[SOLVED] Forcing a single IP out over VPN/blocking if VPN is down
Topic: [SOLVED] Forcing a single IP out over VPN/blocking if VPN is down (Read 2105 times)
Callahan
Newbie
Posts: 26
Karma: 0
[SOLVED] Forcing a single IP out over VPN/blocking if VPN is down
« on: March 29, 2020, 07:26:53 pm »
Hi,
As the title suggests, I have already configured 99% of this and it works fine. The issue I have is that if the VPN drops (using IPVanish), I want the hosts in the alias list to be prevented from accessing the Internet.
I have read that this can be achieved by tagging the packets and then using that tag to prevent outbound connections to the default WAN gateway. That doesn't work.
A simpler (or so I thought) way of achieving this would be an exact copy of the top rule forcing said clients out of the VPN, but as a deny rule preventing them from getting anywhere. That way, if the only rule allowing them out can't get to its gateway, the 2nd rule prevents them from getting out.
This should be super simple, but in reality, when the VPN gateway is down, the clients are allowed out over the default gateway despite having a specific rule that they should match on that would deny them outbound connections.
I'm at a loss as to figure out why.
I've added an attachment that shows exactly what I mean. Can anyone tell me what I'm missing to make this deny rule work?
Thanks!
« Last Edit: March 30, 2020, 10:19:13 am by Callahan »
stefanpf
Jr. Member
Posts: 75
Karma: 5
Re: Forcing a single IP out over VPN/blocking if VPN is down
« Reply #1 on: March 29, 2020, 09:00:02 pm »
Maybe this option helps you out:
Firewall > Settings > Advanced > "Gateway Monitoring" > Skip rules when gateway is down.
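The reason the deny rule never fires, and what the option above changes, can be shown with a small first-match simulation. This is an added illustration, not OPNsense or pf code: it models the option's documented behaviour (by default a rule whose gateway is down is still generated, with the gateway stripped so traffic follows the default route; with "Skip rules when gateway is down" enabled the rule is left out of the ruleset instead). The alias name VPN_CLIENTS and the gateway names VPN_GW and WAN_GW are made-up placeholders.

```python
"""Simulate a first-match (quick) ruleset when a policy-routing gateway is down,
with and without the "Skip rules when gateway is down" option.
Illustrative model only, not OPNsense's rule generator."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    source: str               # alias the rule matches on (placeholder name)
    gateway: Optional[str]    # None means "use the system default route"


@dataclass(frozen=True)
class Verdict:
    action: str
    via: Optional[str]        # gateway the traffic leaves through if passed


def generate_ruleset(rules: List[Rule], gateway_up: Dict[str, bool],
                     skip_when_down: bool) -> List[Rule]:
    """Mimic ruleset generation for rules that carry a specific gateway.

    Default: a rule whose gateway is down is still emitted, minus its gateway,
    so matching traffic is routed via the default gateway.
    Skip option: such a rule is dropped from the ruleset entirely.
    """
    generated = []
    for rule in rules:
        if rule.gateway is not None and not gateway_up.get(rule.gateway, False):
            if skip_when_down:
                continue                                   # rule not created
            generated.append(Rule(rule.action, rule.source, None))  # gateway stripped
        else:
            generated.append(rule)
    return generated


def evaluate(ruleset: List[Rule], src_alias: str,
             default_gateway: str = "WAN_GW") -> Verdict:
    """First matching rule wins; nothing matching falls to the implicit deny."""
    for rule in ruleset:
        if rule.source == src_alias:
            if rule.action == "pass":
                return Verdict("pass", rule.gateway or default_gateway)
            return Verdict("block", None)
    return Verdict("block", None)


# The two rules from the thread: pass via the VPN gateway, then deny everything.
RULES = [
    Rule("pass", "VPN_CLIENTS", "VPN_GW"),
    Rule("block", "VPN_CLIENTS", None),
]


def outcome(vpn_up: bool, skip_when_down: bool) -> Tuple[str, Optional[str]]:
    """Return (action, gateway) for a VPN_CLIENTS host under the given state."""
    gateways = {"VPN_GW": vpn_up, "WAN_GW": True}
    ruleset = generate_ruleset(RULES, gateways, skip_when_down)
    verdict = evaluate(ruleset, "VPN_CLIENTS")
    return verdict.action, verdict.via


if __name__ == "__main__":
    for vpn_up in (True, False):
        for skip in (False, True):
            action, via = outcome(vpn_up, skip)
            print(f"VPN up={vpn_up!s:5} skip_when_down={skip!s:5} -> {action} via {via}")
```

With the default setting and the VPN gateway down, the pass rule is still present (now without a gateway), so it matches first and the hosts leave via WAN_GW; the deny rule below it is never reached. With the skip option enabled the pass rule disappears, the deny rule becomes the first match, and the hosts are blocked until the VPN gateway is back up.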
Callahan
Newbie
Posts: 26
Karma: 0
Re: Forcing a single IP out over VPN/blocking if VPN is down
« Reply #2 on: March 30, 2020, 10:17:28 am »
Thanks. That seems like a really crazy option to have switched on by default. It literally does the opposite of what anyone would expect. It turns deny rules into allow rules out of the box!
Thanks for your help Stefan!