per user or rather user group rules



  • hello all

    is there any way in pfsense to use user names or group membership in rules?
    i'd rather not set up a bunch of static ips and fiddle with subnets or hard to maintain aliases with no names

    my case can be trimmed to a simple admin/nonadmin case but i'd rather find a more versatile solution

    a few acceptable but not really good ideas could be
    _ push the users' addresses in the dns and configure it so the zone is internal only. workable but dangerous
    _ use a captive portal so allowed users can gain extra privileges but that boils down to double authentication. it seems acceptable though if only admins need to authenticate a second time
    _ configure a second vpn for admins only but if i need a separate CA, that's a pain to maintain. if i can limit authentication on the secondary VPN to a group, that's more workable.

    any ideas?

    btw, i'd like the same to work on the LAN through DHCP provided IPs, assuming the DHCP is secure due to l2 security on the switches. should the solution allow mapping users to addresses and cover both issues, that would prove helpful

    note: if pf can be instructed to resolve addresses using only 127.0.0.1 ignoring whatever other dns servers are configured, and if i can make openvpn update the dns, that might simplify both issues somehow with a proper dnsmasq config that won't forward queries to the dedicated zone.

    i know several ways to achieve the equivalent in pure BSD. my goal is to use stuff that can be configured in the GUI

    if there is no better way, i'll have to use fixed addresses and one object per user but that's quite a pain to maintain so i'm hoping for some pfsense smarts i'm not aware of

    thanks for your time
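One way to realise the "make openvpn update the dns" idea from the note above, as an added example that is not part of the original post or of pfSense: an OpenVPN client-connect/client-disconnect hook that keeps a dnsmasq hosts file mapping each authenticated user to the address OpenVPN assigned, so rules can reference a name such as alice.vpn.internal instead of a fixed ip. The file path, the vpn.internal domain and the dnsmasq addn-hosts/SIGHUP reload are assumptions; the environment variables common_name, ifconfig_pool_remote_ip and script_type are the ones OpenVPN documents for these hooks.

```shell
#!/bin/sh
# Added example, not from the original post. Keeps HOSTS_FILE (assumed to be
# loaded by dnsmasq via addn-hosts) in sync with OpenVPN sessions. OpenVPN runs
# this with script-security 2; common_name carries the authenticated username
# when the server uses --username-as-common-name.
HOSTS_FILE="${HOSTS_FILE:-/var/db/vpn-users.hosts}"   # assumed path
DOMAIN="${DOMAIN:-vpn.internal}"                       # assumed internal zone

# Accept only names that are safe as a DNS label and cannot smuggle
# whitespace or path characters into the hosts file.
valid_user() {
    case "$1" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Render one hosts(5) line: "<ip> <user>.<domain>".
hosts_line() {
    printf '%s %s.%s\n' "$2" "$1" "$DOMAIN"
}

# Replace any existing entry for USER with IP (drop it when IP is empty).
# The file is rewritten atomically so dnsmasq never reads a half-written copy.
update_hosts() {
    user="$1"; ip="$2"
    valid_user "$user" || return 1
    tmp="$HOSTS_FILE.tmp.$$"
    if [ -f "$HOSTS_FILE" ]; then
        # keep every line whose hostname field is not this user's name
        awk -v name="$user.$DOMAIN" '$2 != name' "$HOSTS_FILE" > "$tmp"
    else
        : > "$tmp"
    fi
    if [ -n "$ip" ]; then
        hosts_line "$user" "$ip" >> "$tmp"
    fi
    mv "$tmp" "$HOSTS_FILE"
}

# Entry point when invoked by OpenVPN (script_type is set only in that case).
if [ -n "$script_type" ]; then
    case "$script_type" in
        client-connect)    update_hosts "$common_name" "$ifconfig_pool_remote_ip" ;;
        client-disconnect) update_hosts "$common_name" "" ;;
    esac && pkill -HUP dnsmasq   # ask dnsmasq to re-read addn-hosts
fi
```

Point OpenVPN at the script with `client-connect` and `client-disconnect` directives; the firewall side then only needs aliases that resolve the per-user names.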