I have a single host I would like to force all traffic through tunl1; if tunl1 drops, I want this host to completely lose internet connectivity. Is this possible with Tomato? At the minute I'm running the widely known wanup iptables script, which forces the host down the VPN, but when the tunnel drops this traffic makes its way via the normal gateway to the WAN port.

If .66 is the host I'm talking about, would this work?

    iptables -I FORWARD -i br0 -s 192.168.1.66 -o tun0 -j ACCEPT
    iptables -I FORWARD -i tun0 -s 192.168.1.66 -o br0 -j ACCEPT
    iptables -I FORWARD -i br0 -s 192.168.1.66 -o vlan2 -j DROP
    iptables -I INPUT -i tun0 -s 192.168.1.66 -j REJECT
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

I'm not sure if I need the masquerade or not, or whether the above will accomplish what I need.
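The FORWARD rules from the question, run through a simplified first-match model (an added example, not part of the original post). It models only `-i`, `-o` and `-s`, assumes vlan2 is the WAN interface as the posted DROP rule implies, and uses a constructed remote address; `FALLTHROUGH` is a hypothetical label meaning no posted rule matched.

```python
# Simplified first-match model of the posted FORWARD rules (added example).
# Only -i, -o and -s are modelled; everything else in the router's chain is
# represented by the hypothetical verdict "FALLTHROUGH".
import shlex

POSTED = """\
iptables -I FORWARD -i br0 -s 192.168.1.66 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -s 192.168.1.66 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.1.66 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -s 192.168.1.66 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
"""

def build_chain(script, chain="FORWARD"):
    """Rules in kernel order: -I with no index inserts at position 1, -A appends."""
    rules = []
    for line in script.splitlines():
        tok = shlex.split(line)
        if len(tok) < 3 or tok[0] != "iptables" or tok[2] != chain:
            continue  # other chains and "-t nat" lines are not part of this model
        opts = dict(zip(tok[3::2], tok[4::2]))
        rule = {"in": opts.get("-i"), "out": opts.get("-o"),
                "src": opts.get("-s"), "target": opts["-j"]}
        if tok[1] == "-I":
            rules.insert(0, rule)
        elif tok[1] == "-A":
            rules.append(rule)
    return rules

def verdict(rules, pkt):
    """The first matching rule decides; an option the rule omits matches anything."""
    for r in rules:
        if all(r[k] is None or r[k] == pkt[k] for k in ("in", "out", "src")):
            return r["target"]
    return "FALLTHROUGH"  # decided by whatever else is in the chain

HOST = "192.168.1.66"
REMOTE = "203.0.113.10"  # constructed documentation address
CHAIN = build_chain(POSTED)

def demo():
    return {
        "host out, tunnel up (tun0)": verdict(CHAIN, {"in": "br0", "out": "tun0", "src": HOST}),
        "host out, tunnel down (vlan2)": verdict(CHAIN, {"in": "br0", "out": "vlan2", "src": HOST}),
        "reply to host (in tun0)": verdict(CHAIN, {"in": "tun0", "out": "br0", "src": REMOTE}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The reply case falls through because a packet arriving on tun0 for the host carries the remote address as its source, so a rule with `-i tun0 -s 192.168.1.66` does not match it.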