `ip -j route`'s shape. Felder die uns nicht
+// interessieren ignoriert der JSON-Decoder.
+type ipRouteRaw struct {
+	Dst      string   `json:"dst"`
+	Gateway  string   `json:"gateway"`
+	Dev      string   `json:"dev"`
+	Protocol string   `json:"protocol"`
+	Scope    string   `json:"scope"`
+	PrefSrc  string   `json:"prefsrc"`
+	Metric   int      `json:"metric"`
+	Table    string   `json:"table"`
+	Flags    []string `json:"flags"`
+}
+
+// LiveAll ruft `ip -j route show table all` auf und gibt die geparste
+// Liste zurück. Liest stdout direkt — kein File-Buffering.
+func LiveAll(ctx context.Context) ([]LiveRoute, error) {
+	cmd := exec.CommandContext(ctx, "/usr/sbin/ip", "-j", "route", "show", "table", "all")
+	out, err := cmd.Output()
+	if err != nil {
+		// Manche Distros haben ip in /sbin oder /bin — fallback via PATH.
+		cmd = exec.CommandContext(ctx, "ip", "-j", "route", "show", "table", "all")
+		out, err = cmd.Output()
+		if err != nil {
+			return nil, fmt.Errorf("ip -j route: %w", err)
+		}
+	}
+	// Wenn ip -j leeres Array liefert kommt "[]" — sauber parsen.
+	out = bytes.TrimSpace(out)
+	if len(out) == 0 || bytes.Equal(out, []byte("[]")) {
+		return []LiveRoute{}, nil
+	}
+	var raw []ipRouteRaw
+	if err := json.Unmarshal(out, &raw); err != nil {
+		return nil, fmt.Errorf("parse ip -j: %w", err)
+	}
+	res := make([]LiveRoute, 0, len(raw))
+	for _, r := range raw {
+		res = append(res, LiveRoute{
+			Destination: r.Dst,
+			Gateway:     r.Gateway,
+			Dev:         r.Dev,
+			Protocol:    r.Protocol,
+			Scope:       r.Scope,
+			Source:      r.PrefSrc,
+			Metric:      r.Metric,
+			Table:       r.Table,
+			Flags:       r.Flags,
+		})
+	}
+	return res, nil
+}
+
diff --git a/management-ui/src/components/Layout/Sidebar.tsx b/management-ui/src/components/Layout/Sidebar.tsx
index 6f5a54c..2d3531a 100644
--- a/management-ui/src/components/Layout/Sidebar.tsx
+++ b/management-ui/src/components/Layout/Sidebar.tsx
@@ -78,7 +78,7 @@ const NAV: NavSection[] = [
   },
 ]
 
-const VERSION = '1.0.65'
+const VERSION = '1.0.67'
 
 // Sidebar-Pattern 1:1 aus netcell-webpanel (enconf) übernommen:
 // - <nav> als root, dunkler Gradient + Teal/Blue-Accent
diff --git a/management-ui/src/i18n/locales/de/common.json b/management-ui/src/i18n/locales/de/common.json
index 9d6fa75..f25cb7b 100644
--- a/management-ui/src/i18n/locales/de/common.json
+++ b/management-ui/src/i18n/locales/de/common.json
@@ -114,8 +114,12 @@
     }
   },
   "networks": {
-    "title": "Netzwerk-Interfaces",
-    "intro": "Verwalte WAN-, LAN-, VLAN- und Bond-Interfaces. Read-only-Discovery der Kernel-Interfaces oben; deklarierte Konfiguration unten — runtime-Apply via systemd-networkd folgt in einem späteren Release.",
+    "title": "Netzwerk",
+    "intro": "Interfaces (Ethernet/VLAN/Bond/Bridge) und Static-Routes. Live-Discovery + deklarative Konfiguration aus der DB.",
+    "tabs": {
+      "interfaces": "Interfaces",
+      "routes": "Routen"
+    },
     "systemDiscovered": "System-Interfaces (read-only)",
     "addInterface": "Interface hinzufügen",
     "editInterface": "Interface bearbeiten",
@@ -622,6 +626,36 @@
     "cta": "Jetzt aktivieren →",
     "openPage": "Lizenz-Seite öffnen →"
   },
+  "routes": {
+    "liveTitle": "Live-Routen (Kernel)",
+    "liveIntro": "Aktueller Zustand aus `ip -j route show table all`. proto edgeguard markiert von EdgeGuard verwaltete Routen — andere Quellen (kernel/static/dhcp) bleiben unberührt.",
+    "liveEmpty": "Keine Routen im Kernel.",
+    "managedTitle": "Verwaltete Routen",
+    "managedIntro": "Statische Routen, die EdgeGuard via `ip route … proto edgeguard` beim Boot setzt. Änderung hier triggert sofort `systemctl restart edgeguard-routes.service`.",
+    "add": "Route hinzufügen",
+    "addTitle": "Statische Route anlegen",
+    "editTitle": "Statische Route bearbeiten",
+    "empty": "Keine verwalteten Routen.",
+    "confirmDelete": "Route nach {{dest}} wirklich löschen?",
+    "refreshTooltip": "Live-Routen neu laden",
+    "destExtra": "CIDR — z.B. 10.0.5.0/24 oder 0.0.0.0/0 für Default-Route.",
+    "gatewayExtra": "Optional. Leer = on-link via dev.",
+    "devExtra": "Output-Interface. Bei Gateway-only kann ip das auflösen, explizit ist aber stabiler.",
+    "metricExtra": "Niedriger gewinnt. Default 100. Standard-Linux-Defaults: dhcp 1024, kernel-link 0.",
+    "tableExtra": "Routing-Table. main = Standard. Custom-Tables via /etc/iproute2/rt_tables.",
+    "col": {
+      "destination": "Ziel",
+      "gateway": "Gateway",
+      "dev": "Interface",
+      "metric": "Metric",
+      "table": "Table",
+      "active": "Aktiv",
+      "comment": "Kommentar",
+      "proto": "Protokoll",
+      "scope": "Scope",
+      "src": "Quell-IP"
+    }
+  },
   "backups": {
     "title": "Backups",
     "intro": "Sicherungen der PostgreSQL-Datenbank + /var/lib/edgeguard (Setup, License, JWT, ACME-Account). Täglicher Auto-Job + manueller Trigger.",
diff --git a/management-ui/src/i18n/locales/en/common.json b/management-ui/src/i18n/locales/en/common.json
index bf6ec81..c3400f9 100644
--- a/management-ui/src/i18n/locales/en/common.json
+++ b/management-ui/src/i18n/locales/en/common.json
@@ -114,8 +114,12 @@
     }
   },
   "networks": {
-    "title": "Network interfaces",
-    "intro": "Manage WAN, LAN, VLAN and bond interfaces. Read-only kernel discovery above; declared configuration below — runtime apply via systemd-networkd lands in a later release.",
+    "title": "Network",
+    "intro": "Interfaces (Ethernet / VLAN / bond / bridge) and static routes. Live kernel discovery + declared configuration from the DB.",
+    "tabs": {
+      "interfaces": "Interfaces",
+      "routes": "Routes"
+    },
     "systemDiscovered": "System interfaces (read-only)",
     "addInterface": "Add interface",
     "editInterface": "Edit interface",
