Netgate Discussion Forum
    [GUIDE] IKEv2/IPSec, Per user firewall rule settings with FreeRADIUS

    PFbest

      Just found this way to set per user rules, probably someone already discovered it, but there seems to be no post regarding this, so hopefully it can help someone.

      1. Follow the "IKEv2 with EAP-MSCHAPv2" guide https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2 from pfSense to create a working IKEv2/IPsec VPN server first.
      2. Install Freeradius2 on pfSense.
      3. Once tested and working, some changes need to be made so that the IKEv2/IPsec VPN will use RADIUS to authenticate clients instead of the local database. (Google some pfSense FreeRADIUS configuration guide.)


      Assume IKEv2/IPsec is working with FreeRADIUS.

      Configure per user rules.
      Create user1 and user2: user1 will have access to the internal LAN and the internet, user2 will only have internet access, not internal LAN access.
      In a real world case, user1 can be the pfSense owner/administrator, user2 can be friends you want to give VPN access.

      1. Create user1 and user2 in Services -> FreeRADIUS -> Users.
      user1
      Put Username: user1, Password: password, IP Address: 10.1.2.1, Subnet Mask: 255.255.255.0, Gateway: 0.0.0.0/0 192.168.0.1 1
      0.0.0.0/0 "Gateway address here (address of the pfSense box, not the external gateway)" 1
      Save

      user2
      Put Username: user2, Password: password, IP Address: 10.1.3.1, Subnet Mask: 255.255.255.0, Gateway: 0.0.0.0/0 192.168.0.1 1
      0.0.0.0/0 "Gateway address here (address of the pfSense box, not the external gateway)" 1
      Save

      Now, when user1 logs in, virtual IP address 10.1.2.1 will be assigned. When user2 logs in, virtual IP address 10.1.3.1 will be assigned.

      2. Give internet access to the two users: System -> Routing -> Static Routes
      Add two different new static routes for VPN clients user1 and user2 to use, so that both clients can have internet access through the pfSense box.

      Static Route1
      Destination network: 10.1.2.0/24
      Gateway: WAN_PPPOE - xxx.xxx.xxx.xxx (Your pfSense gateway, the one you use to get internet access)
      Save

      Static Route2
      Destination network: 10.1.3.0/24
      Gateway: WAN_PPPOE - xxx.xxx.xxx.xxx (Your pfSense gateway, the one you use to get internet access)
      Save

      3. Create firewall rules: Firewall -> Rules -> IPsec
      Create a DNS rule: Action: Pass, Interface: IPsec, Address Family: IPv4, Protocol: TCP/UDP, Source: Any, Destination: This firewall (self), Destination Port Range: From 53 to 53.
      Save

      Create a block rule so that user2 won't be able to access our LAN: Action: Reject, Interface: IPsec, Address Family: IPv4, Protocol: Any, Source: Network 10.1.3.0/24, Destination: LAN net.
      Save

      Create a rule allowing other traffic (internet etc.): Action: Pass, Interface: IPsec, Address Family: IPv4, Protocol: Any, Source: Any, Destination: Any
      Save


      Now user1 will have full access, LAN and internet; user2 will have internet access only, no LAN access.
      To create more accounts for friends, just use the same steps from step 1; assigning them IPs from the range 10.1.3.2 to 10.1.3.254 will be fine.


      Notes:
      If you find this post useful please comment or click on the Thank you button, or do both :)
      If you think it can be improved please share your comments.

      Future work:
      If you know how to configure FreeRADIUS to assign IP addresses dynamically via DHCP etc. to specific users, please share your comments.

      Thanks

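As an added example (not from the original post), a small Python model of the three IPsec-interface rules from step 3, evaluated top-down, first match wins, the way pfSense processes interface rules. It checks that the 10.1.3.0/24 pool for user2 still reaches DNS on the firewall but not the LAN, and that the Reject rule only protects the LAN when it sits above the pass-any rule. It assumes the pfSense box is 192.168.0.1 and "LAN net" is 192.168.0.0/24, which the post does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Assumptions (not stated in the post): the pfSense box is 192.168.0.1 and
# "LAN net" is 192.168.0.0/24, matching the gateway address used in the guide.
SELF_IP = ipaddress.ip_network("192.168.0.1/32")
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
USER2_NET = ipaddress.ip_network("10.1.3.0/24")   # virtual IP pool for friends (user2)


@dataclass
class Rule:
    """One IPsec-interface rule; None in a field means 'any'."""
    action: str                                   # "pass" or "reject"
    proto: Optional[Set[str]] = None              # e.g. {"tcp", "udp"}
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None

    def matches(self, proto, src, dst, dport):
        return ((self.proto is None or proto in self.proto)
                and (self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst)
                and (self.dport is None or dport == self.dport))


# The three rules from step 3, in the order the guide creates them.
GUIDE_RULES = [
    Rule("pass", proto={"tcp", "udp"}, dst=SELF_IP, dport=53),  # DNS to the firewall itself
    Rule("reject", src=USER2_NET, dst=LAN_NET),                  # user2 pool -> LAN net
    Rule("pass"),                                                # everything else (internet)
]


def evaluate(rules, proto, src, dst, dport=None):
    """pfSense interface semantics: top-down, first match wins, otherwise default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "block"


if __name__ == "__main__":
    # Constructed sample flows: (proto, source, destination, dport)
    for flow in [("udp", "10.1.3.5", "192.168.0.1", 53),       # user2 DNS -> pass
                 ("tcp", "10.1.3.5", "192.168.0.10", 445),     # user2 -> LAN host -> reject
                 ("tcp", "10.1.2.1", "192.168.0.10", 445),     # user1 -> LAN host -> pass
                 ("tcp", "10.1.3.254", "203.0.113.10", 443)]:  # user2 -> internet -> pass
        print(flow, "->", evaluate(GUIDE_RULES, *flow))
```

Reversing the list (pass-any on top) lets the user2 pool reach the LAN, which is why the Reject rule must stay above the catch-all in the IPsec tab.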
      lilhater27

        @pfbest

        This is amazing! Thank you so much, it works really well.
