Pfsense with freeradius2 in same machine or another?

  • Hello,
    Is it better to have pfsense and freeradius2 module installed or install pfsense in a different machine from pfsense box?

  • It depends what kind of scale you have and what you want to achieve with radius

  • And where your users are stored: LDAP? SQL? on freeradius users file?
    And if you need it for accounting or not.

    This is from web page - Testimonials

    Jeff Carneal - Apex Internet
    Using late-2000 freeradius snapshot to authenticate ~25k ppp users. All users stored in a single file and authenticated via rlm_fastusers. Mysql accounting through direct mysql API in rlm_sql. Currently not doing simultaneous use checks, though it should be easy to implement. 

    So authenticating 25.000 users is no problem for freeradius and the builtin users manager.
    Accounting will increase performance needs so this user is using mysql. Further mysql allows you to do more complex kinds of accounting checks.

    So I would say that there will be no problem to use pfsense + freeradius2 package for accounting and authenticating on the same machine with less than 1.000 users - on actual server based hardware.

    An Alix Board will probably not be able to handly so much users - but I do not have any exact numbers.

  • well i plan to start a vpn business.At first i would like to use one server with very good hardware and connection.By installing freeradius in pfsense box i see options for limiting bandwidth and speed of user.By default does it use mysql database or do i have to create one myself? A problem that exists is that when installing freeradius,adding as client the pfsense and installing openvpn client export utility,the client certificate does not exist.neither the user.The user is added through freeradius in tab Users.

  • Hi,

    1.) You can connect openvpn to a RADIUS server, that is right.
    2.) freeradius understand attributes to limit and cound bandwidth and traffic but this will not help you until OpenVPN isn't sending these attributes to freeradius. So limiting bandwidth and traffic with freeradius2 is not possible because OpenVPN isn't able to do so.
    3.) Did you setup pfsense as client in SYSTEM -> User Manager -> Server ? And did you select this server as backend in OpenVPN server ?

  • I used it as backend authentication and chose the pfsense nas.If i cannot limit openvpn bandwidth and traffic per user with freeradius,what can i do to achieve it?

    I have setup a freeradius2+mysql in vm and pfsense with openvpn in another vm.As billing and accounting system i use daloradius.

    What i am trying to do is : setup a vpn server with freeradius.I want to have the ability to limit bandwidth and traffic per user.Let's say that i want to provide 2 with 50gb traffic and 5mbit bandwidth and a second one with 100gb traffic and 5mbit bandwidth.I need the users to access a website(or daloradius is enough?) to choose and pay for a package and when the payment is complete the account with expiration,traffic,bandwidth limit can be created automatically and give the details to customer through a client area with the configuration files for openvpn client(ca,client cert and key).

    I just need some guidance

    for monitoring the systems i will use opennms.

  • To limit bandwidth you can try the traffic shaper. You can give every user on OpenVPN always the same IP or you use two different OpenVPN servers and limit the bandwidth for the user.

    Why dou you want to provide VPN access ?
    If your users are on the LAN site of your pfsense it could make sense to use captive portal. This is working with freeradius2 features.

  • The users will not interact each other.The vpn access is to provide security and anonymity.In some countries some services and sites are forbidden so with the vpn users will be able to use them.Daloradius has traffic limits so i may use them.the problem is that i need to limit bandwith to the point that the package a client chose is suitable for him.

    how can i give a client the same ip?(based on username)

  • @nicolassp:

    how can i give a client the same ip?(based on username)

    As far as I know just possible with certificates - and the static IP is based on the CN (COmmon Name) of the certificate.

  • does mikrotik dictionary for radius work with pfsense?

  • @nicolassp:

    does mikrotik dictionary for radius work with pfsense?

    Every vendor has its own attributes. These attributes are explained in dictionaries. freeradius as radius server needs to know the attributes if freeradius should work with them.
    So you are able to add new attributes to the freeradius dictionary list if you need them. The dictionary for mikrotik that comes with freeradius can be found here:


    pfsense as NAS does not use the mikrotik dictionary. pfsense uses attributes which are used from different dictionaries/vendors. This is an example:


    But probably most of them are written down in the rfcs like:


    So my question to you is:
    What do you want to realize? Do you want to use freeradius2 package which runs on pfsense to use with mikrotik equipment?
    Or do you want to use the mikrotik attributes with pfsense CaptivePortal - which will not work ?

  • i want to be able to use freeradius2 as radius server and limit bandwidth and traffic using nas and freeradius2 attributes.I will probably use whmcs with whmcs vpn module also.They have told me that as a nas i should use mikrotik and i will be able to do what i want using mikrotik dictionary and freeradius2.Mikrotik is not free though.It costs 250usd for 50 clients and up.So i was wondering if pfsense could work with this dictionary

  • freeradius2 itself can work with mikrotik dictionary and attributes.
    freeradius2 GUI is made for "Acct-Input-Octets" and "Acct-Output-Octets" for counting traffic. Mikrotik uses other attributes but you can add them in freeradius2 GUI custom attributes.

    So if WHMCS is you NAS and this NAS is sending and understanding the mikrotik attributes this should work.

  • whcms in my billing-accounting system which sends attributes to my nas.whcms is using mikrotik dictionary.I wanted to use pfsense as nas but as you said it does not support mikrotik i have to use mikrotik which costs 250usd apparently..

Log in to reply