@@ -622,6 +626,36 @@
     "cta": "Activate now →",
     "openPage": "Open license page →"
   },
+  "routes": {
+    "liveTitle": "Live routes (kernel)",
+    "liveIntro": "Current state from `ip -j route show table all`. proto edgeguard marks routes managed by EdgeGuard — other sources (kernel/static/dhcp) are left untouched.",
+    "liveEmpty": "No routes in kernel.",
+    "managedTitle": "Managed routes",
+    "managedIntro": "Static routes EdgeGuard installs via `ip route … proto edgeguard` on boot. Changes here trigger `systemctl restart edgeguard-routes.service` immediately.",
+    "add": "Add route",
+    "addTitle": "Add static route",
+    "editTitle": "Edit static route",
+    "empty": "No managed routes yet.",
+    "confirmDelete": "Really delete route to {{dest}}?",
+    "refreshTooltip": "Reload live routes",
+    "destExtra": "CIDR — e.g. 10.0.5.0/24 or 0.0.0.0/0 for the default route.",
+    "gatewayExtra": "Optional. Empty = on-link via dev.",
+    "devExtra": "Output interface. Optional if gateway resolves; explicit is more stable.",
+    "metricExtra": "Lower wins. Default 100. Linux defaults: dhcp 1024, kernel-link 0.",
+    "tableExtra": "Routing table. main = default. Custom tables via /etc/iproute2/rt_tables.",
+    "col": {
+      "destination": "Destination",
+      "gateway": "Gateway",
+      "dev": "Interface",
+      "metric": "Metric",
+      "table": "Table",
+      "active": "Active",
+      "comment": "Comment",
+      "proto": "Protocol",
+      "scope": "Scope",
+      "src": "Source IP"
+    }
+  },
   "backups": {
     "title": "Backups",
     "intro": "Snapshots of the PostgreSQL database + /var/lib/edgeguard (setup, license, JWT, ACME account). Daily auto job + manual trigger.",
diff --git a/management-ui/src/pages/Networks/Interfaces.tsx b/management-ui/src/pages/Networks/Interfaces.tsx
new file mode 100644
index 0000000..9196c12
--- /dev/null
+++ b/management-ui/src/pages/Networks/Interfaces.tsx
@@ -0,0 +1,277 @@
+import { useState } from 'react'
+import { Button, Card, Form, Input, InputNumber, Modal, Select, Space, Switch, Tag, Tooltip, Typography, message } from 'antd'
+import type { ColumnsType } from 'antd/es/table'
+import { PlusOutlined } from '@ant-design/icons'
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
+import { useTranslation } from 'react-i18next'
+import DataTable from '../../components/DataTable'
+import ActionButtons from '../../components/ActionButtons'
+import StatusDot from '../../components/StatusDot'
+
+import apiClient, { isEnvelope } from '../../api/client'
+
+interface NetworkInterface {
+  id: number
+  name: string
+  type: 'ethernet' | 'vlan' | 'bond' | 'bridge' | 'wireguard'
+  parent?: string | null
+  vlan_id?: number | null
+  members: string[]
+  role: string
+  mtu?: number | null
+  active: boolean
+  description?: string | null
+  created_at: string
+  updated_at: string
+}
+
+interface IfaceFormValues {
+  name: string
+  type: NetworkInterface['type']
+  parent?: string
+  vlan_id?: number
+  members?: string[]
+  role: string
+  mtu?: number
+  active: boolean
+  description?: string
+}
+
+interface SystemInterface {
+  ifname: string
+  link_type?: string
+  address?: string
+  flags?: string[]
+  addr_info?: Array<{ family: 'inet' | 'inet6'; local: string; prefixlen: number }>
+}
+
+async function listInterfaces(): Promise<NetworkInterface[]> {
+  const r = await apiClient.get('/network-interfaces')
+  if (!isEnvelope(r.data)) return []
+  return (r.data.data as { interfaces?: NetworkInterface[] }).interfaces ?? []
+}
+
+async function listSystemInterfaces(): Promise<SystemInterface[]> {
+  const r = await apiClient.get('/system/interfaces')
+  if (!isEnvelope(r.data)) return []
+  return (r.data.data as { interfaces?: SystemInterface[] }).interfaces ?? []
+}
+
+interface FwZone { id: number; name: string; description?: string | null; builtin: boolean }
+async function listZones(): Promise<FwZone[]> {
+  const r = await apiClient.get('/firewall/zones')
+  if (!isEnvelope(r.data)) return []
+  return (r.data.data as { zones?: FwZone[] }).zones ?? []
+}
+
+export default function InterfacesTab() {
+  const { t } = useTranslation()
+  const qc = useQueryClient()
+
+  const { data: ifs, isLoading } = useQuery({ queryKey: ['network-interfaces'], queryFn: listInterfaces })
+  const { data: sys } = useQuery({ queryKey: ['system', 'interfaces'], queryFn: listSystemInterfaces, refetchInterval: 60_000 })
+  const { data: zones } = useQuery({ queryKey: ['fw-zones'], queryFn: listZones })
+
+  const [editing, setEditing] = useState<NetworkInterface | null>(null)
+  const [creating, setCreating] = useState(false)
+  const [form] = Form.useForm<IfaceFormValues>()
+
+  const create = useMutation({
+    mutationFn: async (v: IfaceFormValues) => { await apiClient.post('/network-interfaces', v) },
+    onSuccess: () => {
+      message.success(t('common.save'))
+      setCreating(false); form.resetFields()
+      void qc.invalidateQueries({ queryKey: ['network-interfaces'] })
+    },
+  })
+  const update = useMutation({
+    mutationFn: async ({ id, v }: { id: number; v: IfaceFormValues }) => { await apiClient.put(`/network-interfaces/${id}`, v) },
+    onSuccess: () => {
+      message.success(t('common.save'))
+      setEditing(null); form.resetFields()
+      void qc.invalidateQueries({ queryKey: ['network-interfaces'] })
+    },
+  })
+  const del = useMutation({
+    mutationFn: async (id: number) => { await apiClient.delete(`/network-interfaces/${id}`) },
+    onSuccess: () => { void qc.invalidateQueries({ queryKey: ['network-interfaces'] }) },
+  })
+
+  // Stable colour palette for role tags. Builtin zones get a fixed
+  // colour; custom zones cycle through the palette by name hash so
+  // the same custom zone always shows up in the same shade.
