diff options
author | Ermal LUÇI <eri@pfsense.org> | 2015-04-03 19:59:23 +0200 |
---|---|---|
committer | Ermal LUÇI <eri@pfsense.org> | 2015-04-03 19:59:23 +0200 |
commit | 534753890c74d7ce1188fe9a7b6f5f1b153f802d (patch) | |
tree | 6a92685abfa8a2156eaa05fb38237284d60a6c23 /etc | |
parent | 9bbc482102d7a0a562a4368e9034e499651ac2e6 (diff) | |
download | pfsense-534753890c74d7ce1188fe9a7b6f5f1b153f802d.zip pfsense-534753890c74d7ce1188fe9a7b6f5f1b153f802d.tar.gz |
Fixes #4504 Allow the bypass policy for LAN to be enabled and prevent traffic sent to lan ip to go to the ipsec tunnel
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/vpn.inc | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc index 8df1e6f..3131666 100644 --- a/etc/inc/vpn.inc +++ b/etc/inc/vpn.inc @@ -590,6 +590,25 @@ EOD; $ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n"; $ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n"; + if (isset($config['ipsec']['shuntlaninterfaces'])) { + if ($config['interfaces']['lan']) { + $lanip = get_interface_ip("lan"); + if (!empty($lanip) && is_ipaddrv4($lanip)) { + $lansn = get_interface_subnet("lan"); + $lansa = gen_subnet($lanip, $lansn); + $ipsecconf .= <<<EOD +conn bypasslan + leftsubnet={$lanip}/32 + rightsubnet={$lansa}/{$lansn} + authby=never + type=pass + auto=route + +EOD; + } + } + } + foreach ($a_phase1 as $ph1ent) { if (isset($ph1ent['disabled'])) continue; |