The use cases I find here force traffic through a VPN and block unencrypted WAN traffic.
I intend to implement a different policy:
primarily I want to use the VPN, and only as a failover the traffic can use plain WAN.
- the two System.Gateways.Single gateways are dpinger monitored and online
- I guess I have to combine the two gateways in a System.Gateways.Group
- I've also created a Firewall.Aliases list that defines all LAN sources that should follow this policy
- a Firewall.Rules.LAN rule passes all such aliased Traffic to that Gateway-Group
- Firewall.NAT.Outbound rules run hybrid with some manually added ones, see below
- System.Settings.General.Gateway switching [X]checked
- Firewall.Settings.Advanced.Skip rules [_]unchecked
- Firewall.Settings.Advanced.Sticky connections [_]unchecked
however: Tier1 (VPN) has no priority, traffic is routed unencrypted out the WAN, even if WAN is set to never in the group.
According to the Firewall.Log Files.Live View the "(alias)-Traffic goes through VPN" rule is applied to pass the traffic.
Help's appreciated! What am I missing here?
I don't understand in which order the various mechanisms, even if they work as I believe, decide to which gateway the packet is routed:
- policy route @Firewall.Rules.LAN?
- are routes dynamically added when an interface goes down?
- Tier# @System.Gateways.Group?
- Priority @System.Gateways.Single?
- Weight @System.Gateways.Single?
and what are the correct settings for a WAN and VPN gateway exactly?
- Upstream Gateway [_|X]?
- Far Gateway [_|X]?
I assume that, if I punch no holes, i.e. allow rules @Firewall.Rules.OpenVPN, I'm safe from attacks that originate in the VPN network?
works4me since the update to Version 22.7.9 ✓
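The interaction the post asks about (tiers, dpinger state, trigger level, and the "Skip rules when gateway is down" setting), as an added model written for this page, not the poster's configuration or OPNsense code. It assumes the documented behaviour: a gateway group resolves to the lowest tier that still has a usable member, and when no member is usable and "Skip rules" is unchecked, the pass rule is loaded without route-to, so the flow takes the default route (here the constructed `WAN_GW`) unencrypted.

```python
from dataclasses import dataclass

# Constructed model of gateway-group selection (added example, not OPNsense code).
# dpinger marks each gateway online/down and reports loss and RTT; the group's
# trigger level decides which of those conditions make a member unusable.

@dataclass
class Gateway:
    name: str
    status: str                  # "online" or "down" as reported by dpinger
    loss_pct: float = 0.0
    rtt_ms: float = 0.0
    loss_high: float = 20.0      # per-gateway packet-loss high threshold (%)
    latency_high: float = 500.0  # per-gateway latency high threshold (ms)

def usable(gw: Gateway, trigger: str) -> bool:
    """Apply the group's trigger level to one member gateway."""
    if gw.status != "online":
        return False
    lossy, slow = gw.loss_pct >= gw.loss_high, gw.rtt_ms >= gw.latency_high
    return {"member_down": True, "packet_loss": not lossy,
            "high_latency": not slow, "loss_or_latency": not (lossy or slow)}[trigger]

def resolve_group(members: dict, gateways: dict, trigger: str = "member_down") -> list:
    """members maps gateway name -> tier (None = 'Never'). Returns the names
    route-to will use: every usable member of the lowest tier that has one."""
    by_tier: dict = {}
    for name, tier in members.items():
        if tier is not None and usable(gateways[name], trigger):
            by_tier.setdefault(tier, []).append(name)
    return sorted(by_tier[min(by_tier)]) if by_tier else []

def effective_egress(members, gateways, default_gw, skip_when_down=False, trigger="member_down"):
    """Where a LAN flow matched by the policy-routing rule actually leaves the box."""
    chosen = resolve_group(members, gateways, trigger)
    if chosen:
        return chosen
    if skip_when_down:
        return []            # rule is skipped; the flow falls through to later rules
    return [default_gw]      # rule kept without route-to: default route carries it

def scenarios():
    gws = {"VPN_GW": Gateway("VPN_GW", "online"), "WAN_GW": Gateway("WAN_GW", "online")}
    failover = {"VPN_GW": 1, "WAN_GW": 2}      # VPN preferred, WAN as tier-2 backup
    vpn_only = {"VPN_GW": 1, "WAN_GW": None}   # WAN set to "Never"
    out = {"healthy": effective_egress(failover, gws, "WAN_GW")}
    gws["VPN_GW"].status = "down"
    out["vpn_down_failover"] = effective_egress(failover, gws, "WAN_GW")
    out["vpn_down_leak"] = effective_egress(vpn_only, gws, "WAN_GW")
    out["vpn_down_skip"] = effective_egress(vpn_only, gws, "WAN_GW", skip_when_down=True)
    return out
```

The `vpn_down_leak` case is the one to watch: with WAN on "Never" and "Skip rules" unchecked, a VPN outage sends the flow out the default route in the clear, whereas checking "Skip rules" lets a later block rule catch it.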