i try to explain better.
what i want is IP-s range 192.168.1.3-192.168.1.100 not use VPN (go through WAN)
and IP range after that 192.168.1.101-192.168.1.255 use VPN (go through VPN)
Sorry, I haven't understood your OP properly. For this, you don't need any killswitch rule (and your mentioning it has sent me off-track as I started looking up what you mean by killswitch rule so I haven't read the rest carefully) but something commonly called policy routing
, where you choose one of several different routing tables depending on some criteria - in your case, the criteria is the source address range. So in the routing table used for 192.168.1.3-192.168.1.100, the default route will use the gateway on WAN, while in the routing table used for 192.168.1.101-192.168.1.254 (255 cannot be used as a client address in a /24 subnet), the default route will use the gateway on the VPN. One of many explanations how to do that is here
but also need killswitch function when VPN goes offline then WAN goes offline too
If you have in mind that if VPN goes down, the clients with addresses in the 192.168.1.101-192.168.1.254 range will not be able to use WAN instead, either the killswitch rule will take care of it if completed with src-address=192.168.1.101-192.168.1.254
, or a type=blackhole
default route in the routing table for that source address range can be used instead of that rule. The default route via VPN would have distance=1
, the blackhole default route would have distance=2
. So as long as the VPN is up, the route with distance=1
is used; when the VPN goes down, that route becomes unavailable, so the blackhole route is used instead, rather than the default route in the default routing table which would otherwise kick in.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.