I’ve got a unique situation where I’m originating a /32 as a secondary IP that my upstream routers aim at my PBX for distribution into OSPF and eventually BGP to my provider. I’ve got some custom iptables rules that handle the mangling of the source address in the POSTROUTING chain. These custom rules are only applied if the FreePBX firewall starts, and it seems that the FreePBX firewall will only start if it sees an active outbound WAN connection, which obviously isn’t present in my case. I can work around this by allowing / NAT’ing the primary LAN IP on the PBX through my hardware firewall to bootstrap an active internet connection, which allows the FreePBX firewall to start and apply the custom iptables rules, but this seems like it shouldn’t be necessary.
Why wouldn’t the FreePBX firewall start without an active internet connection?