VPN with user rights
I just have a hopefully small question about the functionality of pfsense.
I have a customer who already uses a pfsense as a firewall behind a Fritzbox.
The network is actually built like this:
The customer wants to provide data to his customers by installing a fileserver in the DMZ. Their customers should connect by VPN and have access to this server and not the internal network.
The other thing is that employees should have access via VPN to another internal file server.
Is it possible to restrict rights of different VPN users? To treat customers differently to employees with pfSense?
The security rights after connecting by VPN in terms of folder restrictions and stuff should be taken by the internal domain controller or maybe with a separated domain in the DMZ. There shouldn´t appear any problems.
I´m looking forward to get some responses to this request.
Thanks for your help and kind regards from germany!
You would forward 1 or more ports in to the pfSense WAN and make OpenVPN server/s listening on pfSense WAN.
You could have 2 servers - 1 that provides routes to both DMZ and LAN subnets. And give the different groups of people clients keys for the relevant OpenVPN server. That would eliminate those customers from seeing a route to the LAN at all. They should be able to use their domain username/password for connecting to the OpenVPN server.
Then put firewall rules on OpenVPN (you will probably need to assign an interface to each OpenVPN so you get a separate Firewall Rules tab for each OpenVPN server) to restrict which IP addresses are allowed to be reached.
When people connect to a file share on the server/s they will need to use ordinary Windows authentication - their domain username/password.