Netgate Discussion Forum

Skip rules when gateway is down - doesn't work, WUT?

Firewalling
3 Posts 2 Posters 701 Views
    Mr. Jingles
    last edited by Feb 3, 2015, 6:57 AM Feb 2, 2015, 7:51 AM

    G'day all  ;D

    pfSense 2.1.5

    Top of the LAN rules:

    [src] LAN-net [dest] VPN1-Alias [gateway] VPN1-gateway
    [src] LAN-net [dest] VPN2-Alias [gateway] VPN2-gateway

    And set in System/advanced:

    Skip rules when gateway is down

    The rule for VPN1 works, however, for VPN2 it does not. It did work, and there is only one difference:

    The account has expired. So there is no 10.x.x.x IP issued to me from that provider (VPN log: AUTH failed. Dashboard: no IP for that VPN). The gateway shows 'pending', not 'down' in the dashboard.

    So, instead of blocking traffic out via VPN2 it happily sends it over the default gateway.

    Ergo: when the account is expired SkipRulesWhenGateWayIsDown is ignored?

    "This is not a bug, it's a feature"?

    ( ;D )

    Bug?

    Thank you in advance for any help  :P

    Bye,

    6 and a half billion people know that they are stupid, aggressive, lower life forms.

      Mr. Jingles
      last edited by Feb 6, 2015, 5:41 PM

      I take it I should have read the manual, apparently somewhere in there will be a line saying it is a feature  ;D ;D

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

        jimp Rebel Alliance Developer Netgate
        last edited by Feb 12, 2015, 3:19 PM

        The rule is literally skipped (omitted) when it's down. If you have a pass rule under that using a default gateway, then it will go that way.

        The behavior without the box checked is to simply act as if the gateway doesn't have a rule.
        With the box checked, the rule is not put into the ruleset if the gateway is down.

        So if you really don't want them to go out some other way, then you could do

        PASS [src] LAN-net [dest] VPN2-Alias [gateway] VPN2-gateway
        BLOCK [src] LAN-net [dest] VPN2-Alias

        Then when the skip happens it will hit the block and not a later pass rule.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

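The behaviour jimp describes, and why the block rule fixes the leak the original post reports, can be checked with a small model of ruleset generation. The code below is an added example written for this thread; it is not pfSense code and does not reproduce how pfSense actually builds its pf ruleset. It assumes documentation-range addresses for LAN-net, VPN1-Alias and VPN2-Alias, assumes a later "LAN allow anything" pass rule below the two policy-routed rules (the thread only implies such a rule), evaluates rules first-match, and models gateway state as a plain up/down boolean because the thread does not settle how a gateway shown as 'pending' is treated.

```python
"""Toy model of the "Skip rules when gateway is down" option.

Constructed example, not pfSense code. Rules are evaluated first-match,
and gateway status is a plain boolean (assumption: the thread does not
say how a 'pending' gateway is classified).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addresses (documentation ranges), not the poster's real values.
LAN_NET = "192.168.1.0/24"
VPN1_ALIAS = "203.0.113.0/24"   # hypothetical contents of VPN1-Alias
VPN2_ALIAS = "198.51.100.0/24"  # hypothetical contents of VPN2-Alias


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: str                       # CIDR
    dst: str                       # CIDR
    gateway: Optional[str] = None  # None means the default gateway


def build_ruleset(rules: List[Rule], down: Dict[str, bool],
                  skip_when_down: bool) -> List[Rule]:
    """Return the rules that actually get loaded.

    Box checked:   a rule whose gateway is down is omitted entirely.
    Box unchecked: the rule stays but acts as if it had no gateway set.
    """
    loaded = []
    for r in rules:
        if r.gateway is not None and down.get(r.gateway, False):
            if skip_when_down:
                continue                      # rule dropped from the ruleset
            loaded.append(replace(r, gateway=None))  # routed via default
        else:
            loaded.append(r)
    return loaded


def evaluate(loaded: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; nothing matching means default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in loaded:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            if r.action == "block":
                return "block"
            return "pass via " + (r.gateway or "default")
    return "block"  # implicit default deny


# The poster's layout: two policy-routed pass rules on top, then the usual
# LAN "allow anything" rule below them (assumed; the thread implies a later pass rule).
ORIGINAL = [
    Rule("pass", LAN_NET, VPN1_ALIAS, "VPN1-gateway"),
    Rule("pass", LAN_NET, VPN2_ALIAS, "VPN2-gateway"),
    Rule("pass", LAN_NET, "0.0.0.0/0"),
]

# jimp's suggestion: a block rule directly under each policy-routed pass rule.
HARDENED = [
    Rule("pass", LAN_NET, VPN1_ALIAS, "VPN1-gateway"),
    Rule("block", LAN_NET, VPN1_ALIAS),
    Rule("pass", LAN_NET, VPN2_ALIAS, "VPN2-gateway"),
    Rule("block", LAN_NET, VPN2_ALIAS),
    Rule("pass", LAN_NET, "0.0.0.0/0"),
]


def outcome(rules: List[Rule], skip_when_down: bool, vpn2_down: bool = True) -> str:
    """Where a LAN host's packet to a VPN2-Alias address ends up."""
    down = {"VPN1-gateway": False, "VPN2-gateway": vpn2_down}
    loaded = build_ruleset(rules, down, skip_when_down)
    return evaluate(loaded, "192.168.1.10", "198.51.100.7")


if __name__ == "__main__":
    print("original, skip on :", outcome(ORIGINAL, True))    # leaks via default
    print("original, skip off:", outcome(ORIGINAL, False))   # also via default
    print("hardened, skip on :", outcome(HARDENED, True))    # block
    print("hardened, skip off:", outcome(HARDENED, False))   # still leaks
    print("hardened, VPN2 up :", outcome(HARDENED, True, vpn2_down=False))
```

The model shows the two things a defender wants to verify: with only the policy-routed pass rule, a down gateway leaves the packet to fall through to the later default-gateway pass rule whether the box is checked or not, and the pass-then-block pair only closes that path when the skip option is on, since an unchecked box keeps the pass rule in place with no gateway.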