VPN with WAN fallback

Started by Andreas.Wien, November 29, 2022, 07:26:49 PM

November 29, 2022, 07:26:49 PM Last Edit: November 30, 2022, 01:21:35 AM by Andreas.Wien
The use cases I find here force traffic through a VPN and block unencrypted WAN traffic.
I intend to implement a different policy:
primarily I want to use the VPN, and only as a failover may the traffic use plain WAN.

  • the two System.Gateways.Single gateways are dpinger monitored and online
  • I guess I have to combine the two gateways in a System.Gateways.Group
  • I've also created a Firewall.Aliases list that defines all LAN sources that should follow this policy
  • a Firewall.Rules.LAN rule passes all such aliased traffic to that gateway group
  • Firewall.NAT.Outbound rules run hybrid with some manually added ones, see below
  • System.Settings.General.Gateway switching [X] checked
  • Firewall.Settings.Advanced.Skip rules [_] unchecked
  • Firewall.Settings.Advanced.Sticky connections [_] unchecked
However: Tier 1 (VPN) has no priority; traffic is routed unencrypted out the WAN, even if WAN is set to "never" in the group.
According to Firewall.Log Files.Live View, the "(alias)-Traffic goes through VPN" rule is applied to pass the traffic.

Help's appreciated! What am I missing here?

I don't understand in which order the various mechanisms, even if they work as I believe, decide to which gateway the packet is routed:

  • policy route @Firewall.Rules.LAN?
  • are routes dynamically added when an interface goes down?
  • Tier# @System.Gateways.Group?
  • Priority @System.Gateways.Single?
  • Weight @System.Gateways.Single?
and what are the correct settings for a WAN and a VPN gateway exactly?

  • Upstream Gateway [_|X]?
  • Far Gateway [_|X]?
I assume that, if I punch no holes, i.e. allow rules @Firewall.Rules.OpenVPN, I'm safe from attacks that originate in the VPN network?

Works for me since the update to version 22.7.9.