+  const PALETTE = ['blue', 'green', 'orange', 'purple', 'magenta', 'cyan', 'gold', 'volcano', 'geekblue']
+  const FIXED: Record<string, string> = { wan: 'blue', lan: 'green', dmz: 'orange', mgmt: 'purple', cluster: 'magenta' }
+  const roleColor = (r: string): string => {
+    if (FIXED[r]) return FIXED[r]
+    let h = 0
+    for (let i = 0; i < r.length; i++) h = (h * 31 + r.charCodeAt(i)) >>> 0
+    return PALETTE[h % PALETTE.length]
+  }
+
+  const columns: ColumnsType<NetworkInterface> = [
+    { title: t('networks.name'), dataIndex: 'name', key: 'name', render: (s: string) => <code>{s}</code> },
+    { title: t('networks.type'), dataIndex: 'type', key: 'type' },
+    {
+      title: t('networks.composition'), key: 'composition',
+      render: (_, row) => {
+        if (row.type === 'vlan')                       return <span><code>{row.parent}</code>.{row.vlan_id}</span>
+        if (row.type === 'bridge' || row.type === 'bond') {
+          return <Space size={4} wrap>{(row.members ?? []).map((m) => <Tag key={m}>{m}</Tag>)}</Space>
+        }
+        return '—'
+      },
+    },
+    {
+      title: t('networks.role'), dataIndex: 'role', key: 'role',
+      render: (r: string) => <Tag color={roleColor(r)}>{r.toUpperCase()}</Tag>,
+    },
+    { title: t('networks.mtu'), dataIndex: 'mtu', key: 'mtu', render: (v?: number) => v ?? '—' },
+    { title: t('networks.active'), dataIndex: 'active', key: 'active', render: (v: boolean) => <StatusDot active={v} /> },
+    {
+      title: t('common.actions'), key: 'actions',
+      render: (_, row) => (
+        <ActionButtons
+          onEdit={() => {
+            setEditing(row)
+            form.setFieldsValue({
+              name: row.name, type: row.type, parent: row.parent ?? undefined,
+              vlan_id: row.vlan_id ?? undefined, members: row.members ?? [],
+              role: row.role,
+              mtu: row.mtu ?? undefined, active: row.active,
+              description: row.description ?? undefined,
+            })
+          }}
+          onDelete={() => del.mutate(row.id)}
+          deleteConfirm={t('networks.deleteConfirm', { name: row.name })}
+        />
+      ),
+    },
+  ]
+
+  return (
+    <div>
+      <Card title={t('networks.systemDiscovered')} className="mb-12" size="small">
+        <Space wrap>
+          {(sys ?? []).map((i) => {
+            const v4 = (i.addr_info ?? []).filter((a) => a.family === 'inet').map((a) => `${a.local}/${a.prefixlen}`)
+            const v6 = (i.addr_info ?? []).filter((a) => a.family === 'inet6').map((a) => `${a.local}/${a.prefixlen}`)
+            return (
+              <Tooltip key={i.ifname} title={[...v4, ...v6].join(' · ') || '—'}>
+                <Tag>{i.ifname}{v4[0] ? ` · ${v4[0]}` : ''}</Tag>
+              </Tooltip>
+            )
+          })}
+          {(sys ?? []).length === 0 && <Typography.Text type="secondary">—</Typography.Text>}
+        </Space>
+      </Card>
+
+      <DataTable
+        rowKey="id"
+        loading={isLoading}
+        dataSource={ifs ?? []}
+        columns={columns}
+        extraActions={
+          <Button type="primary" icon={<PlusOutlined />} onClick={() => {
+            setCreating(true); form.resetFields()
+            form.setFieldsValue({ type: 'ethernet', role: 'lan', active: true })
+          }}>
+            {t('networks.addInterface')}
+          </Button>
+        }
+      />
+
+      <Modal
+        title={editing ? t('networks.editInterface') : t('networks.addInterface')}
+        open={editing !== null || creating}
+        onCancel={() => { setEditing(null); setCreating(false) }}
+        onOk={() => { void form.submit() }}
+        confirmLoading={create.isPending || update.isPending}
+        width={560}
+      >
+        <Form
+          form={form}
+          layout="vertical"
+          onFinish={(v) => {
+            if (editing) update.mutate({ id: editing.id, v })
+            else create.mutate(v)
+          }}
+        >
+          <Form.Item label={t('networks.name')} name="name" rules={[{ required: true }]}>
+            <Input placeholder="eth0 / eth0.100 / bond0" />
+          </Form.Item>
+          <Form.Item label={t('networks.type')} name="type" rules={[{ required: true }]}>
+            <Select options={[
+              { value: 'ethernet', label: 'ethernet' },
+              { value: 'vlan',     label: 'vlan' },
+              { value: 'bond',     label: 'bond' },
+              { value: 'bridge',   label: 'bridge' },
+              { value: 'wireguard',label: 'wireguard' },
+            ]} />
+          </Form.Item>
+          <Form.Item noStyle shouldUpdate={(p, c) => p.type !== c.type}>
+            {({ getFieldValue }) => {
+              const tp = getFieldValue('type') as NetworkInterface['type'] | undefined
+              const sysOptions = (sys ?? [])
+                .filter((i) => i.ifname !== 'lo')
+                .map((i) => ({ value: i.ifname, label: i.ifname }))
+              if (tp === 'vlan') {
+                return (
+                  <>
+                    <Form.Item label={t('networks.parent')} name="parent" rules={[{ required: true }]}>
+                      <Select placeholder={t('networks.selectParent')} showSearch options={sysOptions} />
+                    </Form.Item>
+                    <Form.Item label={t('networks.vlanId')} name="vlan_id" rules={[{ required: true }]}>
