Weird gap in firewall rules for foster home



  • I want different rules for different kids in my foster home (I'm the parent). Different schedules, different speeds per child (I also want to report on each child's bandwidth).

    Now I can achieve this by filtering MAC addresses on the DHCP Server - which is trivial and working well, but...

    This sucks right? Wouldn't it be better to authenticate a child/user on Radius credentials and then steer them through the firewall rules (and SquidGuard) with this? I can't see any way of doing this. Help?

    If the firewall Alias field accepted Usernames and User Groups (i.e. Kids-authenticated-by-FreeRadius) then my problems would be solved.


  • Rebel Alliance Developer Netgate

    @peterwilson_69 said in Weird gap in firewall rules for foster home:

    Wouldn't it be better to authenticate a child/user on Radius credentials and then steer them through the firewall rules (and SquidGuard) with this?

    That would be 802.1x and that is entirely up to your layer 2 -- The AP or switch. That's why you don't see it on the firewall. By the time the traffic hits the firewall, it's too late to make that kind of decision.

    Depending on your switch/AP you could drop each person's login into their own VLAN, which would have its own set of rules and other settings on pfSense. Then no matter what they login using (laptop, phone, tablet, etc) it would have the same restrictions.
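    A worked example of the per-login VLAN assignment described above, added here as an illustration; it is not part of the original thread and is not Netgate or FreeRADIUS project code. It is a FreeRADIUS `users` file that returns the RFC 3580 tunnel attributes, which an 802.1X-capable switch or access point uses to drop an authenticated user into a specific VLAN. The usernames, passwords, VLAN IDs and the file path are constructed placeholders; the attribute names (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) are the standard ones.

```conf
# /etc/freeradius/3.0/users   (path assumed; FreeRADIUS 3.x layout)
#
# Format per entry: username, check items (the password, ":=" operator),
# then reply items sent back to the switch/AP on Access-Accept.
# Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and
# Tunnel-Private-Group-Id = "<vlan id>" are the RFC 3580 attributes an
# 802.1X authenticator uses for dynamic VLAN assignment.
# All names, passwords and VLAN numbers below are constructed examples.

# Child A: every device they log in from lands in VLAN 20
child-a  Cleartext-Password := "CHANGE-ME-A"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "20"

# Child B: same idea, VLAN 30
child-b  Cleartext-Password := "CHANGE-ME-B"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "30"

# Parent: VLAN 10 (the least-restricted one)
parent   Cleartext-Password := "CHANGE-ME-P"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "10"

# Anyone not listed above is refused outright rather than falling into a
# VLAN by accident. DEFAULT must come after the named entries, because
# the first matching entry wins unless Fall-Through is set.
DEFAULT  Auth-Type := Reject
```

    On the pfSense side each of those VLANs becomes its own interface, so the firewall rules, Schedules and Limiters (the per-child speed caps) are applied per VLAN, and the per-interface traffic graphs give the per-child bandwidth reporting the question asks for. The switch or AP still needs to be registered as a RADIUS client (shared secret in FreeRADIUS's clients.conf) and the port facing pfSense must carry those VLANs tagged; nothing in the file above removes the need for that layer 2 configuration.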



  • @jimp This is a very well thought out answer - thank you. I feel like an idiot for not realizing RADIUS was layer 2. Thank you.



  • @peterwilson_69 For anyone else reading this post, I also had to update my switch settings to accept tagged (VLAN) traffic on the relevant ports of my switch.