pfsense:install_pfsense:pfsense_configuration

Differences

This shows you the differences between two versions of the page.

pfsense:install_pfsense:pfsense_configuration [2021/01/05 13:43] – [Miscellaneous Configuration] peterpfsense:install_pfsense:pfsense_configuration [2023/04/22 08:31] (current) peter
Line 7: Line 7:
 In **DNS Server Settings**: In **DNS Server Settings**:
  
-  * DNS servers:  **Any DNS Servers you want to use**.  The Servers here are **not** going to be used, as long as Unbound is not working in Forwarding Mode, so just leave it as default, since we are using the **Resolver** Option for Unbound.   +  * DNS servers:  **Any DNS Servers you want to use**.  The Servers here are **not** going to be used, as long as Unbound is not working in Forwarding Mode, so just leave it as default, since we will be using the **Resolver** Option for Unbound.   
-    * Use Gateway:  **none**.  Only needed on Multi-WAN networks.  As Unbound will be doing the Resolving, these  configuration they are not used anyway.+    * Use Gateway:  **none**.  Only needed on Multi-WAN networks.  As Unbound will be doing the Resolving, these  configuration are not used anyway.
   * DNS Server Override:  **Not Checked**.  To prevent any DNS configuration setup on the system being overridden by the ISP or other applications.   * DNS Server Override:  **Not Checked**.  To prevent any DNS configuration setup on the system being overridden by the ISP or other applications.
-  * Disable DNS Forwarder:  **Not Checked**.  To have pfSense use it'local cache for lookups.+  * Disable DNS Forwarder:  **Not Checked**.  To have pfSense use its local cache for lookups.
  
 <WRAP info> <WRAP info>
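Review bot: The new Use Gateway line still has a number disagreement and a doubled space in "these  configuration are not used anyway"; change it to "this configuration is not used anyway" or "these settings are not used anyway". In the DNS servers line, the sentence chains three clauses ("as long as ..., so just leave it as default, since ..."); splitting it in two would make the condition it depends on (Unbound in Resolver mode, not Forwarding Mode) easier to spot.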
Line 53: Line 53:
   * Allow Agent Forwarding:  **Not Checked**.   * Allow Agent Forwarding:  **Not Checked**.
   * SSH Port:  **22**.   * SSH Port:  **22**.
 +
 +{{:pfsense:install_pfsense:pfsense_-_system_-_advanced_-_admin_access_-_secure_shell.png?800|}}
 +
 +  * Click **Save**.
  
 <WRAP info> <WRAP info>
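Review bot: The relocated image embed ends in "|}}", so the screenshot has an empty caption and no alternative text; add a short title after the pipe, for example "Secure Shell settings". Also note that "Click **Save**" now sits above the "<WRAP info>" block that follows, so a reader working top to bottom saves before reading that note; if the note qualifies the SSH settings listed here, it should stay ahead of the Save step.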
Line 63: Line 67:
 </WRAP> </WRAP>
  
-{{:pfsense:install_pfsense:pfsense_-_system_-_advanced_-_admin_access_-_secure_shell.png?800|}} 
- 
-  * Click **Save**. 
  
  
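Review bot: Style point on the lines left behind after "</WRAP>": with the image and the Save bullet removed, three consecutive blank lines remain in the source. Collapse them to one so the section break matches the rest of the page.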
Line 163: Line 164:
   * Skip rules when gateway is down:  **Not Checked**.     * Skip rules when gateway is down:  **Not Checked**.  
  
-<WRAP center round todo 60%+<WRAP alert
-Check   * Skip rules when gateway is down **Checked**.  +**ALERT:**  Take special note of the **Skip rules when gateway is down** option. 
 + 
 +One might think that with the check mark unchecked, means that it skips rules when the gateway is down.  But no, it means just the opposite! 
 + 
 +  By default, when a rule has a specific gateway set, and this gateway is down, a rule is created and traffic is sent to default gateway. 
 +  This option overrides that behavior and the rule is not created when gateway is down. 
 + 
 +The end result is that if the rules are routing your private traffic over a VPN, but then the VPN goes down for some reason, the system silently routes your traffic to the default network. 
 + 
 +  * Not even the firewall logs provide an alert. 
 +  * They even show the defined gateway rules still executing properly! 
 + 
 +If there is a need to still allow a computer to access the internet anytime (even when VPN is down) then a rule will be needed in **Firewall -> Rules -> LAN** to allow the internal IP address there. 
 + 
 +  * If this access if only needed when the VPN is down, then put it in the LAN firewall rules list after the normal policy-routing rule for VPN traffic. 
 +  * That way it only comes into play when the VPN is down. 
 </WRAP> </WRAP>
  
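Review bot: The unchanged setting line above the alert still reads "Skip rules when gateway is down:  **Not Checked**", which is exactly the state the new alert describes as silently sending VPN-routed traffic to the default gateway. The alert never says which value the reader should choose, so state it explicitly, for example that anyone policy-routing private traffic over a VPN should check the option. The closing advice about placing an allow rule after the policy-routing rule so that "it only comes into play when the VPN is down" holds only when the option is checked, because per the quoted help text the gateway rule is otherwise still created and matches first; say so in that bullet. Wording: "If this access if only needed" should be "is only needed", and "One might think that with the check mark unchecked, means that it skips rules" needs rephrasing, since as written it describes the opposite of the misreading the alert is warning about.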
pfsense/install_pfsense/pfsense_configuration.1609854198.txt.gz · Last modified: 2021/01/05 13:43 by peter