+                      <InputNumber min={1} max={4094} style={{ width: '100%' }} />
+                    </Form.Item>
+                  </>
+                )
+              }
+              if (tp === 'bridge' || tp === 'bond') {
+                return (
+                  <Form.Item
+                    label={t('networks.members')}
+                    name="members"
+                    rules={[{ required: true, type: 'array', min: 1, message: t('networks.membersRequired') }]}
+                    extra={tp === 'bridge' ? t('networks.membersHintBridge') : t('networks.membersHintBond')}
+                  >
+                    <Select
+                      mode="multiple"
+                      placeholder={t('networks.selectMembers')}
+                      showSearch
+                      options={sysOptions}
+                    />
+                  </Form.Item>
+                )
+              }
+              return null
+            }}
+          </Form.Item>
+          <Form.Item
+            label={t('networks.role')}
+            name="role"
+            rules={[{ required: true }]}
+            extra={t('networks.roleHint')}
+          >
+            <Select
+              showSearch
+              options={(zones ?? []).map(z => ({
+                value: z.name,
+                label: z.builtin ? z.name.toUpperCase() : `${z.name.toUpperCase()} (custom)`,
+              }))}
+            />
+          </Form.Item>
+          <Form.Item label={t('networks.mtu')} name="mtu">
+            <InputNumber min={68} max={9216} style={{ width: '100%' }} placeholder="1500" />
+          </Form.Item>
+          <Form.Item label={t('networks.description')} name="description">
+            <Input.TextArea rows={2} />
+          </Form.Item>
+          <Form.Item label={t('networks.active')} name="active" valuePropName="checked">
+            <Switch />
+          </Form.Item>
+        </Form>
+      </Modal>
+    </div>
+  )
+}
diff --git a/management-ui/src/pages/Networks/Routes.tsx b/management-ui/src/pages/Networks/Routes.tsx
new file mode 100644
index 0000000..a1d5736
--- /dev/null
+++ b/management-ui/src/pages/Networks/Routes.tsx
@@ -0,0 +1,274 @@
+import { useState } from 'react'
+import {
+  Button, Card, Form, Input, InputNumber, Modal, Popconfirm, Space, Switch, Table, Tag, Tooltip, Typography, message,
+} from 'antd'
+import type { ColumnsType } from 'antd/es/table'
+import {
+  EnvironmentOutlined, PlusOutlined, ReloadOutlined,
+} from '@ant-design/icons'
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
+import { useTranslation } from 'react-i18next'
+
+import apiClient, { isEnvelope } from '../../api/client'
+
+const { Text } = Typography
+
+interface ManagedRoute {
+  id: number
+  destination: string
+  gateway?: string | null
+  dev?: string | null
+  metric: number
+  table_name: string
+  active: boolean
+  comment?: string | null
+}
+
+interface LiveRoute {
+  destination: string
+  gateway?: string
+  dev?: string
+  protocol?: string
+  scope?: string
+  src?: string
+  metric?: number
+  table?: string
+  flags?: string[]
+}
+
+interface RouteFormValues {
+  destination: string
+  gateway?: string
+  dev?: string
+  metric: number
+  table_name: string
+  active: boolean
+  comment?: string
+}
+
+export default function RoutesTab() {
+  const { t } = useTranslation()
+  const qc = useQueryClient()
+
+  const managed = useQuery({
+    queryKey: ['routes', 'managed'],
+    queryFn: async () => {
+      const r = await apiClient.get('/routes')
+      return isEnvelope(r.data) ? (r.data.data as { routes: ManagedRoute[] }).routes : []
+    },
+  })
+
+  const live = useQuery({
+    queryKey: ['routes', 'live'],
+    queryFn: async () => {
+      const r = await apiClient.get('/routes/live')
+      return isEnvelope(r.data) ? (r.data.data as { routes: LiveRoute[] }).routes : []
+    },
+    refetchInterval: 30_000,
+  })
+
+  const [edit, setEdit] = useState<ManagedRoute | null>(null)
+  const [creating, setCreating] = useState(false)
+  const [form] = Form.useForm<RouteFormValues>()
+
+  const create = useMutation({
+    mutationFn: async (v: RouteFormValues) => { await apiClient.post('/routes', v) },
+    onSuccess: () => {
+      message.success(t('common.save'))
+      setCreating(false); form.resetFields()
+      qc.invalidateQueries({ queryKey: ['routes'] })
+    },
+    onError: (e: Error) => message.error(e.message),
+  })
+
+  const update = useMutation({
+    mutationFn: async ({ id, v }: { id: number; v: RouteFormValues }) => {
+      await apiClient.put(`/routes/${id}`, v)
+    },
+    onSuccess: () => {
+      message.success(t('common.save'))
+      setEdit(null); form.resetFields()
+      qc.invalidateQueries({ queryKey: ['routes'] })
+    },
+    onError: (e: Error) => message.error(e.message),
+  })
+
+  const del = useMutation({
+    mutationFn: async (id: number) => { await apiClient.delete(`/routes/${id}`) },
+    onSuccess: () => { qc.invalidateQueries({ queryKey: ['routes'] }) },
+    onError: (e: Error) => message.error(e.message),
+  })
+
+  const managedColumns: ColumnsType<ManagedRoute> = [
+    {
+      title: t('routes.col.destination'), dataIndex: 'destination',
+      render: (v: string) => <Text style={{ fontFamily: 'monospace' }}>{v}</Text>,
+    },
+    {
+      title: t('routes.col.gateway'), dataIndex: 'gateway',
+      render: (v?: string) => v
+        ? <Text style={{ fontFamily: 'monospace' }}>{v}</Text>
