Feature #2858
Do not route rules to default gateway when its own gateway is down
Status: Closed (100% done)
Description
Current Behavior:
When an OVPN client connection goes down, any policy-based routing rules pointing to the ovpnc gateway instead point to the default route. REJECT/BLOCK rules are also ignored.
Expected Behavior:
Traffic should not be redirected to the default route but instead should fail.
Additional Tests:
I also set up a gateway failover group with OVPNC1 set as Tier 1 and a Blackhole (bogus LAN IP w/ monitoring disabled) gateway set as Tier 2. When setting the gateway to GWGRP1 I would expect traffic to be routed to Blackhole, being that OVPNC1 is down, but instead traffic is handed over to the default route, ignoring any REJECT/BLOCK rules.
I have tested this with 2.0.2 and 2.1-BETA1-i386-20130305-1457
Updated by Renato Botelho over 11 years ago
- Tracker changed from Bug to Feature
- Subject changed from Policy routing to OpenVPN client gateway ignored when VPN is down to Do not route rules to default gateway when its own gateway is down
- Category changed from OpenVPN to Gateways
- Assignee set to Renato Botelho
It's the expected behaviour today, so change it to a Feature and adjust the Subject as well.
Updated by Renato Botelho over 11 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset a1f735b31c8f7f0cca0ebc5a7153cd06cdf4482e.
Updated by Shawn Bruce over 11 years ago
Wow thanks for working to add this!
I've applied the patch to pfSense-2.1-BETA1-amd64-20130312-0847 and it does not seem to work. I ticked the option in Advanced->Misc and performed a restart to be safe. Traffic is still sent to the default gateway when the OVPN gateway is down or service stopped.
Maybe I am missing something?
Updated by Renato Botelho over 11 years ago
Could you show me /tmp/rules.debug in 2 different moments, when OVPN is up and when it's down?
Updated by Shawn Bruce over 11 years ago
- File rules.debug_GWUP rules.debug_GWUP added
- File rules.debug_GWDOWN rules.debug_GWDOWN added
It appears the rules related to gateway OVPNC1 drop when the VPN is stopped/failed.
Updated by Shawn Bruce over 11 years ago
Ah, my apologies... It's working as you have written.
Silly me.
I'm assuming that I should now be placing a DENY rule below the rule that specifies the gateway?
Updated by Renato Botelho over 11 years ago
Exactly, or you can negate 192.168.99.151 as src on the rule that allows all traffic from 192.168.99.0/24.
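As an added illustration (not code from pfSense or from anyone in this thread), the Python script below models the check Renato asked for: it compares two /tmp/rules.debug snapshots, lists the rules that disappear when the gateway goes down, and evaluates which rule a packet from the policy-routed host hits under pf's first-match ("quick") semantics. The three rule sets, the interface name ovpnc1, the gateway address 10.8.0.1 and the rule labels are constructed approximations of pfSense's generated rules, not captured output. It shows the three outcomes discussed above: gateway up (route-to the VPN), gateway down with a DENY rule placed under the policy-routing rule (blocked, i.e. fails closed), and gateway down without that rule (falls through to the LAN-to-any pass rule and so to the default route, which is what the report originally hit).

```python
import ipaddress
import re

# Constructed snapshots approximating pfSense /tmp/rules.debug output. The
# interface ovpnc1, gateway 10.8.0.1 and labels are assumptions for this example.
RULES_GW_UP = """\
pass in quick on $LAN route-to ( ovpnc1 10.8.0.1 ) inet from 192.168.99.151 to any keep state label "USER_RULE: host via OVPNC1"
block return in quick on $LAN inet from 192.168.99.151 to any label "USER_RULE: fail closed when OVPNC1 is down"
pass in quick on $LAN inet from 192.168.99.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
"""

# Same rule set after the VPN dropped: with the new option enabled, the rule
# that routes via the down gateway is left out of the generated pf rules.
RULES_GW_DOWN = """\
block return in quick on $LAN inet from 192.168.99.151 to any label "USER_RULE: fail closed when OVPNC1 is down"
pass in quick on $LAN inet from 192.168.99.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
"""

# Gateway down, but the admin never added a DENY rule under the policy route.
RULES_GW_DOWN_NO_BLOCK = """\
pass in quick on $LAN inet from 192.168.99.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
"""

RULE_RE = re.compile(
    r'^(?P<action>pass|block(?: return)?)\s+in\s+quick\s+on\s+\S+\s+'
    r'(?:route-to\s+\(\s*(?P<gw>\S+)\s+\S+\s*\)\s+)?'
    r'inet\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)'
)


def parse_rules(text):
    """Parse the subset of rules.debug syntax used above into dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line}")
        rules.append({
            'action': 'block' if m['action'].startswith('block') else 'pass',
            'gateway': m['gw'],  # None when the rule uses the default route
            'src': m['src'],
            'raw': line,
        })
    return rules


def _src_matches(spec, ip):
    if spec == 'any':
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def verdict(rules, src_ip):
    """First-match semantics: every pfSense user rule is 'quick', so the first
    rule whose source matches decides. Returns 'route-to <gw>', 'block',
    'default route' (a pass without route-to) or 'no match' (implicit deny)."""
    for r in rules:
        if _src_matches(r['src'], src_ip):
            if r['action'] == 'block':
                return 'block'
            return f"route-to {r['gateway']}" if r['gateway'] else 'default route'
    return 'no match'


def dropped_rules(up_text, down_text):
    """Rules present while the gateway was up but absent from the down snapshot."""
    down = {r['raw'] for r in parse_rules(down_text)}
    return [r['raw'] for r in parse_rules(up_text) if r['raw'] not in down]


if __name__ == '__main__':
    host = '192.168.99.151'
    print('gateway up:            ', verdict(parse_rules(RULES_GW_UP), host))
    print('gateway down + DENY:   ', verdict(parse_rules(RULES_GW_DOWN), host))
    print('gateway down, no DENY: ', verdict(parse_rules(RULES_GW_DOWN_NO_BLOCK), host))
    for line in dropped_rules(RULES_GW_UP, RULES_GW_DOWN):
        print('dropped when down:', line)
```

Run against real snapshots, the useful signal is the `dropped_rules` output: if the route-to rule for the VPN gateway vanishes and the very next rule matching that source is a pass without route-to, the host will silently use the default route; the DENY rule (or the negated source on the broad pass rule) is what turns that into a block.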
Updated by Shawn Bruce over 11 years ago
It's working perfectly then :)
Sorry about the previous confusion.
Updated by Renato Botelho over 11 years ago
- Status changed from Feedback to Closed
Thanks for the feedback.