remote access client users > different VLANs



  • Hi,

    Long time lurker, first post.

    I've been looking for an excuse to get my hands properly dirty on pfsense, having been using vyatta/edgerouters, cisco and fortigates for a while, but have been interested in pfsense's capabilities.

    I think i might have found that use case :)

    I have multiple VLANs internally which I need granted to external users securely from their client PCs on public IPs.

    I'm thinking along the lines of specific OpenVPN users being granted access to a specific VLAN.

    Has anyone built a similar config?

    Is there another completely different method of achieving this I've missed?

    I'd be grateful for any pointers.

    Chris.



  • any takers? I've googled the tips of my fingers off on this one :/


  • LAYER 8 Rebel Alliance

    AFAIK you can't just say User A get access to VLAN20 and User B to VLAN30. In OpenVPN you want to use tun mode which is Layer 3 anyway.
    BUT in pfSense you have your VLANs in Interfaces with IP subnets configured, right?
    Say VLAN20 is 192.168.20.0/24 network, VLAN30 is 192.168.30.0/24
    Sure you can say User A is only allowed to talk to the 192.168.20.0/24 network, User B only to 192.168.30.0/24 with Firewall Rules.
    You can also run separate OpenVPN Instances, one per VLAN and route only the according network to your connecting User. This will also spread the load. :-)

    -Rico


  • Galactic Empire

    FreeRadius and hand IP addresses (framed) out that you can use in firewall rules for the clients, I do it with IPsec so I can access everything and friends can only access the internet.

    Sort of pointless if all the users PCs the LAN side of pfSense are all on the same subnet.

    
    "andy" Cleartext-Password := "XXXXXXXX", Simultaneous-Use := "1", Expiration := "Apr 11 2027", NAS-Identifier == strongSwan 
    
    	Framed-IP-Address = 172.16.8.4,
    	Framed-IP-Netmask = 255.255.255.0,
    	Framed-Route = "0.0.0.0/0 172.16.8.1 1"
    
    

Log in to reply