User-based access to different subnets
-
Hello,
I have a new pfSense box with multiple network interfaces corresponding to different groups of users. For example, group A needs to access interface/subnet A and group B needs to access interface/subnet B. I'm looking for the most elegant way to implement this and what I have come up with on my own seems inelegant. All I have so far is to create multiple OpenVPN servers running on different ports (e.g. 1194, 1195, etc.) and assign each group of users to a separate OpenVPN server. That would allow me to assign a unique OpenVPN client subnet to each group and then control access via firewall rules to the corresponding interface/subnets mentioned above.
My preference is to run a single OpenVPN server and control network access by users and/or user groups. Is that possible? Can you point me in the right direction or suggest another solution?
Thank you,
cdunbar
-
So these are remote users?
So you can set up VPN user A to get IP address X, you set up user B to get IP address Y... You then, in your rules, allow X to get to what it needs, and Y to get to what it needs.
There is no real reason to run multiple instances - but that might be easier if all users need the same sort of access and there is no bleed-over where user A might need part of what user B has access to.
-
Thank you for the reply. I think I understand what you suggested, but managing individual IPs and firewall rules wouldn't scale very well. I'll potentially have 15+ users in each group and that would be a mess to keep up with.
I just discovered Client Specific Overrides and it looks like it could do what I am looking for. However, it seems to also be too granular (i.e. one override per unique user) and I'm not sure if I can use it for a group of users. Any experience with this?
Thank you,
cdunbar
-
With CSO you can bind a fixed IP to each of your VPN RAS Users.
After that you could group your users with aliases via the IP and use the alias in firewall rules.
-Rico
-
For posterity...
I decided to set up a separate OpenVPN server for each group of users. In the end it was the cleanest way to differentiate between the groups by assigning a unique subnet to each instance of OpenVPN. Client Specific Overrides is an interesting feature and might have allowed a portion of what I was looking for, but did not offer a complete solution.
Thank you,
cdunbar
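The per-user-address approach Rico describes (fixed tunnel address per client, grouped into a firewall alias) only scales if the address assignment is generated rather than typed in. The script below is an added example, not from this thread or from pfSense: it takes a group-to-user mapping, carves one contiguous slice of a single tunnel network per group, emits the plain OpenVPN client-config-dir entry (`ifconfig-push`, which is what a client-specific override amounts to) for each user, and produces the address list for each group's alias. The tunnel network, group slices, user names and `topology subnet` are all assumed for illustration.

```python
"""Pin every VPN user of a group to an address slice of one tunnel network, so one
OpenVPN server can serve all groups and firewall rules can match per-group aliases.
Assumes a single server with `topology subnet`; every name and range here is constructed."""
import ipaddress
from pathlib import Path

TUNNEL = ipaddress.ip_network("10.8.0.0/24")  # assumed tunnel network of the single server

# Assumed layout: each group owns a contiguous, non-overlapping slice of TUNNEL.
GROUPS = {
    "groupA": {"users": ["alice", "bob", "carol"], "first": "10.8.0.10", "last": "10.8.0.99"},
    "groupB": {"users": ["dave", "erin"], "first": "10.8.0.100", "last": "10.8.0.189"},
}


def assign_addresses(groups, tunnel):
    """Return {user: (group, ip)} with each user pinned to an address in its group's slice.
    Raises ValueError for a slice outside the tunnel, overlapping slices, a user listed in
    two groups, or a slice that runs out of addresses (each is a real mistake to catch)."""
    assigned, slices = {}, []
    for name, spec in groups.items():
        first, last = ipaddress.ip_address(spec["first"]), ipaddress.ip_address(spec["last"])
        if first not in tunnel or last not in tunnel or first > last:
            raise ValueError(f"{name}: range {first}-{last} is not inside {tunnel}")
        if any(not (last < lo or first > hi) for lo, hi in slices):
            raise ValueError(f"{name}: range {first}-{last} overlaps another group's slice")
        slices.append((first, last))
        cur = first
        for user in spec["users"]:
            if user in assigned:
                raise ValueError(f"{user} appears in more than one group")
            if cur > last:
                raise ValueError(f"{name}: address slice exhausted at user {user}")
            assigned[user] = (name, cur)
            cur += 1
    return assigned


def cso_line(ip, tunnel):
    """Client-config-dir content for one user under `topology subnet`: pin its address."""
    return f"ifconfig-push {ip} {tunnel.netmask}\n"


def write_ccd(assigned, ccd_dir):
    """Write one file per user, named after the client certificate CN, into client-config-dir."""
    ccd = Path(ccd_dir)
    ccd.mkdir(parents=True, exist_ok=True)
    for user, (_, ip) in assigned.items():
        (ccd / user).write_text(cso_line(ip, TUNNEL))


def group_aliases(assigned):
    """Per-group address lists: the members of the firewall alias that each group's rules match."""
    aliases = {}
    for _, (group, ip) in assigned.items():
        aliases.setdefault(group, []).append(str(ip))
    return aliases
```

Firewall rules on the OpenVPN interface then allow each group alias to its own subnet and nothing else; a user moved between groups only needs a regenerated entry, not a rule change.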