Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    VPN with user rights

    Scheduled Pinned Locked Moved General pfSense Questions
    2 Posts 2 Posters 957 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      Kilimanscharo
      last edited by

      Hey guys,
      I just have a hopefully small question about the functionality of pfsense.

      I have a customer who already uses a pfsense as a firewall behind a Fritzbox.
      The network is actually built like this:

      Internet–>Fritzbox-->DMZ-->PFSense-->internal network

      The customer wants to provide data to his customers by installing a fileserver in the DMZ. Their customers should connect by VPN and have access to this server and not the internal network.
      The other thing is that employees should have access via VPN to another internal file server.

      Is it possible to restrict rights of different VPN users? To treat customers differently to employees with pfSense?
      The security rights after connecting by VPN in terms of folder restrictions and stuff should be taken by the internal domain controller or maybe with a separated domain in the DMZ. There shouldn´t appear any problems.

      I´m looking forward to get some responses to this request.

      Thanks for your help and kind regards from germany!

      1 Reply Last reply Reply Quote 0
      • P
        phil.davis
        last edited by

        You would forward 1 or more ports in to the pfSense WAN and make OpenVPN server/s listening on pfSense WAN.
        You could have 2 servers - 1 that provides routes to both DMZ and LAN subnets. And give the different groups of people clients keys for the relevant OpenVPN server. That would eliminate those customers from seeing a route to the LAN at all. They should be able to use their domain username/password for connecting to the OpenVPN server.
        Then put firewall rules on OpenVPN (you will probably need to assign an interface to each OpenVPN so you get a separate Firewall Rules tab for each OpenVPN server) to restrict which IP addresses are allowed to be reached.
        When people connect to a file share on the server/s they will need to use ordinary Windows authentication - their domain username/password.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.