Project

General

Profile

Actions

Feature #2858

closed

Do not route rules to default gateway when its own gateway is down

Added by Shawn Bruce over 11 years ago. Updated over 11 years ago.

Status:
Closed
Priority:
Normal
Category:
Gateways
Target version:
Start date:
03/05/2013
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

Current Behavior:
When an OVPN client connection goes down, any policy based routing rules pointing to the ovpnc gateway instead point to the default route. REJECT/BLOCK rules are also ignored.

Expected Behavior:
Traffic should not be redirected to the default route but instead should fail.

Additional Tests:
I also setup a gateway failover group with OVPNC1 set as Tier 1 and a Blackhole(Bogus LAN IP w/ monitoring disabled) gateway set as Tier 2. When setting the gateway to GWGRP1 I would expect traffic to be routed to Blackhole being that OVPNC1 is down, but instead traffic is handed over to the default route ignoring any REJECT/BLOCK rules.

I have tested this with 2.0.2 and 2.1-BETA1-i386-20130305-1457


Files

rules.debug_GWUP (8.16 KB) rules.debug_GWUP Shawn Bruce, 03/12/2013 08:03 PM
rules.debug_GWDOWN (7.67 KB) rules.debug_GWDOWN Shawn Bruce, 03/12/2013 08:03 PM
Actions #1

Updated by Renato Botelho over 11 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from Policy routing to OpenVPN client gateway ignored when VPN is down to Do not route rules to default gateway when its own gateway is down
  • Category changed from OpenVPN to Gateways
  • Assignee set to Renato Botelho

It's the expected behaviour today, so change it to a Feature and adjust Subject as well

Actions #2

Updated by Renato Botelho over 11 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Shawn Bruce over 11 years ago

Wow thanks for working to add this!

I've applied the patch to pfSense-2.1-BETA1-amd64-20130312-0847 and it does not seem to work. I ticked the option in Advanced->Misc and performed a restart to be safe. Traffic is still sent to the default gateway when the OVPN gateway is down or service stopped.

Maybe I am missing something?

Actions #4

Updated by Renato Botelho over 11 years ago

Could you show me /tmp/rules.debug in 2 different moments, when OVPN is up and when it's down?

Actions #5

Updated by Shawn Bruce over 11 years ago

It appears the rules related to gateway OVPNC1 drop when the VPN is stopped/failed.

Actions #6

Updated by Shawn Bruce over 11 years ago

Ah my apologies... Its working as you have written..

Silly me.

I'm assuming that I should now be placing a DENY rule below the rule that specifies the gateway?

Actions #7

Updated by Renato Botelho over 11 years ago

Exactly, or you can negate the 192.168.99.151 as src on rule that allow all traffic from 192.168.99.0/24.

Actions #8

Updated by Shawn Bruce over 11 years ago

It's working perfectly then :)

Sorry about the previous confusion.

Actions #9

Updated by Renato Botelho over 11 years ago

  • Status changed from Feedback to Closed

thanks for feedback

Actions

Also available in: Atom PDF