author | Ermal LUÇI <eri@pfsense.org> | 2015-04-03 19:59:23 +0200 |
---|---|---|
committer | Ermal LUÇI <eri@pfsense.org> | 2015-04-03 19:59:35 +0200 |
commit | 0887e836c45242e5afb8840acf2de9262f65d27c (patch) | |
tree | f881bf74837fb53bf4107ac49084b0686b7023f3 /etc | |
parent | ebb9469d4e7ccb1986a4c17f1cdb44caf6bb6ad8 (diff) | |
Fixes #4504 Allow the bypass policy for LAN to be enabled and prevent traffic sent to the LAN IP from going into the IPsec tunnel
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/vpn.inc | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 6f63839..ce8181c 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -641,6 +641,25 @@ EOD;
 $ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n";
 $ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
 
+ if (isset($config['ipsec']['shuntlaninterfaces'])) {
+ if ($config['interfaces']['lan']) {
+ $lanip = get_interface_ip("lan");
+ if (!empty($lanip) && is_ipaddrv4($lanip)) {
+ $lansn = get_interface_subnet("lan");
+ $lansa = gen_subnet($lanip, $lansn);
+ $ipsecconf .= <<<EOD
+conn bypasslan
+ leftsubnet={$lanip}/32
+ rightsubnet={$lansa}/{$lansn}
+ authby=never
+ type=pass
+ auto=route
+
+EOD;
+ }
+ }
+ }
+
 foreach ($a_phase1 as $ph1ent) {
 if (isset($ph1ent['disabled'])) {
 continue;
|
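Review bot: `if ($config['interfaces']['lan'])` reads the key without isset(), so a configuration with no 'lan' interface entry raises an undefined-index notice before the check fails; `if (isset($config['interfaces']['lan'])) {` matches the isset() used on the line above it. The heredoc splices `$lansn` and `$lansa` into ipsec.conf without the validation `$lanip` receives from is_ipaddrv4(), so a short comment stating that get_interface_subnet() and gen_subnet() are trusted to return a sane prefix and network here, or a guard on the prefix length, would document that assumption for the generated `type=pass` policy. The shunt is IPv4-only, so an IPv6 LAN address still goes through the tunnel policy; a one-line comment such as `// bypass policy is generated for the IPv4 LAN address only` would make that visible. The enclosing function continues outside the hunk.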