VPN Feature Request:
-
Problem: pfSense does not support user/group based firewall rules for VPN users that have successfully authenticated to pfSense as VPN clients.
While OpenVPN does have some less than good workarounds, mobile IPsec VPN has no such thing.
Mobile IPsec VPN is a way better solution than OpenVPN in my opinion as it works flawlessly with the built-in VPN clients in Windows 10, macOS, iOS and Android.

Possible EASY solution:
How about implementing a little service that adds a client's VPN IP address to a built-in FW Alias group if the user authenticated with a user belonging to a usergroup? Then we could make VPN usergroup firewall rules by using standard aliases as usual.
If this was done upon VPN connect, and removed on VPN disconnect (needs a bit of state handling as well), it should work regardless of whether the user authenticates with a local database user, or via a RADIUS user if the RADIUS server returns the group name in the CLASS attribute.
-
If there isn't anything similar already open then create a feature request for it here:
https://redmine.pfsense.org/
-
Both OpenVPN and IPsec support rules from RADIUS reply attributes already.
Maintaining a list of connected users in an alias is not as trivial as it sounds.
Use RADIUS, it's already there and proven to work. You can install the FreeRADIUS package on pfSense to do it locally.
-
Hi Jimp,
I am using RADIUS already, but the problem is that the proper way - for all OS support and better security - is IKEv2 using EAP-RADIUS. And the Cisco-AV-Pair ACL return attributes do not work when you run EAP. They only work in an IKEv1 + Xauth setup.
So with IKEv2 there are no options for doing user/group based ACLs as far as I can tell.
On another note, and why I suggest an Alias solution: I think it would be a much better solution to have the configurable and easily understandable pfSense firewall rules dictate what happens to group members' traffic. Invisible ACL rules coming from RADIUS are less than flexible.
I can understand that an alias list of user IPs might be more challenging than it sounds, but I really think pfSense needs this feature. There has to be some way to bring group membership in user validation directories to bear on which firewall rules you are governed by.
Once implemented, myriads of other simple but great features could be built on top of that.
-
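The connect/disconnect alias bookkeeping discussed in the opening post and in the reply above, as an added illustration written for this page (it is not pfSense code and not anything the posters wrote). It assumes a hypothetical mapping from RADIUS CLASS values to alias names, made-up users and tunnel addresses, and that a pfSense alias is backed by a pf table editable with `pfctl -t NAME -T add` / `-T delete`; the commands are only built as strings, never executed. It shows why the state handling is the hard part: per-address reference counting, a reused tunnel address must not inherit the previous user's groups, and a lost disconnect leaves a stale entry unless something reconciles against the live session list.

```python
"""Constructed model of 'put the VPN client's IP into a per-group alias'.

Illustration only: the CLASS values, alias names, users and addresses are
made up, and pfctl command lines are returned as strings for inspection.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical mapping: RADIUS CLASS attribute value -> pfSense alias (pf table) name.
CLASS_TO_ALIAS = {"vpn-admins": "VPN_ADMINS", "vpn-staff": "VPN_STAFF"}


@dataclass(frozen=True)
class Session:
    user: str
    ip: str
    aliases: frozenset


class GroupAliasTracker:
    """Tracks which tunnel address belongs in which alias, with reference counts."""

    def __init__(self, class_to_alias):
        self.class_to_alias = class_to_alias
        self.sessions = {}   # session_id -> Session
        self.members = {}    # alias -> {ip -> set(session_ids holding it)}

    def _aliases_for(self, class_values):
        # CLASS values with no mapping grant nothing: fail closed.
        return frozenset(self.class_to_alias[c] for c in class_values if c in self.class_to_alias)

    def connect(self, session_id, user, ip, class_values):
        # Validate the address before it is ever interpolated into a command line.
        ip = str(ipaddress.ip_address(ip))
        cmds = []
        if session_id in self.sessions:
            # Same session reported again (reconnect): tear the old state down first.
            cmds += self.disconnect(session_id)
        aliases = self._aliases_for(class_values)
        self.sessions[session_id] = Session(user, ip, aliases)
        for alias in sorted(aliases):
            holders = self.members.setdefault(alias, {}).setdefault(ip, set())
            if not holders:  # first session holding this ip in this alias
                cmds.append(f"pfctl -t {alias} -T add {ip}")
            holders.add(session_id)
        return cmds

    def disconnect(self, session_id):
        s = self.sessions.pop(session_id, None)
        if s is None:
            return []  # duplicate or unknown disconnect: nothing to undo
        cmds = []
        for alias in sorted(s.aliases):
            holders = self.members[alias][s.ip]
            holders.discard(session_id)
            if not holders:  # last holder gone: remove the address from the table
                del self.members[alias][s.ip]
                cmds.append(f"pfctl -t {alias} -T delete {s.ip}")
        return cmds

    def reconcile(self, live_session_ids):
        """Drop sessions the VPN daemon no longer knows (covers lost disconnect events)."""
        cmds = []
        for sid in sorted(set(self.sessions) - set(live_session_ids)):
            cmds += self.disconnect(sid)
        return cmds

    def current(self, alias):
        return sorted(self.members.get(alias, {}))


if __name__ == "__main__":
    t = GroupAliasTracker(CLASS_TO_ALIAS)
    for cmd in t.connect("s1", "alice", "10.0.8.2", ["vpn-admins", "vpn-staff"]):
        print(cmd)
    for cmd in t.disconnect("s1"):
        print(cmd)
    # 10.0.8.2 is handed to a staff-only user; VPN_ADMINS must stay empty.
    for cmd in t.connect("s3", "carol", "10.0.8.2", ["vpn-staff"]):
        print(cmd)
    print("VPN_ADMINS:", t.current("VPN_ADMINS"), "VPN_STAFF:", t.current("VPN_STAFF"))
```

The reconcile step is the part a real implementation cannot skip: without periodically comparing tracked sessions against the daemon's live session list, a single missed disconnect leaves an address in a privileged table until the next client that happens to receive it.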
Bump..
No comments about Jimp's suggested solution being unavailable when you use the more modern and secure IKEv2 EAP based solution?