How to prevent a mobile user from jumping into another mobile user's HEAD-net?
-
Hi all,
I have a HEAD-pfsense machine with WAN and multiple NICs/subnets (A, B), one for each mobile user (a, b).
How can I prevent mobile user "a" from reconfiguring his IPsec client (the remote subnet option on his side) and getting into subnet B of user b?
I cannot lock down his pfsense a box - he needs access. I only control pfsense HEAD.
(no, I don't like to use one box for each user on my side, since in reality I have user a, b, c, d, … and that does not scale well. ;-) )
(no, I don't think that firewall rules on IPSEC interface are an option, because user a could change his local subnet as well and then he would be in.)
I hear that Cisco can do it?

mobile client a-pfsense a--\ /---Subnet A only for user a
Internet---pfsenseHEAD
mobile client b-pfsense b--/ ---Subnet B only for user b

Is this here related: ?
http://forum.pfsense.org/index.php/topic,3633.0.html

Thanks for your help!
-
edited: too sleepy to read right ^^"
-
Hello, thank you very much for your advice.
Unfortunately I cannot rely on "I assume they are not going to change IPs". In my first post, I said that firewall rules on the IPsec interface are not an option. I don't know all of these guys well and some are quite savvy. This is about the highest possible security without having to spend dedicated hardware on each one.
I guess OpenVPN would be the better choice, but some of the users are connecting their IPSec capable DSL routers and of course those don't do OpenVPN. :-(
Maybe there is a more advanced option? Do you know of any options I could feed directly into the config (non-GUI)?

Thanks!
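As an added illustration of the problem raised in the first and third posts (this is editorial example code, not from the thread, from pfSense or from racoon/strongSwan), the following Python models what the head end has to enforce for the "user a edits his remote subnet" and "user a also changes his local subnet" cases: each authenticated IKE identity (the one that proved its own PSK or certificate) is bound to exactly one pair of traffic selectors, and both the phase-2 proposal and every decrypted packet are judged against the binding of the identity they belong to, never against addresses the client chose. Peer names, subnets and addresses below are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy (hypothetical identities and subnets): each IKE
# identity that authenticated with its own PSK/certificate is bound to one
# (client-side subnet, head-end subnet) pair and nothing wider.
POLICY = {
    "user-a": (ip_network("192.168.10.0/24"), ip_network("10.0.1.0/24")),  # Subnet A
    "user-b": (ip_network("192.168.20.0/24"), ip_network("10.0.2.0/24")),  # Subnet B
}


def accept_phase2(peer_id, proposed_client_net, proposed_head_net):
    """Accept a phase-2 (child SA) proposal only if both selectors equal the
    pair bound to the authenticated identity.  Editing the 'remote subnet'
    on the client side then fails the negotiation instead of widening access."""
    bound = POLICY.get(peer_id)
    if bound is None:
        return False
    client_net, head_net = bound
    return (ip_network(proposed_client_net) == client_net
            and ip_network(proposed_head_net) == head_net)


def accept_inbound(peer_id, src, dst):
    """Check a packet after decryption on the SA that belongs to peer_id:
    the source must lie in that peer's client subnet and the destination in
    its head-end subnet.  The packet is judged by the SA it arrived on, so
    renumbering the client LAN to look like another user's does not help."""
    bound = POLICY.get(peer_id)
    if bound is None:
        return False
    client_net, head_net = bound
    return ip_address(src) in client_net and ip_address(dst) in head_net


def policy_problems(policy=POLICY):
    """Return the misconfigurations that would let one peer reach another's
    subnet: a catch-all selector on either side, or head-end subnets that
    overlap between two identities.  Values may be networks or strings."""
    items = [(peer, (ip_network(c), ip_network(h)))
             for peer, (c, h) in policy.items()]
    problems = []
    for peer, (client_net, head_net) in items:
        if client_net.prefixlen == 0 or head_net.prefixlen == 0:
            problems.append(f"{peer}: catch-all selector")
    for i, (p1, (_, h1)) in enumerate(items):
        for p2, (_, h2) in items[i + 1:]:
            if h1.overlaps(h2):
                problems.append(f"{p1}/{p2}: head-end subnets overlap")
    return problems


if __name__ == "__main__":
    # user a honestly proposes his own pair
    print(accept_phase2("user-a", "192.168.10.0/24", "10.0.1.0/24"))  # True
    # user a edits 'remote subnet' on his side to Subnet B
    print(accept_phase2("user-a", "192.168.10.0/24", "10.0.2.0/24"))  # False
    # user a also renumbers his LAN to look like user b
    print(accept_phase2("user-a", "192.168.20.0/24", "10.0.2.0/24"))  # False
    print(accept_inbound("user-a", "192.168.20.7", "10.0.2.9"))       # False
    print(policy_problems())                                          # []
```

The point the model makes is that the address-based firewall rules the poster rules out are not the control; the control is that the head end ties selectors to the authenticated identity and refuses anything else, which holds only if every user has a distinct PSK or certificate and no peer is configured with a catch-all selector. The `policy_problems` check is the sort of review a practitioner would run over the head-end configuration before trusting it.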