    IPSec Mobile Client - Different Firewall Rules for Different Users

    PatrickF wrote:

      Hi,
      we have now set up our first pfSense box, running an IKEv2 / EAP-TLS VPN setup for our road warriors.
      Since we have multiple people accessing the network from outside, we would like to give the mobile clients distinct grants/firewall rules:

      Admins access to Everything
      Developers access to Net 192.168.50.0/24 and 192.168.30.0/24
      Support access to Host 192.168.30.30

      So what I thought about:

      1. We only have one firewall connected to the WAN.
      2. As far as I see, we can only configure one "Mobile Client" VPN tunnel (P1).
      3. We can add more Phase 2 entries to this tunnel, but in the Phase 2 settings, while able to define the "Local Network", I did not find any option to force a specific user to a different phase.
      4. In the firewall rules, I cannot find any option to set firewall rules based on the VPN user.

      Did I miss something?
      Or is this use case so special that it's not possible to run this on pfSense? I guess the use case is not so special, so how do other people handle this kind of stuff? :)

      Hope to finally find some help and fix my remaining VPN issues :-)
      Patrick

      NogBadTheBad wrote:

        You'll need to use FreeRADIUS for user auth and hand out specific IP addresses to each user.

        I hand out 172.16.9.0/25 for my own use, allowing me to access the internet + all my local LANs, and 172.16.9.128/25 to friends so they can use UK-based TV services when abroad, etc …

        https://forum.pfsense.org/index.php?topic=129443.msg750980#msg750980

        A typical user looks like this:

        # FreeRADIUS users file entry: check items on the first line,
        # reply items indented on the following lines, comma after each
        # reply item except the last.
        "andy" Cleartext-Password := "XXXXXXXXX", Simultaneous-Use := "1"
                Framed-IP-Address = 172.16.9.1,
                Framed-IP-Netmask = 255.255.255.0,
                Framed-Route = "0.0.0.0/0 172.16.0.1 1"


        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
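The reply above boils down to one mechanism: the firewall cannot see the VPN user name, but it can see the tunnel's virtual IP, so make RADIUS hand each user a fixed address from a per-role pool and write the rules on the IPsec tab against those pools. The script below is an added example, not code from the thread, from pfSense or from FreeRADIUS. It assumes user authentication has been moved to FreeRADIUS (EAP-RADIUS rather than the EAP-TLS of the question), so that the server can return a Framed-IP-Address, and that the client's tunnel address is the one RADIUS assigned rather than one the client picks itself. The role names, pools, user names and destination networks are constructed to match the question; the pf-style rule rendering shows the shape of what ends up on the enc0 interface, not pfSense's own generated output.

```python
"""Role-based access for IPsec mobile clients via RADIUS-assigned addresses.

Added example, not code from the original thread or from pfSense/FreeRADIUS.
It models the reply's approach: FreeRADIUS returns a fixed Framed-IP-Address
per user, each role draws from its own address pool, and the rules on the
IPsec interface key on those pools. Role names, pools, user names and
destination networks are constructed to match the original question.
"""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network

# Constructed: one virtual-address pool per role. Pools must not overlap,
# otherwise a support user could land inside a developer rule (checked below).
ROLE_POOLS = {
    "admins":     IPNet("172.16.9.0/26"),
    "developers": IPNet("172.16.9.64/26"),
    "support":    IPNet("172.16.9.128/26"),
}

# Constructed: what each role may reach, as asked in the question.
ROLE_ACCESS = {
    "admins":     [IPNet("0.0.0.0/0")],
    "developers": [IPNet("192.168.50.0/24"), IPNet("192.168.30.0/24")],
    "support":    [IPNet("192.168.30.30/32")],
}

# Constructed users: name -> (role, host offset inside the role's pool).
USERS = {
    "alice": ("admins", 1),
    "bob":   ("developers", 1),
    "carol": ("developers", 2),
    "dave":  ("support", 1),
}


def check_pools_disjoint(pools=ROLE_POOLS):
    """Return True only if no two role pools overlap."""
    nets = list(pools.values())
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def framed_ip(user):
    """Fixed address for a user: pool network address + offset, never the
    network or broadcast address of the pool."""
    role, offset = USERS[user]
    pool = ROLE_POOLS[role]
    addr = pool.network_address + offset
    if addr not in pool or addr in (pool.network_address, pool.broadcast_address):
        raise ValueError(f"offset {offset} is outside the usable range of {pool} ({role})")
    return addr


def users_file_entry(user, password):
    """Render a FreeRADIUS 'users' file entry: check items on the first line,
    the reply item (the fixed address) indented on the next line."""
    return (
        f'"{user}" Cleartext-Password := "{password}", Simultaneous-Use := "1"\n'
        f"\tFramed-IP-Address = {framed_ip(user)}\n"
    )


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    src: IPNet
    dst: IPNet


def build_rules():
    """First-match ruleset for the IPsec interface: one pass rule per
    role/destination pair, then an explicit catch-all block."""
    rules = [Rule("pass", ROLE_POOLS[role], dst)
             for role in ROLE_POOLS for dst in ROLE_ACCESS[role]]
    rules.append(Rule("block", IPNet("0.0.0.0/0"), IPNet("0.0.0.0/0")))
    return rules


def render_pf(rules, iface="enc0"):
    """pf-style rendering of the ruleset (illustrative of the rules pfSense
    builds for the IPsec tab; not its actual generated output)."""
    def fmt(net):
        return "any" if net.prefixlen == 0 else str(net)
    return "\n".join(f"{r.action} in quick on {iface} inet from {fmt(r.src)} to {fmt(r.dst)}"
                     for r in rules)


def allowed(rules, src_ip, dst_ip):
    """Evaluate a flow against the first-match ruleset; default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action == "pass"
    return False


if __name__ == "__main__":
    assert check_pools_disjoint(), "role pools overlap; rules would be ambiguous"
    for name in USERS:
        print(users_file_entry(name, "CHANGEME"))
    rules = build_rules()
    print(render_pf(rules))
    print(allowed(rules, str(framed_ip("dave")), "192.168.30.30"))   # support -> its one host
    print(allowed(rules, str(framed_ip("dave")), "192.168.50.10"))   # support -> dev net, denied
```

The pool-overlap check is the part worth keeping in a real deployment: once access is keyed on addresses, a typo that makes two pools overlap silently widens one group's reach, and nothing in RADIUS or the firewall will flag it.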

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.