+        : <Text type="secondary">on-link</Text>,
+    },
+    { title: t('routes.col.dev'), dataIndex: 'dev', width: 110,
+      render: (v?: string) => v ? <Tag>{v}</Tag> : '—' },
+    { title: t('routes.col.metric'), dataIndex: 'metric', width: 80 },
+    { title: t('routes.col.table'), dataIndex: 'table_name', width: 90 },
+    { title: t('routes.col.active'), dataIndex: 'active', width: 80,
+      render: (v: boolean) => v ? <Tag color="green">on</Tag> : <Tag>off</Tag> },
+    { title: t('routes.col.comment'), dataIndex: 'comment',
+      render: (v?: string) => v || <Text type="secondary">—</Text> },
+    {
+      title: t('common.actions'), key: 'a', width: 160,
+      render: (_, r) => (
+        <Space size={4}>
+          <Button size="small" onClick={() => {
+            setEdit(r)
+            form.setFieldsValue({
+              destination: r.destination,
+              gateway: r.gateway ?? undefined,
+              dev: r.dev ?? undefined,
+              metric: r.metric,
+              table_name: r.table_name,
+              active: r.active,
+              comment: r.comment ?? undefined,
+            })
+          }}>{t('common.edit')}</Button>
+          <Popconfirm title={t('routes.confirmDelete', { dest: r.destination })}
+            onConfirm={() => del.mutate(r.id)}>
+            <Button size="small" danger>{t('common.delete')}</Button>
+          </Popconfirm>
+        </Space>
+      ),
+    },
+  ]
+
+  const liveColumns: ColumnsType<LiveRoute> = [
+    { title: t('routes.col.destination'), dataIndex: 'destination',
+      render: (v?: string) => (
+        <Text style={{ fontFamily: 'monospace' }}>{v || 'default'}</Text>
+      ) },
+    { title: t('routes.col.gateway'), dataIndex: 'gateway',
+      render: (v?: string) => v
+        ? <Text style={{ fontFamily: 'monospace' }}>{v}</Text>
+        : <Text type="secondary">—</Text> },
+    { title: t('routes.col.dev'), dataIndex: 'dev', width: 110,
+      render: (v?: string) => v ? <Tag>{v}</Tag> : '—' },
+    { title: t('routes.col.proto'), dataIndex: 'protocol', width: 110,
+      render: (v?: string) => v
+        ? <Tag color={v === 'edgeguard' ? 'cyan' : 'default'}>{v}</Tag>
+        : '—' },
+    { title: t('routes.col.scope'), dataIndex: 'scope', width: 90,
+      render: (v?: string) => v ? <Tag>{v}</Tag> : '—' },
+    { title: t('routes.col.src'), dataIndex: 'src', width: 130,
+      render: (v?: string) => v
+        ? <Text style={{ fontFamily: 'monospace', fontSize: 11 }}>{v}</Text>
+        : <Text type="secondary">—</Text> },
+    { title: t('routes.col.metric'), dataIndex: 'metric', width: 80,
+      render: (v?: number) => v ?? '—' },
+  ]
+
+  return (
+    <div>
+      <Card
+        size="small"
+        title={
+          <Space>
+            <EnvironmentOutlined />
+            {t('routes.liveTitle')}
+            <Text type="secondary" style={{ fontSize: 12 }}>
+              ({(live.data ?? []).length})
+            </Text>
+          </Space>
+        }
+        extra={
+          <Tooltip title={t('routes.refreshTooltip')}>
+            <Button size="small" icon={<ReloadOutlined />}
+              loading={live.isFetching}
+              onClick={() => live.refetch()}>{t('common.refresh')}</Button>
+          </Tooltip>
+        }
+        className="mb-16"
+      >
+        <Text type="secondary">{t('routes.liveIntro')}</Text>
+        <Table
+          rowKey={(r, idx) => `${r.destination}-${r.dev}-${r.metric}-${idx}`}
+          size="small"
+          dataSource={live.data ?? []}
+          columns={liveColumns}
+          pagination={{ pageSize: 25, showSizeChanger: true, pageSizeOptions: [25, 50, 100] }}
+          locale={{ emptyText: t('routes.liveEmpty') }}
+          style={{ marginTop: 12 }}
+        />
+      </Card>
+
+      <Card
+        size="small"
+        title={t('routes.managedTitle')}
+        extra={
+          <Button type="primary" size="small" icon={<PlusOutlined />}
+            onClick={() => {
+              setCreating(true); form.resetFields()
+              form.setFieldsValue({
+                metric: 100, table_name: 'main', active: true,
+                destination: '', gateway: '', dev: '',
+              })
+            }}>
+            {t('routes.add')}
+          </Button>
+        }
+      >
+        <Text type="secondary">{t('routes.managedIntro')}</Text>
+        <Table
+          rowKey="id"
+          size="small"
+          loading={managed.isFetching}
+          dataSource={managed.data ?? []}
+          columns={managedColumns}
+          pagination={false}
+          locale={{ emptyText: t('routes.empty') }}
+          style={{ marginTop: 12 }}
+        />
+      </Card>
+
+      <Modal
+        title={edit ? t('routes.editTitle') : t('routes.addTitle')}
+        open={edit !== null || creating}
+        onCancel={() => { setEdit(null); setCreating(false); form.resetFields() }}
+        onOk={() => form.submit()}
+        confirmLoading={create.isPending || update.isPending}
+        width={560}
+      >
+        <Form form={form} layout="vertical"
+          onFinish={(v) => edit ? update.mutate({ id: edit.id, v }) : create.mutate(v)}>
+          <Form.Item label={t('routes.col.destination')} name="destination"
+            rules={[{ required: true }]} extra={t('routes.destExtra')}>
+            <Input placeholder="10.0.5.0/24" />
+          </Form.Item>
