Newer mpd versions require this to reconnect. Thanks to Olivier Mueller on support@ for confirming this works.
The physical interface must be passed to find_interface_ip()
this was breaking the racoon.conf for OPT WAN IPsec when interface is not statically addressed
Add tcp.closed 5 to outgoing traffic. This fixes a number of long standing squid and load balancing bugs. Future versions of PF have this bug solved so we will not be adding this change to RELENG_1.
Ticket FEN-857512 in the Centipede Tracker.
Correctly process non carp interfaces
Correctly update static routes on change
Make the vpn configuration add static routes on interfaces other than WAN.
link_carp_interface_to_parent() now correctly returns parent interface instead of always WAN.
Add back auto update support
Let traffic out by their friendly names. When using carp + vlans traffic would be let out on vlan1 but not on carp24 (for example).
Pass description along to generate_optcfg_array callers.
Fixes Loopia and FreeDNS in DynDNS services.
Submitted-by: Urban Skije
Ticket #1702 fixes
Ticket #1677 fixes
MFC of changeset [22584]
Atomic file writing
Patch-by: David Rees
Do not quote an empty string when the DN identifier is blank.
Obtained-from: m0n0wall
Report the username we are syncing with (system > general > username)
This code is a bit different in 1.3.
Add vge to vlan supported nics. Verified by darkx via irc.
Integrate patch sent to m0n0wall-dev by Peter Allgeyer:
we have configured the captive portal to authenticate users against a Radius server with reauthentication every minute. When using the MAC Pass-Through feature, we have problems reaching hosts on the WAN side on...
bump dpd from 20 to 120
Use DPD and frag support we already have
MFC: Send extra sighup after starting. Might fix mobile ipsec after startup
Set /tmp/$interface_router even for non DHCP items.
If XML Carp configuration sync fails, rerun the sync with setDebug(1).
If $interface is not defined, return false.
Ensure lock file is cleared after restart.
Noticed-by: mcrane via forum
Backport -ss syslogd feature from HEAD. Only bind to 127.0.0.1 if we are not remotely sending logs.
Remove bogus check.
Ensure /tmp/y exists before running pkg_delete command.
Missing global $g and $config
File an alert we cannot find a matching subnet for a CARP IP address.
Make sure we sync before mounting ro.
MFC from releng_1. Do not run pfctl -ss 4 times. Dated Nov 15 2007
With the current Racoon we need to inform that we are reloading our SPD entries with a SIGHUP
Only check disabled/enabled status on OPTX interfaces. WAN and LAN are assumed to always be enabled.
When a CARP parent interface is down or disabled, ignore the CARP IP address as this will introduce a panic situation in FreeBSD.
Do not load CARP IP address if we cannot find a matching subnet on a real interface.
Update to racoon-0.7-cvs with Timo Teras patches. Use setkey -f because spd loading works normally now.
Do not pass traffic on user proxy which can cause deadlocks in freebsd
Revert dhclient timeout to the default of 60 seconds (originally didn't realize it was in there two more times).
Remove accidentally added debug code
Revert dhclient timeout to the default of 60 seconds. Setting it to 20 minutes is a bit insane (if you haven't gotten a reply in 60 seconds, you aren't getting one), and causes systems to hang 20 minutes during "Configuring WAN" at boot when there is no DHCP server available...
attempt loading SPD entries 4 times
Somehow sending a SIGHUP before flushing and reloading works better than after. Technically a SIGHUP to racoon should not do anything.
Flush both SA and SPD entries
Fix copy and pasto.
Add sipproxd hooks.
Make 3 passes at loading the SPD entries as this will fail on large configurations > 250 tunnels
Tested by smos@ 399 tunnels 239 active, ok by sullrich@
remove DynDNS cache in services_dyndns_reset()
Ticket #1589
add vr(4) VLAN support
Ticket #1561
Reapply patches from ticket #1532
Correctly remove freebsd package upon package deletion.
text cleanup
Use list of VLAN long frame and native capable interfaces from globals.inc, and remove duplicate (and incomplete) list in interfaces.inc. Update list in globals.inc.
