IPsec Mobile Group based Firewall rules - Multiple IP pools?
- 
 Hi, I am desperately looking for solutions to assign different firewall rules to different groups of users using IKEv2 Mobile IPsec VPN - impressively, pfSense still does not support this, which renders pfSense IPsec Mobile VPN useless in larger environments. I'm using EAP-RADIUS authentication to a Windows NPS server, but pfSense cannot use a returned group identifier to assign group rights/firewall rules. 
 Nor can it use the Cisco-AV-Pair ACLs, since we are using EAP-RADIUS authentication. Since IPsec rules are interface based - one size fits all - 
 the only possible way to differentiate users so far is to assign a static IP to each user by returning the Framed-IP-Address attribute, but that does not scale well with 8000 users needing individual rules on a Windows NPS server :-) So my last attempt is this: 
 Is there any way to set up multiple virtual IP pools instead of just one for IPsec Mobile users? The RADIUS server can return a Framed-Pool identifier, and if pfSense could use that to select which pool a user gets an IP from, then I could easily make different firewall rules based on Windows group membership via RADIUS authentication.
- 
 @keyser said in IPsec Mobile Group based Firewall rules - Multiple IP pools?: IPsec Mobile VPN 
 Use Framed-IP-Address in RADIUS, then create firewall rules based on the IP address handed out. A bit of a pain, but it works. 
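To show how the Framed-Pool design asked for in the opening post would differ from the Framed-IP-Address workaround suggested here, this is an added Python model; it is not pfSense code and not from anyone in this thread, and the pool names, subnets and rules are constructed sample values.

```python
import ipaddress

# Constructed sample: one virtual IP pool per Windows/NPS group, selected by the
# RADIUS Framed-Pool reply attribute (hypothetical behaviour; pfSense mobile
# IPsec currently offers a single pool).
POOLS = {
    "pool-admins": "10.250.0.0/24",
    "pool-staff": "10.250.1.0/24",
}

# With per-group pools you need one firewall rule per group subnet
# (source subnet, action, destination alias) instead of one rule per user.
RULES = [
    ("10.250.0.0/24", "pass", "any"),
    ("10.250.1.0/24", "pass", "intranet-servers"),
]


class PoolAllocator:
    def __init__(self, pools):
        self.pools = {n: ipaddress.ip_network(net) for n, net in pools.items()}
        self.free = {n: iter(net.hosts()) for n, net in self.pools.items()}
        self.leases = {}  # username -> assigned address

    def assign(self, user, reply_attrs):
        """Pick an address from the RADIUS reply: a static Framed-IP-Address
        (the current workaround) wins; otherwise draw from the Framed-Pool."""
        if "Framed-IP-Address" in reply_attrs:
            addr = ipaddress.ip_address(reply_attrs["Framed-IP-Address"])
            if addr in self.leases.values():
                return None  # two users with the same static IP: refuse
        else:
            pool = reply_attrs.get("Framed-Pool")
            if pool not in self.free:
                return None  # unknown or missing pool: reject, never default
            addr = next(self.free[pool], None)
            if addr is None:
                return None  # pool exhausted
        self.leases[user] = addr
        return addr


def matching_rules(addr, rules):
    """Return the rules whose source subnet contains the assigned address."""
    ip = ipaddress.ip_address(addr)
    return [r for r in rules if ip in ipaddress.ip_network(r[0])]
```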
- 
 Yeah, but like I said, that does not work for us, as we currently have about 8000 users with a high churn of new users. 
 8000+ RADIUS policies and 10 - 100+ new policies per day is not a solution.
- 
 @keyser 
 Hi
 There is one idea - but I need to understand: is there something in common in the usernames belonging to the same group?
- 
 Unfortunately not. I'm baffled that IPsec Mobile does not have any integration features towards RADIUS to allow for firewall rule separation. 
 It must truly only be meant for Site-to-Site... with Mobile User being a "bolt-on" that really only has Site-to-Site features.

