Netgate Discussion Forum
    VPN Feature Request:

    Category: General pfSense Questions
    5 posts, 3 posters, 583 views
    keyser (Rebel Alliance) wrote:

      Problem: pfSense does not support user/group based firewall rules for VPN users that have successfully authenticated to pfSense as VPN clients.
      While OpenVPN does have some less than good workarounds, mobile IPsec VPN has no such thing.
      Mobile IPsec VPN is a way better solution than OpenVPN in my opinion as it works flawlessly with the built-in VPN clients in Windows 10, MacOS, iOS and Android.

      Possible EASY solution:
      How about implementing a little service that adds a client's VPN IP address to a built-in FW alias group if the user authenticated with a user belonging to a user group? Then we could make VPN user group firewall rules by using standard aliases as usual.
      If this was done upon VPN connect, and removed on VPN disconnect (needs a bit of state handling as well), it should work regardless of whether the user authenticates with a local database user, or via a RADIUS user if the RADIUS server returns the group name in the Class attribute.

      Love the no fuss of using the official appliances :-)

    stephenw10 (Netgate Administrator) wrote:
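The connect/disconnect alias service proposed in the post, modelled as a small Python class. This is an added illustration, not pfSense code and not anything Netgate ships; the group names, session ids and addresses are constructed, and the assumption that the RADIUS Class attribute carries the bare group name is just that, an assumption. The point it makes is the "bit of state handling" the post mentions: connect events must be idempotent, an address can be reused by a second session before the first session's disconnect arrives, disconnects for unknown sessions must be ignored, and a missed disconnect needs a timeout so a stale address does not stay in a privileged alias.

```python
"""Toy model of a VPN-group alias service (illustration only, not pfSense code)."""
import ipaddress
from dataclasses import dataclass

# CONSTRUCTED group names standing in for pfSense user groups / RADIUS Class values.
KNOWN_GROUPS = {"vpn_admins", "vpn_users"}


def group_from_class_attribute(value):
    """Map a RADIUS Class attribute to a group name.

    Assumption (not a pfSense or FreeRADIUS guarantee): the RADIUS server returns
    the bare group name in Class. Class is an opaque octet string on the wire, so
    accept bytes or str and reject anything that is not printable text.
    """
    if isinstance(value, bytes):
        try:
            value = value.decode("ascii")
        except UnicodeDecodeError:
            return None
    value = value.strip()
    return value if value and value.isprintable() else None


@dataclass
class Session:
    ip: str
    group: str
    last_seen: float


class VpnGroupAliases:
    """Tracks live VPN sessions and derives one address alias per group."""

    def __init__(self, known_groups):
        self._known = set(known_groups)
        self._sessions = {}                        # session_id -> Session
        self._refs = {g: {} for g in self._known}  # group -> {ip: live session count}

    def connect(self, session_id, ip, group, now):
        """Register a session; returns False for duplicates, unknown groups or bad IPs."""
        if session_id in self._sessions:  # repeated connect event: idempotent
            return False
        if group not in self._known:      # never create aliases for unknown groups
            return False
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            return False
        self._sessions[session_id] = Session(ip, group, now)
        refs = self._refs[group]
        refs[ip] = refs.get(ip, 0) + 1    # reference count: same IP may be reused
        return True

    def disconnect(self, session_id):
        """Drop a session; the IP leaves the alias only when no session uses it."""
        sess = self._sessions.pop(session_id, None)
        if sess is None:                  # disconnect for a session we never saw
            return False
        refs = self._refs[sess.group]
        refs[sess.ip] -= 1
        if refs[sess.ip] == 0:
            del refs[sess.ip]
        return True

    def touch(self, session_id, now):
        """Record liveness (e.g. from a periodic SA/status poll)."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return False
        sess.last_seen = now
        return True

    def expire(self, now, max_age):
        """Evict sessions whose disconnect event was missed; returns their ids."""
        stale = [sid for sid, s in self._sessions.items() if now - s.last_seen > max_age]
        for sid in stale:
            self.disconnect(sid)
        return stale

    def alias(self, group):
        """Current alias contents for a group, sorted by address."""
        return sorted(self._refs.get(group, {}), key=lambda a: ipaddress.ip_address(a).packed)


if __name__ == "__main__":
    svc = VpnGroupAliases(KNOWN_GROUPS)
    svc.connect("sess-1", "10.10.0.5", group_from_class_attribute(b"vpn_admins"), now=100.0)
    print(svc.alias("vpn_admins"))
    svc.disconnect("sess-1")
    print(svc.alias("vpn_admins"))
```

In a real service the `connect`/`disconnect` calls would be driven by the VPN daemon's up/down events and the alias contents pushed into the firewall table; the reference count and the expiry sweep are what keep the alias from either dropping an address that is still in use or keeping one that is not.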

        If there isn't anything similar already open then create a feature request for it here:
        https://redmine.pfsense.org/

      jimp (Rebel Alliance, Developer, Netgate) wrote:

          Both OpenVPN and IPsec support rules from RADIUS reply attributes already.

          Maintaining a list of connected users in an alias is not as trivial as it sounds.

          Use RADIUS, it's already there and proven to work. You can install the FreeRADIUS package on pfSense to do it locally.

        keyser (Rebel Alliance) wrote:

            Hi Jimp

            I am using RADIUS already, but the problem is that the proper way, for all OS support and better security, is IKEv2 using EAP-RADIUS. And the Cisco-AV-Pair ACL return attributes do not work when you run EAP. They only work in an IKEv1 + Xauth setup.

            So with IKEv2 there are no options for doing user/group based ACLs as far as I can tell.

            On another note, and why I suggest an alias solution: I think it would be a much better solution to have the configurable and easily understandable pfSense firewall rules dictate what happens to group members' traffic. Invisible ACL rules coming from a RADIUS server are less than flexible.

            I can understand that an alias list of user IPs might be more challenging than it sounds, but I really think pfSense needs this feature. There has to be some way to bring group membership in user validation directories to bear on which firewall rules you are governed by.
            Once implemented, myriad other simple but great features could be built on top of that.

            keyser (Rebel Alliance) wrote:

              Bump..

              No comments about Jimp's suggested solution being unavailable when you use the more modern and secure IKEv2 EAP based solution?
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.