Netgate Discussion Forum

    per user or rather user group rules

    Category: OpenVPN
    skullnobrains

      Hello all,

      Is there any way in pfSense to use user names or group membership in rules?
      I'd rather not set up a bunch of static IPs and fiddle with subnets or hard-to-maintain aliases with no names.

      My case can be trimmed to a simple admin/non-admin case, but I'd rather find a more versatile solution.

      A few acceptable but not really good ideas could be:
      • push the users' addresses into the DNS and configure it so the zone is internal only. Workable but dangerous.
      • use a captive portal so allowed users can gain extra privileges, but that boils down to double authentication. It seems acceptable though if only admins need to authenticate a second time.
      • configure a second VPN for admins only, but if I need a separate CA, that's a pain to maintain. If I can limit authentication on the secondary VPN to a group, that's more workable.

      Any ideas?

      BTW, I'd like the same to work on the LAN through DHCP-provided IPs, assuming the DHCP is secure due to L2 security on the switches. Should the solution allow mapping users to addresses and cover both issues, that would prove helpful.

      Note: if pf can be instructed to resolve addresses using only 127.0.0.1, ignoring whatever other DNS servers are configured, and if I can make OpenVPN update the DNS, that might simplify both issues somehow with a proper dnsmasq config that won't forward queries to the dedicated zone.

      I know several ways to achieve the equivalent in pure BSD. My goal is to use stuff that can be configured in the GUI.

      If there is no better way, I'll have to use fixed addresses and one object per user, but that's quite a pain to maintain, so I'm hoping for some pfSense smarts I'm not aware of.

      Thanks for your time.

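The note at the end of the post sketches one mechanism: let OpenVPN publish each connected user's address into a DNS zone that dnsmasq serves locally and never forwards upstream, so that firewall objects can refer to a stable per-user name instead of a static IP. The script below is an added example of that glue, not part of skullnobrains's post and not pfSense, Netgate or OpenVPN project code. It assumes a constructed zone name `vpn.internal`, a hosts file path `/var/run/openvpn-users.hosts`, the environment variables OpenVPN exports to `client-connect` / `client-disconnect` hooks (`script_type`, `common_name`, `ifconfig_pool_remote_ip`), and a dnsmasq configured with `addn-hosts=/var/run/openvpn-users.hosts` and `local=/vpn.internal/` so queries for the zone are answered only from that file. The common name and address are validated before they touch the hosts file, because a certificate subject is attacker-chosen input from the firewall's point of view.

```shell
#!/bin/sh
# Added example (not from the forum post): keep a dnsmasq hosts file in sync
# with OpenVPN sessions so <common_name>.vpn.internal resolves to the address
# OpenVPN just assigned. Assumed zone, file path and env vars are noted above.

ZONE="${VPN_DNS_ZONE:-vpn.internal}"                        # constructed zone name
HOSTS_FILE="${VPN_HOSTS_FILE:-/var/run/openvpn-users.hosts}" # read by dnsmasq addn-hosts=
DNSMASQ_PID="${DNSMASQ_PID:-}"                                # set to signal a running dnsmasq

# Accept only names that are safe as a DNS label: letters, digits and '-'.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# Replace (or, with an empty address, remove) the hosts entry for one user.
# Usage: update_entry <common_name> [ipv4]
update_entry() {
    name="$1"; ip="$2"
    valid_name "$name" || { echo "rejecting common_name '$name'" >&2; return 1; }
    fqdn="$name.$ZONE"
    tmp="$HOSTS_FILE.tmp.$$"
    touch "$HOSTS_FILE"
    # Drop any existing line for this name; awk compares whole fields, so no
    # regex escaping of the name is needed.
    awk -v h="$fqdn" '$2 != h' "$HOSTS_FILE" > "$tmp"
    if [ -n "$ip" ]; then
        valid_ipv4 "$ip" || { rm -f "$tmp"; echo "bad address '$ip'" >&2; return 1; }
        printf '%s %s\n' "$ip" "$fqdn" >> "$tmp"
    fi
    mv "$tmp" "$HOSTS_FILE"   # atomic swap so dnsmasq never reads a half-written file
    # SIGHUP makes dnsmasq re-read addn-hosts; skipped when no PID is known.
    [ -n "$DNSMASQ_PID" ] && kill -HUP "$DNSMASQ_PID" 2>/dev/null
    return 0
}

# Print the address currently recorded for a user, or nothing if absent.
lookup_entry() {
    awk -v h="$1.$ZONE" '$2 == h { print $1 }' "$HOSTS_FILE"
}

# Entry point when OpenVPN runs this file as a hook (script-security 2 or higher).
case "${script_type:-}" in
    client-connect)    update_entry "$common_name" "$ifconfig_pool_remote_ip" ;;
    client-disconnect) update_entry "$common_name" "" ;;
esac
```

The same script is named in both `client-connect` and `client-disconnect` in the OpenVPN server config, so an entry disappears as soon as the session ends rather than lingering as a stale mapping to an address the pool may hand to someone else. Whether pfSense's rule engine can be pointed at this zone in the way the post asks is left as open as the post leaves it; the script only produces the name-to-address records.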