Only iterate items if it is an array.
Revert broken OPT interface removal commit. This breaks configurations entirely, worse than just improperly shifting configuration items.
Ticket #1532
change label to more accurately portray purpose of rule
The original code did a mixed work: the part in interfaces_assign.php first renamed the interfaces, and then called cleanup_opt_interfaces_after_removal(). The latter didn't do anything at all: it never entered the loop, it didn't save the result of str_replace, it didn't save the resulting config after the processing. And if it had worked, it would have renamed the interfaces a second time as a side effect, completely messing up the config....
globals.inc is required so that we use the correct lock file!
If /etc/pwd.db.tmp exists when we are syncing the password database then remove the temporary file prior to attempting to sync.
Don't forget line breaks!
Correctly remove old clients.
Submitted to m0n0wall list by R?nnblom Jan?ke /Teknous
Define lanip
Set server.max-request-size to 384 for captive portal.
Limit captive portal uploads to /tmp/captiveportal which has no access to write files.
Allow pfsync and carp traffic on captive portal.
MFC from HEAD
Set dhclient timeout to 1200. Set retry value to 1. Set select-timeout to 0. Set initial-interval to 1.
Sometimes when the user enters the hostname of the HTTPs captive portal server it resolves the IP address to $LANIP. Allow access to $LANIP in addition to the $CPIP so that we can speedup captive portal by 10000* in these cases.
Move update bogons script to 3am.
Discussed on pfSense-support@
Log when we change the bogons frequency hour.
Move special case fixes before we return so that it can be processed.
Change bogons update script frequency to 2am.
Failover in 10 seconds as opposed to 60 seconds on DHCP Server failover mode.
IPSEC keep alive pinger using the wrong source IP address
Ticket #1482
fix setting of sysctls to remove error at bootup
multiple vlans + spoofmac result in unexpected behaviour
Ticket #1514
Introduction
I have an acceptable workaround, so the problem is not urgent, but before I figured out the workaround, it was severely impacting performance (3 interfaces not operating). I am a network specialist and I am available to assist wherever possible. If the issue is considered serious enough for a fix, I can assist in more detailed pinpointing using tcpdumps on test-platforms....
Adding keep alive host to IPsec causes warning in webGUI
Ticket #1509
MFC Ticket 1709: fixed typo in OpenVPN cfg-page
Ticket #1482 - set the source to an interface that is inside the subnet definition
Remove blank c/r
Allow the interface assignment code to exit from its strict checking. This allows Netboot installation services to work correctly.
MFC of [19631] for Ticket #1456
drop one level of verbosity in tcpdump. Some protocols will still decode to multi-line message - not an easy fix. Doesn't appear to break non-raw log display
Add VRRP as a protocol type in the decode
Correctly set reflection timeout for all protocols.
MFC RELENG_1. Make it possible to disable RRD graphs. Bump config so it's on by default if it wasn't already.
Sync NATT support from m0n0wall
- move upnp_action to services.inc
- make sure to clear rules when stopping miniupnpd
- fix status_upnp and status_services pages so they use upnp_action and not the rcfile
Correct average times, otherwise the graph stops after 8 months.
Oops, correct path to binaries
CAPS kills. Literally. Do not set the description to upper case LAN when we are looking for lower case.
Kill off old pftpx processes correctly
MFC IPSEC fixes from seth, this should properly reload and handle large configs > 300 tunnels.
Use $lanif for lan anti-lockout rule
Missed commit
Escape $lan correctly
Do not use $iface as source or destination as it may be a member of a bridge without an ip address and pfctl will complain.
Since we are matching traffic on incoming interface, do not link wan or lan to bridgeX
Only pass anti-lockout traffic on $lan
Cleanup IPSEC rules. We were blocking port = 500 UDP on CARP interfaces, for one.
Be more verbose on logging so that we can correctly determine protocol, etc.
Ticket #1348