Netgate Discussion Forum
    Weird gap in firewall rules for foster home

    peterwilson_69 (last edited by peterwilson_69)

      I want different rules for different kids in my foster home (I'm the parent). Different schedules, different speeds per child (I also want to report on each child's bandwidth).

      Now I can achieve this by filtering MAC addresses on the DHCP Server - which is trivial and working well, but...

      This sucks right? Wouldn't it be better to authenticate a child/user on Radius credentials and then steer them through the firewall rules (and SquidGuard) with this? I can't see any way of doing this. Help?

      If the firewall Alias field accepted Usernames and User Groups (i.e. Kids-authenticated-by-FreeRadius) then my problems would be solved.

      jimp (Rebel Alliance Developer, Netgate) @peterwilson_69

        @peterwilson_69 said in Weird gap in firewall rules for foster home:

        Wouldn't it be better to authenticate a child/user on Radius credentials and then steer them through the firewall rules (and SquidGuard) with this?

        That would be 802.1X and that is entirely up to your layer 2 -- the AP or switch. That's why you don't see it on the firewall. By the time the traffic hits the firewall, it's too late to make that kind of decision.

        Depending on your switch/AP you could drop each person's login into their own VLAN, which would have its own set of rules and other settings on pfSense. Then no matter what they log in using (laptop, phone, tablet, etc.) it would have the same restrictions.

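        As an added illustration of the dynamic-VLAN approach described in the reply above (this is not from the thread, nor Netgate's or the FreeRADIUS project's own configuration), here is what the RADIUS side looks like in FreeRADIUS users-file syntax. The usernames, passwords and VLAN IDs are made up; the three attribute names are the standard RFC 2868/3580 tunnel attributes that an 802.1X-capable switch or AP reads from the Access-Accept to place the authenticated client into a VLAN. pfSense never sees the username, only tagged VLAN traffic, so each VLAN gets its own interface, rules, schedule and limiter on the firewall.

```text
# FreeRADIUS "users" file entries (constructed example, not a real deployment).
# Each child's credentials map to exactly one VLAN. The switch/AP applies the
# VLAN when 802.1X authentication succeeds; pfSense then applies whatever
# rules, schedule and limiter are bound to that VLAN interface.

kid_alice   Cleartext-Password := "example-only-change-me"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "10"

kid_bob     Cleartext-Password := "example-only-change-me"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = "20"

# Explicitly reject any username not listed above, so an unknown account can
# never end up on a VLAN by accident.
DEFAULT     Auth-Type := Reject
```

        Two things to check once this is in place: the switch or AP must be configured as an 802.1X authenticator that honours RADIUS-assigned VLANs (vendors name this feature differently), and the port facing pfSense must carry VLANs 10 and 20 tagged, otherwise the per-VLAN rules on the firewall never see any traffic. Cleartext-Password is shown because the common 802.1X method for home clients (PEAP with MSCHAPv2) cannot verify a hashed password; keep the users file readable only by the RADIUS service.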
        peterwilson_69 @jimp

          @jimp This is a very well thought out answer - thank you. I feel like an idiot for not realizing RADIUS was layer 2. Thank you.

          peterwilson_69 @peterwilson_69

            @peterwilson_69 For anyone else reading this post, I also had to update my switch settings to accept tagged (VLAN) traffic on the relevant ports of my switch.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.