From 534753890c74d7ce1188fe9a7b6f5f1b153f802d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ermal=20LU=C3=87I?=
Date: Fri, 3 Apr 2015 19:59:23 +0200
Subject: Fixes #4504 Allow the bypass policy for LAN to be enabled and prevent traffic sent to lan ip to go to the ipsec tunnel
---
 etc/inc/vpn.inc | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'etc')
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 8df1e6f..3131666 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -590,6 +590,25 @@ EOD;
 $ipsecconf .= "config setup\n\tuniqueids = {$uniqueids}\n";
 $ipsecconf .= "\tcharondebug=\"" . vpn_ipsec_configure_loglevels(true) . "\"\n";
+ if (isset($config['ipsec']['shuntlaninterfaces'])) {
+ if ($config['interfaces']['lan']) {
+ $lanip = get_interface_ip("lan");
+ if (!empty($lanip) && is_ipaddrv4($lanip)) {
+ $lansn = get_interface_subnet("lan");
+ $lansa = gen_subnet($lanip, $lansn);
+ $ipsecconf .= <<