Allow outgoing traffic based on Active Directory group
-
Hi,
I have a 2.7.0 pfSense installation in front of my network. It has two interfaces, one facing the internet, another facing the internal network.
On the internal network we have three types of users: the ones that cannot have outgoing traffic, the ones that can have traffic only to some sites, and the ones that have free traffic to the outside world.
We need to configure, if it's possible with pfSense, three firewall rules (don't know if this is solved using firewall rules, or any other module or plugin) for those three groups.
Those groups are defined on the Active Directory we have to manage our users.
Is there any documentation, or something I can use for this configuration?
Thanks a lot in advance for your time and attention.
Best regards,
HeCSa.
-
There is this option with RADIUS: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/client-parameters-radius.html.
It's not as friendly and seamless as some of the options from the big commercial firewall vendors, but it can work.
Here is an older thread about per-user firewall rules from 2017: https://forum.netgate.com/topic/114627/user-based-firewall-rules.
The short answer here is that pfSense cannot natively control firewall rules on a per-user basis as it is totally unaware of user ID (except for someone logging directly into the firewall via SSH or the web GUI management interface). pfSense works from IP addresses. The solutions mentioned above use the features of a third-party software package to first segregate users into small IP subnets (VPNs), and then pfSense filters as usual based on those VPN IP addresses (meaning pfSense is still filtering by IP address and not user IDs).
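To make the mechanism in this answer concrete, here is a small model (added illustration, not pfSense code or anything from the linked docs) of the "RADIUS puts each AD group into its own VPN subnet, then the firewall filters by source IP" approach. The group names, tunnel subnets, allowed destination and sample addresses are all constructed; the rule list is evaluated first-match, the way an interface ruleset is, with an implicit default deny at the end.

```python
"""Model of per-group VPN subnets plus IP-based firewall rules.

Constructed example: AD groups are mapped to tunnel subnets (the part a
RADIUS reply such as Framed-IP-Address would do), and the firewall then
decides purely on source/destination IP, never on the user identity.
"""
import ipaddress

# Constructed: AD group -> tunnel subnet handed out to members of that group.
GROUP_SUBNETS = {
    "NoInternet": ipaddress.ip_network("10.8.1.0/24"),
    "RestrictedInternet": ipaddress.ip_network("10.8.2.0/24"),
    "FullInternet": ipaddress.ip_network("10.8.3.0/24"),
}

# Constructed: destinations the restricted group is allowed to reach
# (TEST-NET-3 documentation range used as a placeholder).
ALLOWED_SITES = [ipaddress.ip_network("203.0.113.0/24")]

# Firewall rules as (source network, destination network or None=any, action),
# evaluated top to bottom, first match wins.
RULES = [
    (GROUP_SUBNETS["FullInternet"], None, "pass"),
    *[(GROUP_SUBNETS["RestrictedInternet"], site, "pass") for site in ALLOWED_SITES],
    (GROUP_SUBNETS["RestrictedInternet"], None, "block"),
    (GROUP_SUBNETS["NoInternet"], None, "block"),
    # No catch-all rule here: anything unmatched falls to the default deny below.
]


def assign_address(group: str, index: int) -> ipaddress.IPv4Address:
    """Return the index-th usable host of the group's tunnel subnet.

    Stands in for the address RADIUS would assign at VPN login; the
    firewall only ever sees this address, not the AD group.
    """
    hosts = list(GROUP_SUBNETS[group].hosts())
    return hosts[index]


def evaluate(src: str, dst: str) -> str:
    """Apply the ruleset to one flow and return 'pass' or 'block'."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for src_net, dst_net, action in RULES:
        if src_ip in src_net and (dst_net is None or dst_ip in dst_net):
            return action
    # Implicit default deny: a client that somehow got an address outside
    # the group pools matches no rule and is blocked rather than allowed.
    return "block"


if __name__ == "__main__":
    for group in GROUP_SUBNETS:
        client = str(assign_address(group, 0))
        print(group, client, "->", evaluate(client, "198.51.100.7"))
```

The point the model makes is the one in the reply: every policy decision is keyed on an address, so the scheme is only as strong as the guarantee that a user really lands in their group's subnet. A default deny for addresses outside the known pools is what keeps a mis-assigned or fallback-pool client from silently inheriting full access.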
-
@bmeeks
Hi,
First of all, thanks a lot for your answer!
I was reading the links you gave me carefully. It looks a bit messy to have RADIUS, then provide some parameters to the clients when they connect to the network and try to, for example, browse the web.
I'm thinking about configuring a transparent proxy integrated with AD, and then controlling, for example, navigation rules from there. What do you think about this idea? It could be a solution for this kind of situation, right?
Thanks again, and best regards,
HeCSa.
-
@hecsa said in Allow outgoing traffic based on Active Directory group:
I'm thinking about configuring a transparent proxy integrated with AD, and then controlling, for example, navigation rules from there. What do you think about this idea? It could be a solution for this kind of situation, right?
Possibly, but this is not an area in pfSense where I have any experience. I did something similar to this many years ago with Checkpoint firewalls, but have never investigated this with pfSense.
I did, at one time, have an AD/RADIUS authentication setup for my OpenVPN access into my home network. But my ISP eventually moved me over to CGNAT (carrier-grade NAT), and that ended my easy VPN access directly into my home network so I dismantled the Active Directory/RADIUS setup.
I would suggest setting up a pfSense instance in a virtual environment and experimenting with some of the options. Pretty easy to do in something like VMware or Proxmox (or even Hyper-V).
-
@bmeeks said in Allow outgoing traffic based on Active Directory group:
I would suggest setting up a pfSense instance in a virtual environment and experimenting with some of the options. Pretty easy to do in something like VMware or Proxmox (or even Hyper-V).
Yes, this is exactly my plan. I installed a 2.7.0 pfSense, a 2012 R2 Domain Controller, and two W10 virtual machines in my lab, just to test everything before touching the production environment.
Thanks, and best regards,
HeCSa.