pfSense

diff --git a/src/etc/inc/captiveportal.inc b/src/etc/inc/captiveportal.inc

index fb8086444b..4f95e5df48 100644

--- a/src/etc/inc/captiveportal.inc

+++ b/src/etc/inc/captiveportal.inc

@@ -1020,6 +1020,7 @@ function captiveportal_passthrumac_delete_entry($macent) {

 	if ($macent['action'] == 'pass') {

 		$pipes = captiveportal_get_dn_passthru_pipes($macent['mac']);

 		if (!empty($pipes)) {

+			// passthrumac should always have 2 pipes, one each for 'ether in' and 'ether out'.

 			captiveportal_pipes_delete($pipes);

 		}

 	} else {

@@ -1088,6 +1089,14 @@ function captiveportal_ether_delete_entry($hostent, $anchor = 'allowedhosts') {

 	$pipes = pfSense_pf_cp_get_eth_pipes("{$cpzoneprefix}_{$anchor}/{$host}");

 	if (!empty($pipes)) {

+		// 2 pipes are reserved per entry; keep the reservation list aligned when a rule is created for a single direction.

+		if (count($pipes) == 1) {

+			if ($hostent['dir'] == 'to') {

+				$pipes[array_key_last($pipes) + 1] = $pipes[array_key_last($pipes)] + 1;

+			} elseif ($hostent['dir'] == 'from') {

+				$pipes[array_key_last($pipes) + 1] = $pipes[array_key_last($pipes)] - 1;

+			}

+		}

 		captiveportal_pipes_delete($pipes);

 	}

 	/* flush anchor rules */

@@ -2590,6 +2599,14 @@ function captiveportal_allowedhostname_cleanup() {

 		$pipes = pfSense_pf_cp_get_eth_pipes("{$cpzoneprefix}_allowedhosts/hostname_{$id}");

 		pfSense_pf_cp_flush("{$cpzoneprefix}_allowedhosts/hostname_{$id}", "ether");

 		if (!empty($pipes)) {

+			// 2 pipes are reserved per entry; keep the reservation list aligned when a rule is created for a single direction.

+			if (count($pipes) == 1) {

+				if ($hostnameent['dir'] == 'to') {

+					$pipes[array_key_last($pipes) + 1] = $pipes[array_key_last($pipes)] + 1;

+				} elseif ($hostnameent['dir'] == 'from') {

+					$pipes[array_key_last($pipes) + 1] = $pipes[array_key_last($pipes)] - 1;

+				}

+			}

 			captiveportal_pipes_delete($pipes);

 		}

 	}

diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc

index f78531488e..d93089267d 100644

--- a/src/etc/inc/system.inc

+++ b/src/etc/inc/system.inc

@@ -3051,18 +3051,21 @@ function system_reboot_cleanup() {

 	mwexec("/usr/local/bin/beep.sh stop");

 	require_once("captiveportal.inc");

 	$cps = config_get_path('captiveportal', []);

+	$preservedb = false;

 	foreach ($cps as $cpzone=>$cp) {

 		if (!isset($cp['preservedb'])) {

 			/* send Accounting-Stop packet for all clients, termination cause 'Admin-Reboot' */

 			captiveportal_radius_stop_all(7); // Admin-Reboot

 			unlink_if_exists("{$g['vardb_path']}/captiveportal{$cpzone}.db");

 			captiveportal_free_dnrules();

+		} else {

+			$preservedb = true;

 		}

 		/* Send Accounting-Off packet to the RADIUS server */

 		captiveportal_send_server_accounting('off');

 	}

-	if (count($cps)> 0) {

+	if (!$preservedb) {

 		/* Remove the pipe database */

 		unlink_if_exists("{$g['vardb_path']}/captiveportaldn.rules");

 	}

diff --git a/src/etc/rc.carpmaster b/src/etc/rc.carpmaster

index fde3e22054..cf8f251f8b 100755

--- a/src/etc/rc.carpmaster

+++ b/src/etc/rc.carpmaster

@@ -149,7 +149,11 @@ if (!empty(config_get_path('captiveportal')) &&

 		}

 	}

-	foreach (array_keys(config_get_path('captiveportal', [])) as $cpzone) {

+	foreach (config_get_path('captiveportal', []) as $cpzone => $cpzone_config) {

+		if ($cpzone_config['interface'] != $friendly) {

+			// Ignore CARP events for unrelated interfaces.

+			continue;

+		}

 		$rpc_client = new pfsense_xmlrpc_client();

 		$rpc_client->setConnectionData(config_get_path('hasync/synchronizetoip'), $xmlrpc_port, $xmlrpc_username, config_get_path('hasync/password'));

 		$resp = $rpc_client->xmlrpc_method('captive_portal_sync', array('op' => 'get_databases', 'zone' => $cpzone));

@@ -169,7 +173,8 @@ if (!empty(config_get_path('captiveportal')) &&

 			if (!empty($unsetindexes)) {

 				captiveportal_remove_entries($unsetindexes, true); // true: prevent carp loop

 			}

-			captiveportal_free_dnrules();

+			// Make sure the passthrumac, ip, and hostname entries are added; clear the rest.

+			captiveportal_init_rules(true);

 			foreach ($connected_users as $user) {

 				if (!is_array($user) || empty($user)) {

diff --git a/src/usr/local/www/services_captiveportal_ip_edit.php b/src/usr/local/www/services_captiveportal_ip_edit.php

index e1de2da60e..b8ce3f88bb 100644

--- a/src/usr/local/www/services_captiveportal_ip_edit.php

+++ b/src/usr/local/www/services_captiveportal_ip_edit.php

@@ -135,15 +135,7 @@ if ($_POST['save']) {

 			$ip['bw_down'] = $_POST['bw_down'];

 		}

-		$oldip = array();

 		if ($this_allowedip_config) {

-			$oldip['ip'] = $this_allowedip_config['ip'];

-			if (!empty($this_allowedip_config['sn'])) {

-				$oldip['sn'] = $this_allowedip_config['sn'];

-			} else {

-				$oldip['sn'] = 32;

-			}

-

 			config_set_path("captiveportal/{$cpzone}/allowedip/{$id}", $ip);

 		} else {

 			config_set_path("captiveportal/{$cpzone}/allowedip/", $ip);

@@ -154,8 +146,8 @@ if ($_POST['save']) {

 		write_config("Captive portal allowed IPs added");

 		if (config_path_enabled("captiveportal/{$cpzone}")) {

-			if (!empty($oldip)) {

-				captiveportal_ether_delete_entry($oldip, 'allowedhosts');

+			if ($this_allowedip_config) {

+				captiveportal_ether_delete_entry($this_allowedip_config, 'allowedhosts');

 			}

 			captiveportal_allowedip_configure_entry($ip);

 		}