Route some VPN users to VLAN2 only
-
In pfSense 23 I want to achieve the following: I have some VPN users for which I have set up OpenVPN, and it is working. Users are authenticated against the local database. Behind the 4100 pfSense hardware appliance there is a switch, and I pulled 2 cables from the 4100 to the switch, one from LAN1 and one from LAN2. The switch has its ports split into 2 VLANs: 1 and 2. Now I would like some of the VPN users to have access only to VLAN 2 when they connect to the VPN. How to achieve this?
-
@drg25
This is commonly not a thing of VLANs, but rather of destination IPs. You allow the VPN users to access a certain subnet. So say your VLAN2 is the subnet 10.10.0.0/24: enter this subnet in the OpenVPN server settings into the "Local Networks" box, and edit the pass rule on the OpenVPN tab and set the source to the VPN tunnel network and the destination to the network 10.10.0.0/24.
-
@viragomann Thank you, but if I do it like this, all VPN users would get routed to VLAN2? I want some users to access VLAN1 and some VLAN2. I should make 2 OpenVPN servers for this, correct?
-
@drg25
I see. You can do this also with a single server, though, but yes, it might be clearer if you set up a separate server for each user group. With a single server you would have to create a client specific override for each single user to assign him an IP out of a smaller subnet of the OpenVPN tunnel.
So say your tunnel is 10.0.8.0/24: you can assign 10.0.8.64/26 to the VLAN1 group and 10.0.8.128/26 to the VLAN2 group.
In the CSOs you can also specify the "Local Network" to push different routes to the clients, and then use the two tunnel subnets as sources in the firewall pass rules.
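The single-server approach above boils down to three pieces of configuration that have to agree with each other: the per-user tunnel address (CSO), the route pushed to that user (CSO "Local Network"), and the pass rule on the OpenVPN tab whose source is the group's tunnel sub-range. The script below is an added example, not code from the thread or from pfSense; it plans those pieces for the 10.0.8.0/24 tunnel and the 10.0.8.64/26 / 10.0.8.128/26 split from the reply, checks that the pools lie inside the tunnel and do not overlap, and shows which VLAN each user could reach under the resulting rules. The VLAN1 subnet 10.10.1.0/24, the user names and the user-to-group mapping are constructed; the rendered directives assume OpenVPN "subnet" topology (so `ifconfig-push` carries the full tunnel mask) and assume the server-wide "Local Networks" box is left empty so that only the CSO pushes a route.

```python
"""Plan per-user OpenVPN client-specific overrides (CSOs) for a two-VLAN split.

Added example; it mirrors the forum reply rather than pfSense's own code.
"""
import ipaddress

# Tunnel network and group pools from the thread.
TUNNEL = ipaddress.ip_network("10.0.8.0/24")
GROUPS = {
    # VLAN1 subnet 10.10.1.0/24 is a constructed value (assumption).
    "vlan1": {"pool": ipaddress.ip_network("10.0.8.64/26"),
              "local": ipaddress.ip_network("10.10.1.0/24")},
    # VLAN2 subnet 10.10.0.0/24 is the one named in the thread.
    "vlan2": {"pool": ipaddress.ip_network("10.0.8.128/26"),
              "local": ipaddress.ip_network("10.10.0.0/24")},
}
# Constructed user -> group mapping; real names live in pfSense's user manager.
USERS = {"alice": "vlan1", "bob": "vlan2", "carol": "vlan2"}


def check_pools(tunnel, groups):
    """Every group pool must sit inside the tunnel network, and pools must not overlap.

    A pool outside the tunnel would never be routed back through the server, and
    overlapping pools would let a firewall rule written for one group match the other.
    """
    pools = [g["pool"] for g in groups.values()]
    for p in pools:
        if not p.subnet_of(tunnel):
            raise ValueError(f"pool {p} is not inside tunnel {tunnel}")
    for i, a in enumerate(pools):
        for b in pools[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"pools {a} and {b} overlap")
    return True


def assign_addresses(users, groups):
    """Give each user the next free host address from their group's pool.

    Users are processed in name order so the assignment is deterministic.
    """
    check_pools(TUNNEL, groups)
    free = {name: g["pool"].hosts() for name, g in groups.items()}
    return {user: next(free[users[user]]) for user in sorted(users)}


def render_cso(user, addr, group, tunnel=TUNNEL):
    """Directives equivalent to one pfSense CSO: fixed tunnel IP plus a route to the group's VLAN only."""
    local = group["local"]
    return "\n".join([
        f"# CSO for {user}",
        f"ifconfig-push {addr} {tunnel.netmask}",  # subnet topology: full tunnel mask
        f'push "route {local.network_address} {local.netmask}"',
    ])


def firewall_rules(groups):
    """One pass rule per group on the OpenVPN tab: source = group pool, destination = that VLAN."""
    return [("pass", str(g["pool"]), str(g["local"])) for g in groups.values()]


def can_reach(addr, dst, groups):
    """True if a client holding tunnel address `addr` is allowed by the rules to reach `dst`.

    The pushed route only steers traffic; the pass rule is what actually enforces the split.
    """
    addr, dst = ipaddress.ip_address(addr), ipaddress.ip_address(dst)
    return any(addr in g["pool"] and dst in g["local"] for g in groups.values())


if __name__ == "__main__":
    assigned = assign_addresses(USERS, GROUPS)
    for user, addr in assigned.items():
        print(render_cso(user, addr, GROUPS[USERS[user]]), end="\n\n")
    for rule in firewall_rules(GROUPS):
        print("OpenVPN tab rule:", rule)
    print("alice -> VLAN2 host allowed?", can_reach(assigned["alice"], "10.10.0.5", GROUPS))
    print("bob   -> VLAN2 host allowed?", can_reach(assigned["bob"], "10.10.0.5", GROUPS))
```

The `can_reach` check is the part worth keeping around after the CSOs are written: a pushed route without a matching pass rule leaves the client unable to reach the VLAN, while a pass rule with source "OpenVPN tunnel network" (the whole /24) would silently let both groups through.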