I have two kludgy (and untested) ideas if per gateway functionality is required.
1) Disable gateway monitoring for your VPN gateway so pfSense always considers it ‘up’. Your traffic wouldn’t flow to the default gateway, but you also wouldn’t know the VPN gateway was down (in pfSense at least). You’d need to rely on an external tool to check if the real gateway/subnet was still available.

2) Activate a new interface (real or virtual) and define a new gateway for that interface. As above, disable gateway monitoring to this ‘gateway to nowhere’ (GWTN), but leave gateway monitoring on (as-is) for your VPN gateway. Create a new fail-over gateway group with your real VPN gateway as Tier 1 and your GWTN as Tier 2. In an actual failover situation, your VPN GW would show offline, and your traffic should fail over to the GWTN. Prevent leaking by defining block rules to your subnet(s) on the new interface.

Again, these are untested ideas which came to me when you mentioned the desire to do what you wanted on a per-gateway basis. I don’t know what your application is or how secure you need this to be, but it might be a better option for you than the global one currently available.

Moving forward, an option to null route traffic should the GW go down on a per-interface basis would be great as an enhancement.

Steve

From: List [mailto:[email protected]] On Behalf Of Moshe Katz
Sent: Sunday, January 11, 2015 10:41 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Enforcing policy routing gateway

On Fri, Jan 9, 2015 at 11:07 PM, Tim Eggleston <[email protected]> wrote:

> On 2015-01-09 19:45, Chris Bagnall wrote:
>> Check the setting of System -> Advanced -> Miscellaneous -> Skip rules when gateway is down.
>
> Nice! That sounds like exactly what I'm after. Shame it's global and not a per-policy-route or per-gateway setting but I'll take what I can get. Many thanks!
>
> ---tim

Depending on how complex your rules are, you could also create "negative" versions of them that explicitly block that traffic on all other interfaces except the VPN. (Aliases could help simplify that, but you may or may not actually want to do it, depending on the rule complexity.)

Moshe

--
Moshe Katz
[email protected]
+1(301)867-3732
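The "negative" rule idea from the thread, written out in pf syntax as an added illustration (not a ruleset from the thread or from pfSense itself; the interface names, LAN subnet and VPN gateway address are constructed). pfSense generates its pf.conf from the GUI, so this shows the shape of the rules rather than something to paste into the firewall. The one subtlety worth showing: on the WAN side outbound NAT has already rewritten the source address by the time filter rules run, so a block rule that matches `from $lan_net` on WAN never fires; tagging the packet on the way in and blocking on the tag survives NAT.

```pf
# Constructed values for this example only.
lan_if  = "em1"
wan_if  = "em0"
vpn_if  = "ovpnc1"
vpn_gw  = "10.8.0.1"
lan_net = "192.168.1.0/24"

# Policy-route LAN clients out the VPN and tag every state created by this rule.
# If the VPN gateway is marked down and "Skip rules when gateway is down" is off,
# pfSense regenerates this rule without route-to, so the traffic follows the
# default route toward WAN but still carries the tag.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet \
    from $lan_net to any tag VPN_ONLY keep state

# Catch-all below the pass rule: with "Skip rules when gateway is down" on,
# the pass rule is dropped entirely and this block rule sees the traffic.
block in quick log on $lan_if inet from $lan_net to any

# The "negative" rule on the other egress interface. Match on the tag, not on
# the source address, because outbound NAT on $wan_if has already translated it.
block out quick log on $wan_if all tagged VPN_ONLY
```

Blocked leak attempts show up in the pf log, which is the check a practitioner wants while verifying the failover behaviour described above.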
