Firewalling openvpn clients based on radius

  • Question and I am open to any suggestion on a better way to accomplish this.

    I am trying to find the best way to isolate VPN clients to specific networks based on something like Radius or ldap. Is it possible to push firewall rules to pfsense based on Radius auth?

    Basically something like this.

    User1 = VLAN10, 10.10.0.xx/24
    User2 = VLAN20, 10.20.0.xx/24
    User3 = VLAN30, 10.30.0.xx/24 & VLAN20, 10.20.0.xx/24

    I know I can push specific routes to accomplish something close to this, but I'd like to push firewall rules or something.


  • I found on the features list it supports inACL and outACL but cannot locate any documentation. This sounds like what I am looking for I believe.


  • The inacl/outacl support is there and it uses cisco-style ACL syntax (e.g. "permit tcp from any to any"). It's documented in the book but I don't think it's written up anywhere else pfSense-specific that's public.

    The syntax should be the same as anything else that does inacl/outacl via RADIUS replies, so you can probably find some more general documentation that isn't specifically about pfSense, but should still work.
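    As an added illustration (not from this thread or from the pfSense project), here is how the per-user mapping from the first post would look as FreeRADIUS `users` file entries that return ACLs in RADIUS Access-Accept replies. It assumes the common Cisco convention of carrying the ACL in the `Cisco-AVPair` vendor attribute with an `ip:inacl#N=` prefix and Cisco extended-ACL syntax (wildcard masks); whether pfSense accepts exactly this grammar or the `from ... to ...` form quoted above is an assumption to confirm against the pfSense documentation mentioned in the reply. The user names, passwords and the closing `deny ip any any` line are constructed for the example; the explicit deny is there so each user is limited to the listed networks rather than relying on any implicit default.

    ```text
    # Constructed FreeRADIUS "users" entries (example only, not pfSense project code).
    # One Cisco-AVPair per ACL line; "+=" lets a reply carry several of them.

    user1   Cleartext-Password := "example-only"
            Cisco-AVPair += "ip:inacl#1=permit ip any 10.10.0.0 0.0.0.255",
            Cisco-AVPair += "ip:inacl#2=deny ip any any"

    user2   Cleartext-Password := "example-only"
            Cisco-AVPair += "ip:inacl#1=permit ip any 10.20.0.0 0.0.0.255",
            Cisco-AVPair += "ip:inacl#2=deny ip any any"

    # user3 may reach both VLAN30 and VLAN20, so two permits precede the deny.
    user3   Cleartext-Password := "example-only"
            Cisco-AVPair += "ip:inacl#1=permit ip any 10.30.0.0 0.0.0.255",
            Cisco-AVPair += "ip:inacl#2=permit ip any 10.20.0.0 0.0.0.255",
            Cisco-AVPair += "ip:inacl#3=deny ip any any"
    ```

    Because the ACL travels in the Access-Accept, the VPN server enforces it per session, so a user still only gets the networks their RADIUS entry lists even if they pick a different source address; when testing, check the reply attributes with `radtest` (or by inspecting the RADIUS reply in the server log) before trusting that the rules were applied.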

