Netgate Discussion Forum

    Restrict access to site-to-site VPN tunnel

    IPsec
    2 Posts, 2 Posters, 3.0k Views
    TommyZG

      Hello, everyone,
      First off, thanks to everyone involved in developing such a great product and keeping it free.

      We have an idea, but we're not sure it's supported. Also, we searched the forum and wiki, but there is no mention of this kind of filtering.
      We would like to establish a site-to-site VPN between the main office and a branch office, but allow access to the tunnel only for certain clients in the branch office, either based on MAC address or certificate, because they're in the same subnet as other employees. Is this setup supported in pfSense? We can add more subnets at each site if it helps. The diagram is classic:

      Main office (resources) <---> Internet <---> Branch office (VPN clients and other employees)

      Currently, branch office clients that are allowed access connect through client VPN, but need to do it every time they disconnect from the network or reboot their laptops. A tunnel would solve this, but then anyone from the branch office site would be able to access the tunnel and the main office subnet. Granted, they would still need a username/password to access certain resources, but a malicious user could try to break in. We would like to avoid that.

      Thank you!
      Tomislav

      spiritbreaker

        Hi,

        You can't use MAC filtering in firewall rules. Only Captive Portal is MAC-filter aware.

        In your environment you need to get the employees into a range you can use for filter rules.

        1. method - easy way

        e.g. clients that need to reach main office resources

        Static IP or DHCP with reservation within e.g. 192.168.1.100 - 192.168.1.150

        -> create a Firewall Alias (IP Range)
        -> then allow the alias to pass traffic to your main office.

        This solution doesn't prevent users from changing their IP and getting access to the main office. So you need to restrict users so that they cannot change their IP address.

        2. method - hard way - higher administrative effort

        Use VLANs and get the special employees into another subnet.
        This requires VLAN-aware network devices and LAN adapters on the client side.

        Alternatively you can use port-based VLANs if only your switches support VLANs. Use an additional DHCP with MAC-to-IP assignments (reservations) -> only special employees get an IP address, others get nothing on a network port that belongs to the special subnet. But then you need to make sure the special employees always use the same network socket to reach the main office.

        -> configure pfSense with VLANs (set up a VLAN trunk to the network switch) or use a second network port on pfSense for the VLAN that is allowed to reach the main office
        -> create a rule for the VLAN subnet to pass traffic to the main office

        cya

        pfSense running at 11 locations
        - mobile OpenVPN and IPsec
        - multi-WAN failover
        - filtering proxy (SquidGuard) in bridge mode with ntop monitoring

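An added illustration of method 1 above, not code from the poster or from pfSense: pfSense loads an IP-range alias into a pf table as CIDR blocks, and rules are evaluated top-down with the first match winning. The main-office subnet 10.0.0.0/24 is a constructed placeholder, since the thread never names it; the range-to-CIDR expansion uses Python's ipaddress module.

```python
"""Model of the 'easy way': an IP-range alias expanded into the CIDR blocks a pf
table holds, plus first-match evaluation of the two rules on the branch LAN."""
import ipaddress

# Range quoted in the reply; pfSense turns a range alias into CIDR table entries.
ALLOWED_RANGE = ("192.168.1.100", "192.168.1.150")
# Constructed placeholder: the thread never names the main-office subnet.
MAIN_OFFICE = ipaddress.ip_network("10.0.0.0/24")


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Return the minimal list of CIDR blocks covering first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


# Ordered ruleset on the LAN interface: (action, source networks, destination).
# Rule 1 passes the alias to the main office; rule 2 blocks everyone else to it.
# Traffic to other destinations falls through to whatever rules follow.
RULESET = [
    ("pass", [ipaddress.ip_network(c) for c in range_to_cidrs(*ALLOWED_RANGE)],
     MAIN_OFFICE),
    ("block", [ipaddress.ip_network("0.0.0.0/0")], MAIN_OFFICE),
]


def evaluate(src: str, dst: str) -> str:
    """Return the first matching action for a flow, or 'default' if none matches.

    Note the caveat from the reply: the match is on source address only, so a
    host that sets its own address inside the range passes just like a reserved
    client. Locking down address changes (or VLANs) is what closes that gap.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sources, dest in RULESET:
        if d in dest and any(s in net for net in sources):
            return action
    return "default"


if __name__ == "__main__":
    print("table entries:", range_to_cidrs(*ALLOWED_RANGE))
    for flow in [("192.168.1.120", "10.0.0.5"), ("192.168.1.20", "10.0.0.5"),
                 ("192.168.1.20", "8.8.8.8")]:
        print(flow, "->", evaluate(*flow))
```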
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.