*** Note: Please add new entries to the top of this file. ***
-------------------------------------------------------------------------------
+- added "disable port mapping" option to advanced outbound NAT (helps with certain IPsec
+ VPN gateways that insist on the IKE source port being 500) (mkasper)
+
+- updated PHP to 4.4.2 (mkasper)
+
+- updated ipsec-tools to 0.6.5 (fixes problem with /32 subnets) (mkasper)
+
- added option to System: Advanced page to allow IPsec/ESP-encrypted IP fragments to be passed (mkasper)
- added DHCP/interface route fix for UK ADSL half-bridge modems (DSL-300T, X-modem) (mkasper)
</destination>
<target>xxx.xxx.xxx.xxx</target>
<descr></descr>
+ <noportmap/>
</rule>
</advancedoutbound>
-->
return mwexec("/sbin/ipf -FS");
}
-function filter_nat_rules_generate_if($if, $src, $dst, $target) {
+function filter_nat_rules_generate_if($if, $src, $dst, $target, $portmap = true) {
if ($target)
$tgt = $target . "/32";
else
$tgt = "0/32";
-
- $natrule = <<<EOD
-map $if $src $dst -> {$tgt} proxy port ftp ftp/tcp
-map $if $src $dst -> {$tgt} portmap tcp/udp auto
-map $if $src $dst -> {$tgt}
-
-EOD;
-
+
+ $natrule = "map $if $src $dst -> {$tgt} proxy port ftp ftp/tcp\n";
+
+ if ($portmap)
+ $natrule .= "map $if $src $dst -> {$tgt} portmap tcp/udp auto\n";
+
+ $natrule .= "map $if $src $dst -> {$tgt}\n";
+
return $natrule;
}
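Review bot: The new `$portmap` parameter on the signature at line 22 is undocumented, and the function's contract — the `portmap tcp/udp auto` rule is omitted when `$portmap` is false, while the ftp proxy rule at line 36 and the plain map at line 41 are always emitted — is only recoverable by reading the body. A header comment such as `/* Build the ipf map rules for one advanced outbound NAT entry. $portmap=false drops the "portmap tcp/udp auto" rule so source ports are preserved; the ftp proxy rule and the plain map rule are emitted regardless. */` would make that explicit for callers that pass `!isset($obent['noportmap'])`. Since `$if`, `$src`, `$dst` and `$tgt` are interpolated verbatim into rule text handed to ipf, the comment should also state that callers must pass already-validated interface and address strings; this was equally true of the removed heredoc, so it is a documentation point rather than a regression.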
$natif = $config['interfaces'][$obent['interface']]['if'];
$natrules .= filter_nat_rules_generate_if($natif, $src, $dst,
- $obent['target']);
+ $obent['target'], !isset($obent['noportmap']));
}
}
} else {
<td width="5%" class="list"></td>
</tr>
<?php $i = 0; foreach ($a_out as $natent): ?>
- <tr>
+ <tr valign="top">
<td class="listlr">
<?php
if (!$natent['interface'] || ($natent['interface'] == "wan"))
echo "*";
else
echo $natent['target'];
+
+ if (isset($natent['noportmap']))
+ echo "<br>(no portmap)";
?>
</td>
<td class="listbg">
if (!$pconfig['interface'])
$pconfig['interface'] = "wan";
$pconfig['descr'] = $a_out[$id]['descr'];
+ $pconfig['noportmap'] = isset($a_out[$id]['noportmap']);
} else {
$pconfig['source_subnet'] = 24;
$pconfig['destination'] = "any";
$pconfig['destination_subnet'] = 24;
$pconfig['interface'] = "wan";
+ $pconfig['noportmap'] = false;
}
if ($_POST) {
$natent['descr'] = $_POST['descr'];
$natent['target'] = $_POST['target'];
$natent['interface'] = $_POST['interface'];
+ $natent['noportmap'] = $_POST['noportmap'] ? true : false;
if ($ext == "any")
$natent['destination']['any'] = true;
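Review bot: The write on line 84 stores `false` when the checkbox is unchecked, but every reader added by this commit keys on presence rather than value — `!isset($obent['noportmap'])` in the rule generator call, `isset($natent['noportmap'])` in the list page, `isset($a_out[$id]['noportmap'])` in the edit page — and `isset()` is true for a `false` value. Unless the config serializer drops false-valued keys on save (not visible here), unchecking the box therefore does not re-enable port mapping, at least for the in-memory config used in the same request. Storing by presence, matching the `<noportmap/>` empty element in the example config, removes that dependency: `if (isset($_POST['noportmap'])) $natent['noportmap'] = true; else unset($natent['noportmap']);`. Reading `$_POST['noportmap']` directly also raises an undefined-index notice when the box is unchecked, which the `isset()` form avoids. The enclosing `if ($_POST)` block starts and ends outside the hunk.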
<br>
<span class="vexpl">Packets matching this rule will be mapped to the IP address given here. Leave blank to use the selected interface's IP address.</span></td>
</tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Portmap</td>
+ <td width="78%" class="vtable">
+ <input name="noportmap" type="checkbox" id="noportmap" value="1" <?php if ($pconfig['noportmap']) echo "checked"; ?>> <strong>Disable port mapping</strong>
+ <br>
+ <span class="vexpl">This option disables remapping of the source port number for outbound packets. This may help with software
+ that insists on the source ports being left unchanged when applying NAT (such as some IPsec VPN gateways). However,
+ with this option enabled, two clients behind NAT cannot communicate with the same server at the same time using the
+ same source ports.</span></td>
+ </tr>
<tr>
<td width="22%" valign="top" class="vncell">Description</td>
<td width="78%" class="vtable">