User-based access to different subnets



  • Hello,

    I have a new pfSense box with multiple network interfaces corresponding to different groups of users. For example, group A needs to access interface/subnet A and group B needs to access interface/subnet B. I'm looking for the most elegant way to implement this and what I have come up with on my own seems inelegant. All I have so far is to create multiple OpenVPN servers running on different ports (e.g. 1194, 1195, etc.) and assign each group of users to a separate OpenVPN server. That would allow me to assign a unique OpenVPN client subnet to each group and then control access via firewall rules to the corresponding interface/subnets mentioned above.

    My preference is to run a single OpenVPN server and control network access by users and/or user groups. Is that possible? Can you point me in the right direction or suggest another solution?

    Thank you,
    cdunbar


  • LAYER 8 Global Moderator

    So these are remote users...

    So you can set up VPN user A to get IP address X, you set up user B to get IP address Y... You then on your rules allow X to get to what it needs, and Y to get to what it needs.

    There is no real reason to run multiple instances - but that might be easier if all users need the same sort of access and there is no bleed over where user A might need to be part of what user B has access to.



  • @johnpoz,

    Thank you for the reply. I think I understand what you suggested, but managing individual IPs and firewall rules wouldn't scale very well. I'll potentially have 15+ users in each group and that would be a mess to keep up with.

    I just discovered Client Specific Overrides and it looks like it could do what I am looking for. However, it seems to also be too granular (i.e. one override per unique user) and I'm not sure if I can use it for a group of users. Any experience with this?

    Thank you,
    cdunbar


  • LAYER 8 Rebel Alliance

    With CSO you can bind a fixed IP to each of your VPN RAS Users.
    After that you could group your Users with Aliases via the IP and use the Alias in Firewall Rules.

    -Rico
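
An added example (not from this thread or from pfSense itself) of the approach Rico describes, generalized so that each group gets its own address block inside a single OpenVPN tunnel subnet: one client-config-dir entry per user (what a pfSense Client Specific Override generates behind the GUI), and one firewall rule per group matching the block rather than each host. Assumed and constructed: tunnel subnet 10.8.0.0/24 with topology subnet, group A in 10.8.0.16/28 and group B in 10.8.0.32/28, the interface name ovpns1, and the destination subnets.

```shell
#!/bin/sh
# Added example: pin each VPN user to a per-group /28 block inside one
# tunnel subnet, then write firewall rules that match the block.
# Assumptions (constructed): tunnel 10.8.0.0/24, topology subnet,
# group A -> 10.8.0.16/28, group B -> 10.8.0.32/28, interface ovpns1.
# The user name must equal the CN of that user's client certificate.

CCD_DIR="${CCD_DIR:-/tmp/ccd-example}"

# First host offset of each group's block; unknown group -> failure.
group_base() {
  case "$1" in
    A) echo 16 ;;
    B) echo 32 ;;
    *) return 1 ;;
  esac
}

# Address of the Nth user (1-based) in a group. A /28 leaves 14 usable
# hosts (.16 and .31 are skipped), so refuse anything past that.
user_ip() {  # user_ip GROUP INDEX
  base=$(group_base "$1") || return 1
  [ "$2" -ge 1 ] && [ "$2" -le 14 ] || return 1
  echo "10.8.0.$((base + $2))"
}

# One client-config-dir file per user; OpenVPN pushes this address on
# connect, which is exactly what a pfSense CSO "Tunnel Network" does.
write_ccd() {  # write_ccd GROUP USER INDEX
  ip=$(user_ip "$1" "$3") || return 1
  mkdir -p "$CCD_DIR"
  printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$CCD_DIR/$2"
}

# One pf rule per group: the /28 block stands in for a per-user alias.
pf_rule() {  # pf_rule GROUP DEST_NET
  base=$(group_base "$1") || return 1
  printf 'pass in on ovpns1 inet from 10.8.0.%s/28 to %s\n' "$base" "$2"
}

# Constructed demo: two users in group A, one in group B.
write_ccd A alice 1
write_ccd A bob 2
write_ccd B carol 1
pf_rule A 192.168.10.0/24
pf_rule B 192.168.20.0/24
```

Adding a fifteenth user to a group fails instead of silently spilling into the neighbouring block, which is the failure mode to watch for when the per-user addresses are what the firewall rules key on.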



  • For posterity...

    I decided to set up a separate OpenVPN server for each group of users. In the end it was the cleanest way to differentiate between the groups by assigning a unique subnet to each instance of OpenVPN. Client Specific Overrides is an interesting feature and might have allowed a portion of what I was looking for, but did not offer a complete solution.

    Thank you,
    cdunbar

