pfSense

Should be fixed by https://github.com/pfsense/pfsense/pull/1594
There did not seem to be any code to handle the mark gateway down setting when processing policy-routing rules.

ill try the other patch but i gues the skip rules isnt working as well because for voip to work i need to send it through tunnel as directly out of wan is blocked by isp so when tunnel goes down i need to skip the rule entirely or else if any sip packets go directly to isp then they blacklist my IP which causes all UDP traffic to be heavily filtered almost killing all UDP traffic

The code after my change 1594 effectively removes the force_down gateway from the list, just like other gateways are not put in the list if they are down. The result in these cases is that no "route-to" is put. Then later code checks these conditions and omits the rule entirely if "skip rules when gateway down" is set. I think it will:
a) When gateway is marked down, then make the rule anyway but without the rout-to, this passing the traffic to the routing table.
b) When gateway is marked down and "skip rules when gateway down" is set, omit the rule altogether - so that the traffic might be blocked if there is no other general rule to pass it.

But maybe I missed some other downstream changed that is also needed - it did seem to be too easy/small a fix when I investigated it :)

There is also the case of marking force_down on a gateway/s that are part of a gateway group, then what happens if all gateway group members end up being down. I haven't tried what happens there. When the whole gateway group is down, then I think the system should be respecting the "skip rules when gateway down" setting when deciding whether to still put the rule in the rule-set.

link to thread

https://forum.pfsense.org/index.php?topic=91392.0

the last 2 patches for this would solve marked down gateway to be skipped or passed to default gateway but the other issue i started now having in the last 2 posts is inspite of gateway not marked down and gateway being up, traffic still stops going through it

i think im suffering from the issue mentioned here https://redmine.pfsense.org/issues/4296#change-17784 as i have the alias with FQDN as well as ip addresses

just wanted to know the patch mentioned there is all that will fix it or there are any more commits relating to this?

i tried the patch, it works partially, first i have the rule to pass traffic to sip server through tunnel and next rule block it so it doesnt go out of wan and when i force the vpn gateway down, it shows down everywhere but the sip device on lan is able to register to server but calls then get dropped or dont go through.

sip registration still occurs shown by the below state table entry where as marking it down should omit the rule completely or block any such traffic

LAN udp x.x.x.x:5060 <- 192.168.0.11:5060 MULTIPLE:MULTIPLE
VPN udp 10.10.0.62:5060 (192.168.0.11:5060) -> x.x.x.x:5060 MULTIPLE:MULTIPLE

When you force a gateway down, there might still be states that are functioning across that gateway - in this case the SIP registration process. The new ruleset gets applied, without the rule to pass traffic, but the existing state/s are not removed. We know that the gateway is still physically working, so that would be why the registration function keeps working but new calls do not work.
System->Advanced, Miscellaneous "State Killing on Gateway Failure" should clear up old states when the gateway is forced down. See if that works in conjunction with "Mark Gateway Down".

yes but sip registration states still get created after i manually removed the existing states and even shutdown my sip devices for timeout period.

that state table entry gets created even after killing it multiple times so could be manually removing them doesnt work i guess

bytheway that state killing gateway failure is unticked