On every rule that specifies a gateway, set a mark on the traffic then block the traffic with the mark on the interface(s) you don’t want it to egress.
Say you have GW_WAN1 and GW_WAN2. On the rule that policy routes traffic out GW_WAN2, make the rule also set a mark of WAN2_ONLY. Then make a floating rule on WAN1 out that blocks or rejects traffic marked with WAN2_ONLY.

> On Jan 20, 2015, at 10:28 AM, Steven Sherwood <[email protected]> wrote:
>
> I have two kludgy (and untested) ideas if per gateway functionality is required.
>
> 1) Disable gateway monitoring for your VPN gateway so pfSense always considers it ‘up’. Your traffic wouldn’t flow to the default gateway, but you also wouldn’t know the VPN gateway was down. (in pfSense at least) You’d need to rely on an external tool to check if the real gateway/subnet was still available.
> 2) Activate a new interface (real or virtual) and define a new gateway for that interface. As above, disable gateway monitoring to this ‘gateway to nowhere’ (GWTN), but leave gateway monitoring on (as-is) for your VPN gateway. Create a new fail-over gateway group with your real VPN gateway as Tier 1, and your GWTN as Tier 2. In an actual failover situation, your VPN GW would show offline, and your traffic should failover to the GWTN. Prevent leaking by defining block rules to your subnet(s) on the new interface.
>
> Again – these are untested ideas which came to me when you mentioned the desire to do what you wanted on a per gateway basis. I don’t know what your application is or how secure you need this to be, but it might be a better option for you than the global one currently available.
>
> Moving forward, an option to null route traffic should the GW go down on a per interface basis would be great as an enhancement.
>
> Steve
>
> From: List [mailto:[email protected]] On Behalf Of Moshe Katz
> Sent: Sunday, January 11, 2015 10:41 PM
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] Enforcing policy routing gateway
>
> On Fri, Jan 9, 2015 at 11:07 PM, Tim Eggleston <[email protected]> wrote:
>
> On 2015-01-09 19:45, Chris Bagnall wrote:
>
> Check the setting of System -> Advanced -> Miscellaneous -> Skip rules when gateway is down.
>
> Nice! That sounds like exactly what I'm after. Shame it's global and not a per-policy-route or per-gateway setting but I'll take what I can get. Many thanks!
>
> ---tim
>
>
> Depending on how complex your rules are, you could also create "negative" versions of them that explicitly block that traffic on all other interfaces except the VPN. (Aliases could help simplify that, but you may or may not actually want to do it, depending on the rule complexity.)
>
> Moshe
>
> --
> Moshe Katz
> -- [email protected]
> -- +1(301)867-3732
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
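The tag-and-block approach described at the top of this message, written out as pf rules of the kind pfSense generates from its LAN and Floating tabs. This is an added example, not a configuration from the thread; the interface names, the client subnet and the WAN2 gateway address are assumptions.

```pf
# Added example (not from the thread). Interface names, the client subnet
# and the gateway address below are constructed placeholders.
lan_if  = "igb0"
wan1_if = "igb1"          # default-route WAN; traffic must never leak here
wan2_if = "igb2"          # e.g. the VPN interface (GW_WAN2)
wan2_gw = "10.8.0.1"      # constructed gateway address for GW_WAN2

# constructed: hosts whose traffic is only ever allowed out GW_WAN2
table <vpn_clients> { 192.168.1.0/24 }

# LAN-tab rule with Gateway = GW_WAN2 and Tag = WAN2_ONLY in its advanced
# options. "tag" stores the mark in the state, so the mark is still
# visible when the same flow is evaluated on the outbound interface.
pass in quick on $lan_if inet from <vpn_clients> to any \
    route-to ($wan2_if $wan2_gw) tag WAN2_ONLY keep state

# Floating rule, direction Out, interface WAN1, Tagged = WAN2_ONLY, with
# "Quick" set so that pfSense's later pass-out rules on WAN1 cannot
# override it. If GW_WAN2 is down and the route-to is dropped from the
# rule above, the flow falls back to the default route and would exit
# WAN1; this rule blocks it instead of letting it leak. Use "reject"
# rather than "block" if clients should get an immediate error.
block out quick on $wan1_if tagged WAN2_ONLY
```

The same pair of rules works for any interface you want to fence off, one `block out quick ... tagged` rule per interface that must never carry the marked traffic.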