+          <Form.Item label={t('routes.col.gateway')} name="gateway"
+            extra={t('routes.gatewayExtra')}>
+            <Input placeholder="192.168.1.1" />
+          </Form.Item>
+          <Form.Item label={t('routes.col.dev')} name="dev"
+            extra={t('routes.devExtra')}>
+            <Input placeholder="ens18" />
+          </Form.Item>
+          <Form.Item label={t('routes.col.metric')} name="metric"
+            extra={t('routes.metricExtra')}>
+            <InputNumber min={0} max={65535} style={{ width: '100%' }} />
+          </Form.Item>
+          <Form.Item label={t('routes.col.table')} name="table_name"
+            extra={t('routes.tableExtra')}>
+            <Input placeholder="main" />
+          </Form.Item>
+          <Form.Item label={t('routes.col.comment')} name="comment">
+            <Input.TextArea rows={2} />
+          </Form.Item>
+          <Form.Item label={t('routes.col.active')} name="active" valuePropName="checked">
+            <Switch />
+          </Form.Item>
+        </Form>
+      </Modal>
+    </div>
+  )
+}
diff --git a/management-ui/src/pages/Networks/index.tsx b/management-ui/src/pages/Networks/index.tsx
index 37de8be..7cbd0bf 100644
--- a/management-ui/src/pages/Networks/index.tsx
+++ b/management-ui/src/pages/Networks/index.tsx
@@ -1,153 +1,17 @@
-import { useState } from 'react'
-import { Button, Card, Form, Input, InputNumber, Modal, Select, Space, Switch, Tag, Tooltip, Typography, message } from 'antd'
-import type { ColumnsType } from 'antd/es/table'
-import { ClusterOutlined, PlusOutlined } from '@ant-design/icons'
-import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query'
+import { Tabs } from 'antd'
+import { ClusterOutlined } from '@ant-design/icons'
 import { useTranslation } from 'react-i18next'
-import DataTable from '../../components/DataTable'
+
 import PageHeader from '../../components/PageHeader'
-import ActionButtons from '../../components/ActionButtons'
-import StatusDot from '../../components/StatusDot'
-
-import apiClient, { isEnvelope } from '../../api/client'
-
-interface NetworkInterface {
-  id: number
-  name: string
-  type: 'ethernet' | 'vlan' | 'bond' | 'bridge' | 'wireguard'
-  parent?: string | null
-  vlan_id?: number | null
-  members: string[]
-  role: string
-  mtu?: number | null
-  active: boolean
-  description?: string | null
-  created_at: string
-  updated_at: string
-}
-
-interface IfaceFormValues {
-  name: string
-  type: NetworkInterface['type']
-  parent?: string
-  vlan_id?: number
-  members?: string[]
-  role: string
-  mtu?: number
-  active: boolean
-  description?: string
-}
-
-interface SystemInterface {
-  ifname: string
-  link_type?: string
-  address?: string
-  flags?: string[]
-  addr_info?: Array<{ family: 'inet' | 'inet6'; local: string; prefixlen: number }>
-}
-
-async function listInterfaces(): Promise<NetworkInterface[]> {
-  const r = await apiClient.get('/network-interfaces')
-  if (!isEnvelope(r.data)) return []
-  return (r.data.data as { interfaces?: NetworkInterface[] }).interfaces ?? []
-}
-
-async function listSystemInterfaces(): Promise<SystemInterface[]> {
-  const r = await apiClient.get('/system/interfaces')
-  if (!isEnvelope(r.data)) return []
-  return (r.data.data as { interfaces?: SystemInterface[] }).interfaces ?? []
-}
-
-interface FwZone { id: number; name: string; description?: string | null; builtin: boolean }
-async function listZones(): Promise<FwZone[]> {
-  const r = await apiClient.get('/firewall/zones')
-  if (!isEnvelope(r.data)) return []
-  return (r.data.data as { zones?: FwZone[] }).zones ?? []
-}
+import InterfacesTab from './Interfaces'
+import RoutesTab from './Routes'
 
 export default function NetworksPage() {
   const { t } = useTranslation()
-  const qc = useQueryClient()
 
-  const { data: ifs, isLoading } = useQuery({ queryKey: ['network-interfaces'], queryFn: listInterfaces })
-  const { data: sys } = useQuery({ queryKey: ['system', 'interfaces'], queryFn: listSystemInterfaces, refetchInterval: 60_000 })
-  const { data: zones } = useQuery({ queryKey: ['fw-zones'], queryFn: listZones })
-
-  const [editing, setEditing] = useState<NetworkInterface | null>(null)
-  const [creating, setCreating] = useState(false)
-  const [form] = Form.useForm<IfaceFormValues>()
-
-  const create = useMutation({
-    mutationFn: async (v: IfaceFormValues) => { await apiClient.post('/network-interfaces', v) },
-    onSuccess: () => {
-      message.success(t('common.save'))
-      setCreating(false); form.resetFields()
-      void qc.invalidateQueries({ queryKey: ['network-interfaces'] })
-    },
-  })
-  const update = useMutation({
-    mutationFn: async ({ id, v }: { id: number; v: IfaceFormValues }) => { await apiClient.put(`/network-interfaces/${id}`, v) },
-    onSuccess: () => {
-      message.success(t('common.save'))
-      setEditing(null); form.resetFields()
-      void qc.invalidateQueries({ queryKey: ['network-interfaces'] })
-    },
-  })
-  const del = useMutation({
-    mutationFn: async (id: number) => { await apiClient.delete(`/network-interfaces/${id}`) },
-    onSuccess: () => { void qc.invalidateQueries({ queryKey: ['network-interfaces'] }) },
-  })
-
-  // Stable colour palette for role tags. Builtin zones get a fixed
-  // colour; custom zones cycle through the palette by name hash so
-  // the same custom zone always shows up in the same shade.
