My router with rare exceptions was solidly running a VPN to my provider for select devices on my network using PBR with the config below.

1. now in those rare exceptions the link would go down those select devices would connect to the internet via default route unprotected. Therefore I wanted to know how could I add a kill switch because all examples I find delete the default route killing internet access for the entire network not just my select devices.

2. second question is that although the link mostly would come back automatically (e.g. when I kill VPN connection via provider control panel) there were occasions I had to log in to issue "clear crypto isakmp" and "clear crypto session" to bring it back. Thus, I would also like to know how could I improve automatic reconnection and if there is a way for Cisco router to alert me about the link going down for an extended period of time.

3. while I am at it I was wondering what is the best way to prevent DNS leaking. Most internet advice was around source interface and DNS view but I ended up with "ip route 1.1.1.1 255.255.255.255 Virtual-PPP1" as I am using Cloudflare DNS as my resolver. Thoughts?

4. to make the entire thing work I did place the Cisco router behind pfsense router because of ACL statement "permit udp host 192.168.100.40 eq 1701 host [VPNIP] eq 1701" Since I am on residential dynamic IP there is no workaround to make this L2TP client config work if Cisco WAN IP was dynamically assigned, correct?

thank you