
I'd like to block use of the internet via my laptop's wifi network adapter while allowing LAN traffic to continue, using the command line so that it can be scripted.

To do that, I've tried adding a firewall rule that restricts traffic to the default gateway, as described here.

netsh advfirewall firewall add rule name="Block default gateway" dir=out action=block remoteip=192.168.179.1

When I do that, loading websites not recently visited in new tabs in the browser fails as you'd expect. But reloading tabs that had previously finished loading succeeds, and pinging a well-known address like Google by using ping www.google.com at the command line is also successful.

If I then try to load www.google.com in a new tab in the browser it fails, and then after that if I try again to ping www.google.com at the command line that also fails.

It is as though not all requests are being sent via the default gateway, and are cached somewhere for a while.

To try to address that, I've tried flushing the route table with the following command, as described here.

netsh interface ip delete destinationcache

However, it doesn't seem to solve the problem.

How can I force the firewall rule to have an immediate effect even on open browser tabs or when connecting to addresses that have recently been visited?

Update: Please note that removing the default gateway using the route command does not work. The gateway is restored by the OS or something else that is running. (Details in comments on the related answer below.)

velw
  • 101

1 Answer


That rule will never have any effect on existing connections, delayed or not, because all those connections are not made to the gateway's IP address in the first place.

A connection to Google has Google's IP address as the "destination", a connection to SuperUser.com has SuperUser's IP address as its destination, and so on, whereas the gateway's IP address is not used for that at all – only its MAC address is.

So the only thing you are blocking is DNS queries to the gateway's built-in DNS server. With the rule in place you can't make new DNS queries to look up domain names, but you can still look up what's in the Windows DNS cache, and you can still send packets to servers whose IP address is already known (because – again – you're not sending them to the gateway's IP address, you're sending them to the server's IP address).

To prevent the OS from using 192.168.179.1 as a gateway, do not configure it as the gateway in the first place: use route delete to remove any routes (e.g. the 0.0.0.0 "default route") which specify it as a gateway.

grawity
  • 501,077
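The answer's point is that a rule keyed on the gateway's IP address only catches DNS queries to the gateway, because real traffic carries the remote server's IP as its destination. The script below is an added example, not code from the question or the answer: it expresses the intended policy ("LAN yes, internet no") in the firewall's own terms by making outbound traffic blocked by default and then allowing only destinations on the local subnet (netsh's built-in localsubnet scope keyword). It also removes the "Block default gateway" rule from the question and flushes the resolver cache so previously cached lookups do not mask the change. The rule name "LAN only - allow local subnet" and the lanonly/restore arguments are this example's own choices; the commands themselves are standard netsh, ipconfig and route syntax. Run it from an elevated command prompt.

```batch
@echo off
REM Added example (not from the original question or answer).
REM Usage:  lanonly.cmd          - block internet, keep LAN traffic
REM         lanonly.cmd restore  - put the outbound policy back to the default
REM Assumptions: run as Administrator; the rule name below is our own choice.

if /i "%~1"=="restore" goto restore

:lanonly
REM Remove the gateway-IP rule from the question; it only blocks DNS to the
REM gateway's resolver and does nothing to connections bound for internet hosts.
netsh advfirewall firewall delete rule name="Block default gateway"

REM 1. Make "block" the default verdict for outbound traffic on every profile.
REM    From now on, anything that is not explicitly allowed cannot leave.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

REM 2. Allow outbound traffic whose destination lies on the local subnet of
REM    any interface, so file shares, printers and other LAN hosts keep working.
REM    "localsubnet" is a built-in netsh scope keyword, not a literal address.
netsh advfirewall firewall add rule name="LAN only - allow local subnet" dir=out action=allow remoteip=localsubnet

REM 3. Clear the Windows DNS cache so names resolved before the change do not
REM    keep answering from cache (the answer notes cached lookups still work).
ipconfig /flushdns

REM 4. Show the IPv4 routing table for inspection. The default route (0.0.0.0)
REM    is left alone on purpose: the question reports it gets re-added by the
REM    OS, so this approach relies on firewall scope rather than route removal.
route print -4

REM 5. Show the resulting rule so the scope can be verified.
netsh advfirewall firewall show rule name="LAN only - allow local subnet"
goto end

:restore
REM Undo: drop the LAN-only rule and restore the default outbound policy.
netsh advfirewall firewall delete rule name="LAN only - allow local subnet"
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
ipconfig /flushdns
goto end

:end
```

Because the verdict is now decided by destination scope instead of by the gateway's address, a tab reload to an already-resolved internet IP is blocked the same way a fresh lookup is, and DNS to a resolver on the LAN (such as the one built into the gateway) still works, so names resolve but the connections that follow are dropped. If a specific internet host must remain reachable, add a narrower dir=out action=allow rule for that remoteip before the default block takes effect.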