-  const PALETTE = ['blue', 'green', 'orange', 'purple', 'magenta', 'cyan', 'gold', 'volcano', 'geekblue']
-  const FIXED: Record<string, string> = { wan: 'blue', lan: 'green', dmz: 'orange', mgmt: 'purple', cluster: 'magenta' }
-  const roleColor = (r: string): string => {
-    if (FIXED[r]) return FIXED[r]
-    let h = 0
-    for (let i = 0; i < r.length; i++) h = (h * 31 + r.charCodeAt(i)) >>> 0
-    return PALETTE[h % PALETTE.length]
-  }
-
-  const columns: ColumnsType<NetworkInterface> = [
-    { title: t('networks.name'), dataIndex: 'name', key: 'name', render: (s: string) => <code>{s}</code> },
-    { title: t('networks.type'), dataIndex: 'type', key: 'type' },
-    {
-      title: t('networks.composition'), key: 'composition',
-      render: (_, row) => {
-        if (row.type === 'vlan')                       return <span><code>{row.parent}</code>.{row.vlan_id}</span>
-        if (row.type === 'bridge' || row.type === 'bond') {
-          return <Space size={4} wrap>{(row.members ?? []).map((m) => <Tag key={m}>{m}</Tag>)}</Space>
-        }
-        return '—'
-      },
-    },
-    {
-      title: t('networks.role'), dataIndex: 'role', key: 'role',
-      render: (r: string) => <Tag color={roleColor(r)}>{r.toUpperCase()}</Tag>,
-    },
-    { title: t('networks.mtu'), dataIndex: 'mtu', key: 'mtu', render: (v?: number) => v ?? '—' },
-    { title: t('networks.active'), dataIndex: 'active', key: 'active', render: (v: boolean) => <StatusDot active={v} /> },
-    {
-      title: t('common.actions'), key: 'actions',
-      render: (_, row) => (
-        <ActionButtons
-          onEdit={() => {
-            setEditing(row)
-            form.setFieldsValue({
-              name: row.name, type: row.type, parent: row.parent ?? undefined,
-              vlan_id: row.vlan_id ?? undefined, members: row.members ?? [],
-              role: row.role,
-              mtu: row.mtu ?? undefined, active: row.active,
-              description: row.description ?? undefined,
-            })
-          }}
-          onDelete={() => del.mutate(row.id)}
-          deleteConfirm={t('networks.deleteConfirm', { name: row.name })}
-        />
-      ),
-    },
+  const tabs = [
+    { key: 'interfaces', label: t('networks.tabs.interfaces'), children: <InterfacesTab /> },
+    { key: 'routes',     label: t('networks.tabs.routes'),     children: <RoutesTab /> },
   ]
 
   return (
@@ -157,128 +21,7 @@ export default function NetworksPage() {
         title={t('networks.title')}
         subtitle={t('networks.intro')}
       />
-
-      <Card title={t('networks.systemDiscovered')} className="mb-12" size="small">
-        <Space wrap>
-          {(sys ?? []).map((i) => {
-            const v4 = (i.addr_info ?? []).filter((a) => a.family === 'inet').map((a) => `${a.local}/${a.prefixlen}`)
-            const v6 = (i.addr_info ?? []).filter((a) => a.family === 'inet6').map((a) => `${a.local}/${a.prefixlen}`)
-            return (
-              <Tooltip key={i.ifname} title={[...v4, ...v6].join(' · ') || '—'}>
-                <Tag>{i.ifname}{v4[0] ? ` · ${v4[0]}` : ''}</Tag>
-              </Tooltip>
-            )
-          })}
-          {(sys ?? []).length === 0 && <Typography.Text type="secondary">—</Typography.Text>}
-        </Space>
-      </Card>
-
-      <DataTable
-        rowKey="id"
-        loading={isLoading}
-        dataSource={ifs ?? []}
-        columns={columns}
-        extraActions={
-          <Button type="primary" icon={<PlusOutlined />} onClick={() => {
-            setCreating(true); form.resetFields()
-            form.setFieldsValue({ type: 'ethernet', role: 'lan', active: true })
-          }}>
-            {t('networks.addInterface')}
-          </Button>
-        }
-      />
-
-      <Modal
-        title={editing ? t('networks.editInterface') : t('networks.addInterface')}
-        open={editing !== null || creating}
-        onCancel={() => { setEditing(null); setCreating(false) }}
-        onOk={() => { void form.submit() }}
-        confirmLoading={create.isPending || update.isPending}
-        width={560}
-      >
-        <Form
-          form={form}
-          layout="vertical"
-          onFinish={(v) => {
-            if (editing) update.mutate({ id: editing.id, v })
-            else create.mutate(v)
-          }}
-        >
-          <Form.Item label={t('networks.name')} name="name" rules={[{ required: true }]}>
-            <Input placeholder="eth0 / eth0.100 / bond0" />
-          </Form.Item>
-          <Form.Item label={t('networks.type')} name="type" rules={[{ required: true }]}>
-            <Select options={[
-              { value: 'ethernet', label: 'ethernet' },
-              { value: 'vlan',     label: 'vlan' },
-              { value: 'bond',     label: 'bond' },
-              { value: 'bridge',   label: 'bridge' },
-              { value: 'wireguard',label: 'wireguard' },
-            ]} />
-          </Form.Item>
-          <Form.Item noStyle shouldUpdate={(p, c) => p.type !== c.type}>
-            {({ getFieldValue }) => {
-              const tp = getFieldValue('type') as NetworkInterface['type'] | undefined
-              const sysOptions = (sys ?? [])
-                .filter((i) => i.ifname !== 'lo')
-                .map((i) => ({ value: i.ifname, label: i.ifname }))
-              if (tp === 'vlan') {
-                return (
-                  <>
-                    <Form.Item label={t('networks.parent')} name="parent" rules={[{ required: true }]}>
-                      <Select placeholder={t('networks.selectParent')} showSearch options={sysOptions} />
-                    </Form.Item>
-                    <Form.Item label={t('networks.vlanId')} name="vlan_id" rules={[{ required: true }]}>
-                      <InputNumber min={1} max={4094} style={{ width: '100%' }} />
-                    </Form.Item>
-                  </>
-                )
-              }
-              if (tp === 'bridge' || tp === 'bond') {
-                return (
-                  <Form.Item
-                    label={t('networks.members')}
-                    name="members"
-                    rules={[{ required: true, type: 'array', min: 1, message: t('networks.membersRequired') }]}
-                    extra={tp === 'bridge' ? t('networks.membersHintBridge') : t('networks.membersHintBond')}
-                  >
-                    <Select
-                      mode="multiple"
-                      placeholder={t('networks.selectMembers')}
-                      showSearch
-                      options={sysOptions}
-                    />
-                  </Form.Item>
-                )
-              }
-              return null
-            }}
-          </Form.Item>
-          <Form.Item
-            label={t('networks.role')}
-            name="role"
-            rules={[{ required: true }]}
-            extra={t('networks.roleHint')}
-          >
-            <Select
-              showSearch
-              options={(zones ?? []).map(z => ({
-                value: z.name,
-                label: z.builtin ? z.name.toUpperCase() : `${z.name.toUpperCase()} (custom)`,
-              }))}
-            />
-          </Form.Item>
-          <Form.Item label={t('networks.mtu')} name="mtu">
-            <InputNumber min={68} max={9216} style={{ width: '100%' }} placeholder="1500" />
-          </Form.Item>
-          <Form.Item label={t('networks.description')} name="description">
-            <Input.TextArea rows={2} />
-          </Form.Item>
-          <Form.Item label={t('networks.active')} name="active" valuePropName="checked">
-            <Switch />
-          </Form.Item>
-        </Form>
-      </Modal>
+      <Tabs items={tabs} defaultActiveKey="interfaces" />
     </div>
   )
 }
diff --git a/packaging/debian/edgeguard-api/DEBIAN/postinst b/packaging/debian/edgeguard-api/DEBIAN/postinst
