Access restrictions and authentication (AD/VLAN)



  • Hello!

    In a virtual environment with two pfSense routers (connected through a Site-to-Site OpenVPN connection) I would like to:

    • Put servers and workstation both in their own VLAN in pfSense.

    • Keep the connection with the Active Directory server and workstations after they are separated with VLANs.

    • Give different usergroups access to different servers. Some servers need to be accessed by multiple groups.

    • Let users who use their laptops (which are not joined to the AD domain) authenticate with a username and password, and put them in the right VLAN based on their details. The user also needs to be able to access the right servers that belong to his group. I probably need to use Network Port Security, but I don't know how yet.

    All I'm hoping for is a push in the right direction. I simply don't know what to look for and everything I've found doesn't fit these points. A few simple keywords or functions for the mentioned things would already help me out!



  • A bit more explanation for if it's needed:

    We're building a test network for a company.

    The company has two locations, which are connected through a Site-to-Site OpenVPN connection. There are also workplaces within these locations where employees can connect their own laptops. We're planning on making three VLANs: for the servers, the company workstations and the workplaces for laptops.

    There are four servers in the network and different departments who all need to be able to connect to their own servers. Besides that, some servers also need to be accessed by multiple departments, to make it more difficult. The servers and workstations are all joined to an Active Directory domain server, and we can probably restrict VLAN/server access there. The laptops that employees bring from home are not connected to the domain. On these laptops, we need to authenticate users with an AD username and password in some way, and make sure they get into the right VLAN and have access to the right servers that belong to their departments.

    What we also don't know is how we are going to keep the connection with the AD server after we split the servers and clients into different VLANs, but we think we can route that in the router just like normal separate networks would need.

    We already set up a virtual environment that has two pfSense routers which are connected through a working Site-to-Site VPN and a Windows 2016 Domain Controller with all clients and servers joined to the domain.

    We're trying to learn, but would like some help. Thanks!



  • Use different subnets first.

    10.0.1.0/24 for servers for example
    192.168.1.0/24 for client workstations.

    Only open up ports between 10.0.1.0/24 and 192.168.1.0/24 that are required for communication between the clients and the applications on the servers.

    You'll need a layer 2/3 switch at each location to manage your VLANs and/or the subnets.
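    As an added illustration (not part of the reply above, and not a pfSense tool), the script below models the "only open up the ports that are required" advice as a first-match, default-deny rule list between the two subnets named above and checks a few constructed flows against it. The Active Directory port numbers in the allow rules are assumptions chosen for the example.

```python
# Added example: first-match, default-deny policy check for the layout
# suggested above (servers 10.0.1.0/24, clients 192.168.1.0/24).
# AD service ports below are assumptions for illustration only.
from ipaddress import ip_address, ip_network

SERVERS = ip_network("10.0.1.0/24")
CLIENTS = ip_network("192.168.1.0/24")

# (action, source net, destination net, protocol, allowed ports or None).
# Evaluated top-down; first match wins; no match falls through to block.
RULES = [
    # Assumed AD ports: DNS 53, Kerberos 88, RPC mapper 135, LDAP 389, SMB 445
    ("pass", CLIENTS, SERVERS, "tcp", {53, 88, 135, 389, 445}),
    ("pass", CLIENTS, SERVERS, "udp", {53, 88, 123}),
    # Servers never initiate connections into the client subnet
    ("block", SERVERS, CLIENTS, "any", None),
]


def evaluate(src, dst, proto, port):
    """Return 'pass' or 'block' for one flow using first-match semantics."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, rproto, ports in RULES:
        if s not in src_net or d not in dst_net:
            continue
        if rproto not in ("any", proto):
            continue
        if ports is not None and port not in ports:
            continue
        return action
    return "block"  # implicit default deny


# Constructed sample flows: (src, dst, proto, port)
SAMPLE_FLOWS = [
    ("192.168.1.20", "10.0.1.10", "tcp", 88),    # workstation -> DC Kerberos
    ("192.168.1.20", "10.0.1.10", "tcp", 3389),  # RDP, not in the allow list
    ("10.0.1.10", "192.168.1.20", "tcp", 445),   # server reaching into clients
]


def audit(flows):
    """Pair each flow with the verdict the rule list gives it."""
    return [(flow, evaluate(*flow)) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(verdict.upper().ljust(5), *flow)
```

    Adding a new application means adding one explicit pass rule; everything else between the subnets stays blocked.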

