Restrict users of the GUI

WhoAmI68 · Dec 12, 2024, 1:37 PM

Is it possible to restrict the login to the GUI to a specific user only?
Thanks for help.

WhoAmI68 · Dec 12, 2024, 3:17 PM

For example, only user BB can access the GUI from the VPN.

JonathanLee · Dec 12, 2024, 3:36 PM

Yes you can add user accounts with different privileges

WhoAmI68 · Dec 12, 2024, 5:41 PM

@JonathanLee Yes, but users BB and admin can still log in to the GUI. I only want to allow user BB to log in.

SteveITS · Dec 12, 2024, 7:59 PM

@WhoAmI68 said in Restrict users of the GUI:

For example, only user BB can access the GUI from the VPN.

Are you trying to block access to pfSense? That can be done by firewall rule though there is some juggling to assign the person an IP by using FreeRADIUS to authenticate for the VPN.

I'm a bit confused because if you don't want them to log in to pfSense, don't create a user in pfSense for them...?

JonathanLee · Dec 12, 2024, 8:11 PM

@WhoAmI68 I’m confused you can add users with different privilege rights again if you want to restrict by machine, you could do that with an IP address based system, but if you want access someone to still be able to look at logs, etc. you could create a different user environment that only has those options within that perspective. You can create users that don’t have admin rights to still access the firewall and restrict them to specific needs

Gertjan · Dec 13, 2024, 8:45 AM

@WhoAmI68 said in Restrict users of the GUI:

Yes, but users BB and admin can still log in to the GUI. I only want to allow user BB to log in.

pfSense is a firewall.
Not a game server, file server, mail server, or something like that.
The very few people that need to admin it (most actually never do) need just the admin password. And the for sure the login name 'admin'.
Don't deactivate the 'admin' user, you'll break your system.

You want a multi users system, get a rasberry PI, throw in a FreeBSD native ISO, and now you can do multi whatever.

Btw : pfSense is a firewall.
So, why not make use of the fact that it is a firewall ?
Like : on all interfaces, block the https and http access on port 80 and 443 to pfSense.
On just one interface, for one designated IP, allow it. Put this rule above the previous one.
Bow, to be able to login as admin, you need to have the right LAN IP, and the password of course.

WhoAmI68 · Dec 14, 2024, 5:53 AM

@SteveITS said in Restrict users of the GUI:

Are you trying to block access to pfSense? That can be done by firewall rule though there is some juggling to assign the person an IP by using FreeRADIUS to authenticate for the VPN.

I'm a bit confused because if you don't want them to log in to pfSense, don't create a user in pfSense for them...?

Yes, but not for every users.
E.g. I have Admin users and BB user. I want to allow login to GUI from LAN only Admin user and also I want to allow login to GUI from WIFI only BB user.
Ofcourse, User BB have a low level of privileges.

I have forgotten about the FreeRADIUS, Maybe it will help me. I need to check it because I didn't install it before.

@JonathanLee said in Restrict users of the GUI:

I’m confused you can add users with different privilege rights again if you want to restrict by machine, you could do that with an IP address based system, but if you want access someone to still be able to look at logs, etc. you could create a different user environment that only has those options within that perspective. You can create users that don’t have admin rights to still access the firewall and restrict them to specific needs

E.g. I have Admin users and BB user. I want to allow login to GUI from LAN only Admin user and also I want to allow login to GUI from WIFI only BB user.

@Gertjan said in Restrict users of the GUI:

pfSense is a firewall.

Right, it is a firewall, It is for security.

SteveITS · Dec 14, 2024, 1:45 PM

@WhoAmI68 AFAIK pfSense has no concept of “from” like MySQL does (user@ip).