index eadc8e0..f3bc917 100755
--- a/packaging/debian/edgeguard-api/DEBIAN/postinst
+++ b/packaging/debian/edgeguard-api/DEBIAN/postinst
@@ -93,6 +93,9 @@ edgeguard ALL=(root) NOPASSWD: /usr/bin/apt-get update
 # Backup-Pfad: pg_dump als postgres-User. Whitelist exakt mit
 # --clean --if-exists --no-owner --no-acl + dem festen DB-Namen.
 edgeguard ALL=(postgres) NOPASSWD: /usr/bin/pg_dump --clean --if-exists --no-owner --no-acl edgeguard
+# Static-Routes: API ruft `sudo systemctl restart edgeguard-routes.service`
+# nach jedem Mutate, damit das apply-Skript die neue routes.conf anwendet.
+edgeguard ALL=(root) NOPASSWD: /usr/bin/systemctl restart edgeguard-routes.service
 # Self-Upgrade-Pfad (handlers/system.go → /system/upgrade). Whitelist
 # nur die exakte Unit-Form, damit edgeguard NICHT beliebige systemd-
 # Units anlegen darf.
@@ -297,6 +300,78 @@ LOGROTATE
             echo "postinst: ulogd2.service not installed — install ulogd2 to enable firewall log" >&2
         fi
 
+        # ── Static-routes apply-script + systemd unit ────────────────
+        # Verwaltet aus /etc/edgeguard/routes.conf. `proto edgeguard`
+        # markiert die Routen damit das flush keine fremden Routen
+        # tötet (kernel/dhcp/static manuell gesetzt).
+        cat > /usr/sbin/edgeguard-apply-routes <<'APPLYROUTES'
+#!/bin/bash
+# Managed by edgeguard — DO NOT EDIT.
+# Reads /etc/edgeguard/routes.conf (pipe-format) and applies via ip(8).
+set -e
+CONF=/etc/edgeguard/routes.conf
+
+# Existierende edgeguard-Routen weg, bevor wir neue setzen. Andere
+# Quellen (kernel/dhcp/manuell ohne proto) bleiben intakt.
+ip route flush proto 250 2>/dev/null || true
+
+[ -f "$CONF" ] || exit 0
+
+while IFS='|' read -r dest gw dev metric table; do
+    [ -z "$dest" ] && continue
+    case "$dest" in '#'*) continue;; esac
+    args=("$dest")
+    [ -n "$gw" ]    && args+=("via" "$gw")
+    [ -n "$dev" ]   && args+=("dev" "$dev")
+    [ -n "$metric" ] && args+=("metric" "$metric")
+    if [ -n "$table" ] && [ "$table" != "main" ]; then
+        args+=("table" "$table")
+    fi
+    args+=("proto" "250")
+    if ! ip route add "${args[@]}"; then
+        echo "edgeguard-routes: failed to add: ip route add ${args[*]}" >&2
+        # weitermachen — eine fehlende Route soll nicht alle anderen
+        # blockieren.
+    fi
+done < "$CONF"
+APPLYROUTES
+        chmod 0755 /usr/sbin/edgeguard-apply-routes
+        chown root:root /usr/sbin/edgeguard-apply-routes
+
+        # rt_protos-Eintrag für `proto edgeguard` (Symbolname statt
+        # numerisch). Debian 13 hat /etc/iproute2 nicht als Default,
+        # also conf.d-Pattern: /etc/iproute2/rt_protos.d/edgeguard.conf
+        # überlagert die /usr/share/iproute2/rt_protos.
+        install -d /etc/iproute2/rt_protos.d
+        echo "250	edgeguard" > /etc/iproute2/rt_protos.d/edgeguard.conf
+        chmod 0644 /etc/iproute2/rt_protos.d/edgeguard.conf
+
+        cat > /etc/systemd/system/edgeguard-routes.service <<'ROUTESUNIT'
+[Unit]
+Description=EdgeGuard static-routes apply
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/edgeguard-apply-routes
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+ROUTESUNIT
+        systemctl daemon-reload
+        systemctl enable edgeguard-routes.service >/dev/null 2>&1 || true
+        # Initialer Apply — leere /etc/edgeguard/routes.conf ist ok
+        # (Skript exitet einfach ohne irgendwas zu tun).
+        systemctl start edgeguard-routes.service 2>/dev/null || true
+
+        # Initialer Stub damit `cat` im Skript nicht klagt
+        if [ ! -f /etc/edgeguard/routes.conf ]; then
+            : > /etc/edgeguard/routes.conf
+            chown "$EG_USER":"$EG_USER" /etc/edgeguard/routes.conf
+        fi
+
         # ── Self-signed default cert so HAProxy starts cleanly ───────
         # HAProxy `bind :443 ssl crt /etc/edgeguard/tls/` needs at least
         # one PEM in the directory to come up. Operator runs certbot