Feature #2858
closed
Do not route rules to default gateway when its own gateway is down
Added by Shawn Bruce over 11 years ago.
Updated over 11 years ago.
Description
Current Behavior:
When an OVPN client connection goes down, any policy-based routing rules pointing to the ovpnc gateway instead point to the default route. REJECT/BLOCK rules are also ignored.
Expected Behavior:
Traffic should not be redirected to the default route but instead should fail.
Additional Tests:
I also set up a gateway failover group with OVPNC1 set as Tier 1 and a Blackhole (bogus LAN IP w/ monitoring disabled) gateway set as Tier 2. When setting the gateway to GWGRP1 I would expect traffic to be routed to Blackhole, being that OVPNC1 is down, but instead traffic is handed over to the default route, ignoring any REJECT/BLOCK rules.
I have tested this with 2.0.2 and 2.1-BETA1-i386-20130305-1457.
- Tracker changed from Bug to Feature
- Subject changed from Policy routing to OpenVPN client gateway ignored when VPN is down to Do not route rules to default gateway when its own gateway is down
- Category changed from OpenVPN to Gateways
- Assignee set to Renato Botelho
It's the expected behaviour today, so change it to a Feature and adjust the Subject as well.
- Status changed from New to Feedback
- % Done changed from 0 to 100
Wow thanks for working to add this!
I've applied the patch to pfSense-2.1-BETA1-amd64-20130312-0847 and it does not seem to work. I ticked the option in Advanced->Misc and performed a restart to be safe. Traffic is still sent to the default gateway when the OVPN gateway is down or service stopped.
Maybe I am missing something?
Could you show me /tmp/rules.debug at 2 different moments, when OVPN is up and when it's down?
It appears the rules related to gateway OVPNC1 drop when the VPN is stopped/failed.
Ah, my apologies... It's working as you have written.
Silly me.
I'm assuming that I should now be placing a DENY rule below the rule that specifies the gateway?
Exactly, or you can negate 192.168.99.151 as src on the rule that allows all traffic from 192.168.99.0/24.
It's working perfectly then :)
Sorry about the previous confusion.
- Status changed from Feedback to Closed
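The two fail-closed arrangements discussed in the thread (a block rule directly below the policy-routing rule, or an inverted source on the catch-all allow rule), written out as an added pf.conf illustration that is not from this ticket nor from pfSense's generated /tmp/rules.debug; the interface names em1/ovpnc1, the VPN gateway 10.8.0.1 and the ordering are assumptions, the addresses come from the thread:

```pf
# Hand-written illustration (assumed interfaces: LAN = em1, OpenVPN client = ovpnc1
# with gateway 10.8.0.1). 192.168.99.0/24 and 192.168.99.151 are the values from the thread.
#
# With the option added by this ticket enabled, pfSense omits the route-to rule
# below from the ruleset while the OVPNC1 gateway is down. Without a rule that
# catches the host afterwards, its traffic would simply match the general LAN
# allow rule and leave via the default gateway, which is the behaviour reported.

# 1. Policy-route one host through the VPN (present only while OVPNC1 is up).
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet from 192.168.99.151 to any keep state

# 2a. Fail closed: a block rule placed directly below the policy-routing rule.
#     While rule 1 exists it wins ("quick"); when rule 1 is dropped from the
#     ruleset the host's traffic stops here instead of reaching the default route.
block return in quick on em1 inet from 192.168.99.151 to any

# 3. General LAN allow rule, evaluated after the rules above.
pass in quick on em1 inet from 192.168.99.0/24 to any keep state

# 2b. Alternative to 2a: keep no block rule and instead invert the source on the
#     catch-all allow rule, so the VPN host never matches it. pf cannot express
#     "network except one host" in a single address expression, and "!" inside a
#     { } list does not do what it looks like, so a single negated source is used;
#     on the LAN interface this is equivalent to "LAN net except that host".
# pass in quick on em1 inet from ! 192.168.99.151 to any keep state
```

Use either 2a or 2b, not both; with 2b the host's traffic is dropped by pf's implicit default behaviour or the final block rule, rather than by an explicit per-host rule.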