authorSeth Mos <seth.mos@xs4all.nl>2007-09-01 18:30:20 +0000
committerSeth Mos <seth.mos@xs4all.nl>2007-09-01 18:30:20 +0000
commitbc40d758bea5ba6be700bd83fd9a7ae643378faa (patch)
treeb60c4130ee7b5e9cfdcae080538bbc6cc8672ce7 /etc
parentc1abd446e2a96ad48a3d477d0f24ff5bbd8ae097 (diff)
Create a management subnet on a wan interface if the interface is DHCP.
Create automatic nat rules for the management subnet. Make the automatic nat rules always use the interface address. Allow entry of these subnets on the interfaces page.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc126
-rw-r--r--etc/inc/interfaces.inc36
2 files changed, 114 insertions, 48 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 5892a7f..3c1ace3 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -695,31 +695,44 @@ function filter_nat_rules_generate() {
} else {
/* standard outbound rules (one for each interface) */
update_filter_reload_status("Creating outbound NAT rules");
-
+ $target = get_current_wan_address($interface = "wan");
+ if(is_ipaddr($wancfg['alias-address'])) {
+ $aliastarget = $wancfg['alias-address'];
+ $aliassubnet = $wancfg['alias-subnet'];
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$lansa}/{$lancfg['subnet']}", null, "$aliastarget/$aliassubnet", null, $aliastarget, null, false);
+ }
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false);
+ "{$lansa}/{$lancfg['subnet']}", 500, "", 500, $target, 500, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$lansa}/{$lancfg['subnet']}", 4500, "", 4500, null, 4500, false);
+ "{$lansa}/{$lancfg['subnet']}", 4500, "", 4500, $target, 4500, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false);
+ "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, $target, 5060, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$lansa}/{$lancfg['subnet']}");
+ "{$lansa}/{$lancfg['subnet']}", null, "", null, $target, null, false);
$optints = array();
generate_optcfg_array($optints);
/* generate lan nat mappings for opts with a gateway opts */
- foreach($optints as $oc) {
+ foreach($optints as $ocname => $oc) {
$opt_interface = $oc['if'];
if (interface_has_gateway("$opt_interface")) {
+ if(is_ipaddr($config['interfaces'][$ocname]['alias-address'])) {
+ $aliastarget = $config['interfaces'][$ocname]['alias-address'];
+ $aliassubnet = $config['interfaces'][$ocname]['alias-subnet'];
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$lansa}/{$lancfg['subnet']}", null, "$aliastarget/$aliassubnet", null, $aliastarget, null, false);
+ }
+ $target = get_current_wan_address($interface = "$ocname");
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$lansa}/{$lancfg['subnet']}", 500, "", 500, null, 500, false);
+ "{$lansa}/{$lancfg['subnet']}", 500, "", 500, $target, 500, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$lansa}/{$lancfg['subnet']}", 4500, "", 4500, null, 4500, false);
+ "{$lansa}/{$lancfg['subnet']}", 4500, "", 4500, $target, 4500, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, null, 5060, false);
+ "{$lansa}/{$lancfg['subnet']}", 5060, "", 5060, $target, 5060, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$lansa}/{$lancfg['subnet']}");
+ "{$lansa}/{$lancfg['subnet']}", null, "", null, $target, null, false);
}
}
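Review bot: `get_current_wan_address($interface = "wan")` on the first added line (and `$interface = "$ocname"` in the opt loop) is an assignment expression rather than a named argument, so it overwrites any `$interface` variable in `filter_nat_rules_generate()` as a side effect; pass the value directly, `$target = get_current_wan_address("wan");`. The result is then used as the NAT target with no check, and on a DHCP interface without a lease it may be empty; what `filter_nat_rules_generate_if()` emits for an empty target is not visible here, so a guard such as `if (!is_ipaddr($target)) $target = null;` would fall back to the value the old code passed. The same pattern repeats in the later hunks of this file (opt-subnet, PPTP, PPPoE and static-route sections). The enclosing function starts and ends outside the hunk.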
@@ -730,29 +743,42 @@ function filter_nat_rules_generate() {
if ((isset ($optcfg['enable'])) && (!$optcfg['bridge']) && (!interface_has_gateway("opt{$i}"))) {
$optsa = gen_subnet($optcfg['ipaddr'], $optcfg['subnet']);
-
+ $target = get_current_wan_address($interface = "opt$i");
+ if(is_ipaddr($wancfg['alias-address'])) {
+ $aliastarget = $wancfg['alias-address'];
+ $aliassubnet = $wancfg['alias-subnet'];
+ $natrules .= filter_nat_rules_generate_if($wanif,
+ "{$lansa}/{$lancfg['subnet']}", null, "$aliastarget/$aliassubnet", null, $aliastarget, null, false);
+ }
/* create outbound nat entries for primary wan */
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$optsa}/{$optcfg['subnet']}", 500, "", 500, null, 500, false);
+ "{$optsa}/{$optcfg['subnet']}", 500, "", 500, $target, 500, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$optsa}/{$optcfg['subnet']}", 4500, "", 4500, null, 4500, false);
+ "{$optsa}/{$optcfg['subnet']}", 4500, "", 4500, $target, 4500, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, null, 5060, false);
+ "{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, $target, 5060, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat']));
+ "{$optsa}/{$optcfg['subnet']}", null, "", null, $target, null, isset($optcfg['nonat']));
/* create outbound nat entries for all opt wans */
- foreach($optints as $oc) {
+ foreach($optints as $ocname => $oc) {
$opt_interface = $oc['if'];
if (interface_has_gateway("$opt_interface")) {
+ $target = get_current_wan_address($interface = "$ocname");
+ if(is_ipaddr($config['interfaces'][$ocname]['alias-address'])) {
+ $aliastarget = $config['interfaces'][$ocname]['alias-address'];
+ $aliassubnet = $config['interfaces'][$ocname]['alias-subnet'];
+ $natrules .= filter_nat_rules_generate_if($opt_interface,
+ "{$lansa}/{$lancfg['subnet']}", null, "$aliastarget/$aliassubnet", null, $aliastarget, null, false);
+ }
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$optsa}/{$optcfg['subnet']}", 500, "", 500, null, 500, false);
+ "{$optsa}/{$optcfg['subnet']}", 500, "", 500, $target, 500, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$optsa}/{$optcfg['subnet']}", 4500, "", 4500, null, 4500, false);
+ "{$optsa}/{$optcfg['subnet']}", 4500, "", 4500, $target, 4500, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, null, 5060, false);
+ "{$optsa}/{$optcfg['subnet']}", 5060, "", 5060, $target, 5060, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$optsa}/{$optcfg['subnet']}", null, "", null, null, null, isset($optcfg['nonat']));
+ "{$optsa}/{$optcfg['subnet']}", null, "", null, $target, null, isset($optcfg['nonat']));
}
}
}
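Review bot: The `$wanif` rules in this block take their target from `get_current_wan_address($interface = "opt$i")`, but the enclosing condition selects opt interfaces that have no gateway, so the translation address handed to the WAN rules is looked up for an internal interface instead of WAN; this looks like it should be `get_current_wan_address("wan")`, as in the other sections of the commit. Both added alias rules here also use `"{$lansa}/{$lancfg['subnet']}"` as the source while every other rule in the block uses `"{$optsa}/{$optcfg['subnet']}"`, so the opt subnet appears to get no management-subnet rule and the LAN rule is emitted again on every iteration. If that is a copy-paste slip, the source should read `"{$optsa}/{$optcfg['subnet']}"`. The loop and function bodies extend beyond the hunk.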
@@ -763,27 +789,29 @@ function filter_nat_rules_generate() {
$pptp_subnet = $g['pptp_subnet'];
if($config['pptp']['pptp_subnet'] <> "")
$pptp_subnet = $config['pptp']['pptp_subnet'];
+ $target = get_current_wan_address($interface = "wan");
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, null, 500, false);
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, $target, 500, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 4500, "", 4500, null, 4500, false);
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 4500, "", 4500, $target, 4500, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, null, 5060, false);
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, $target, 5060, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$pptpdcfg['remoteip']}/{$pptp_subnet}");
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", null, "", null, $target, null, false);
/* generate nat mappings for opts with a gateway opts */
- foreach($optints as $oc) {
+ foreach($optints as $ocname => $oc) {
$opt_interface = $oc['if'];
if ((is_private_ip($pptpdcfg['remoteip'])) && (interface_has_gateway($opt_interface))) {
+ $target = get_current_wan_address($interface = "$ocname");
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, null, 500, false);
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 500, "", 500, $target, 500, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 4500, "", 4500, null, 4500, false);
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 4500, "", 4500, $target, 4500, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, null, 5060, false);
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", 5060, "", 5060, $target, 5060, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$pptpdcfg['remoteip']}/{$pptp_subnet}");
+ "{$pptpdcfg['remoteip']}/{$pptp_subnet}", null, "", null, $target, null, false);
}
}
}
@@ -793,27 +821,29 @@ function filter_nat_rules_generate() {
$pppoe_subnet = $g['pppoe_subnet'];
if($config['pppoe']['pppoe_subnet'] <> "")
$pppoe_subnet = $config['pppoe']['pppoe_subnet'];
+ $target = get_current_wan_address($interface = "wan");
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, null, 500, false);
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, $target, 500, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 4500, "", 4500, null, 4500, false);
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 4500, "", 4500, $target, 4500, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, null, 5060, false);
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, $target, 5060, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$pppoecfg['remoteip']}/{$pppoe_subnet}");
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", null, "", null, $target, null, false);
/* generate nat mappings for opts with a gateway opts */
- foreach($optints as $oc) {
+ foreach($optints as $ocname => $oc) {
$opt_interface = $oc['if'];
if ((is_private_ip($pppoecfg['remoteip'])) && (interface_has_gateway($opt_interface))) {
+ $target = get_current_wan_address($interface = "$ocname");
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, null, 500, false);
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 500, "", 500, $target, 500, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 4500, "", 4500, null, 4500, false);
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 4500, "", 4500, $target, 4500, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, null, 5060, false);
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", 5060, "", 5060, $target, 5060, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$pppoecfg['remoteip']}/{$pppoe_subnet}");
+ "{$pppoecfg['remoteip']}/{$pppoe_subnet}", null, "", null, $target, null, false);
}
}
}
@@ -823,27 +853,29 @@ function filter_nat_rules_generate() {
foreach ($config['staticroutes']['route'] as $route) {
$netip = explode("/", $route['network']);
if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0]))) {
+ $target = get_current_wan_address($interface = "wan");
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$route['network']}", 500, "", 500, null, 500, false);
+ "{$route['network']}", 500, "", 500, $target, 500, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$route['network']}", 4500, "", 4500, null, 4500, false);
+ "{$route['network']}", 4500, "", 4500, $target, 4500, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$route['network']}", 5060, "", 5060, null, 5060, false);
+ "{$route['network']}", 5060, "", 5060, $target, 5060, false);
$natrules .= filter_nat_rules_generate_if($wanif,
- "{$route['network']}", "", null);
+ "{$route['network']}", null, "", null, $target, null, false);
}
/* generate nat mapping for static routes on opts */
- foreach($optints as $oc) {
+ foreach($optints as $ocname => $oc) {
$opt_interface = $oc['if'];
if ((! interface_has_gateway($route['interface'])) && (is_private_ip($netip[0])) && (interface_has_gateway($opt_interface))) {
+ $target = get_current_wan_address($interface = "$ocname");
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$route['network']}", 500, "", 500, null, 500, false);
+ "{$route['network']}", 500, "", 500, $target, 500, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$route['network']}", 4500, "", 4500, null, 4500, false);
+ "{$route['network']}", 4500, "", 4500, $target, 4500, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$route['network']}", 5060, "", 5060, null, 5060, false);
+ "{$route['network']}", 5060, "", 5060, $target, 5060, false);
$natrules .= filter_nat_rules_generate_if($opt_interface,
- "{$route['network']}", "", null);
+ "{$route['network']}", null, "", null, $target, null, false);
}
}
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index c77eeb6..9fb01fe 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -984,6 +984,17 @@ interface "{$optif}" {
EOD;
+if(is_ipaddr($optcfg['alias-address'])) {
+ $subnetmask = gen_subnet_mask($optcfg['alias-subnet']);
+ $dhclientconf .= <<<EOD
+alias {
+ interface "{$optif}";
+ fixed-address {$optcfg['alias-address']};
+ option subnet-mask {$subnetmask};
+}
+
+EOD;
+}
fwrite($fd, $dhclientconf);
fclose($fd);
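Review bot: Only `alias-address` is validated before the alias block is written into the dhclient configuration; `alias-subnet` is passed to `gen_subnet_mask()` unchecked, so a missing or non-numeric value ends up in `option subnet-mask` as whatever that helper returns. Tightening the guard to `if (is_ipaddr($optcfg['alias-address']) && is_numeric($optcfg['alias-subnet'])) {` keeps a malformed config entry from producing a broken or unintended alias stanza. The same applies to the two other alias blocks added further down in this file. The function that builds `$dhclientconf` starts outside the hunk, so any validation done earlier on these keys is not visible here.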
@@ -1028,6 +1039,18 @@ interface "{$realinterface}" {
EOD;
+if(is_ipaddr($optcfg['alias-address'])) {
+ $subnetmask = gen_subnet_mask($optcfg['alias-subnet']);
+ $dhclientconf .= <<<EOD
+alias {
+ interface "{$optif}";
+ fixed-address {$optcfg['alias-address']};
+ option subnet-mask {$subnetmask};
+}
+
+EOD;
+}
+
fwrite($fd, $dhclientconf);
fclose($fd);
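Review bot: The alias block writes `interface "{$optif}";` although the interface stanza directly above it, per the hunk header, is written for `{$realinterface}`; if `$optif` is unset or names a different device in this function, dhclient receives an alias for an empty or wrong interface. Unless both variables are known to hold the same device here, the line should read `interface "{$realinterface}";`. The function body lies outside the hunk, so this needs to be confirmed against where `$optif` is assigned.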
@@ -1075,6 +1098,17 @@ interface "{$wancfg['if']}" {
EOD;
+if(is_ipaddr($wancfg['alias-address'])) {
+ $subnetmask = gen_subnet_mask($wancfg['alias-subnet']);
+ $dhclientconf .= <<<EOD
+alias {
+ interface "{$wancfg['if']}";
+ fixed-address {$wancfg['alias-address']};
+ option subnet-mask {$subnetmask};
+}
+
+EOD;
+}
fwrite($fd, $dhclientconf);
fclose($fd);
@@ -1659,4 +1693,4 @@ function get_interface_mac($interface) {
return $mac;
}
-?> \ No newline at end of file
+?>