Choose WAN output based on AD Organizational Units (OU) or Security Group

  • Hi, nice portal, nice device  :)
    I hope someone could help me on this.  :P

    We have several ISPs, each one billed to a different office in our building, and we plan to use pfSense as a content filter based on rules and deny web usage to non-domain-member PCs or devices.

    All authorized computers have joined the building's domain and we want to redirect web traffic based on Active Directory's Organizational Units (or Security Groups).

    So if a user belongs to the OU called 'DSL1OU' it will use ONLY DSL1 for web surfing; if a user belongs to the OU called 'DSL2OU' it will use ONLY DSL2 for web surfing, and so on.

    We have correctly configured the VLANs and Squid proxy authentication using NTLM, but we don't know how to define rules based on what is described above  :o any ideas?

    See diagram below:

    |DSL1|-------|Layer2|                         |     |---PC with user DSL1OU member (access granted using DSL1)
    |DSL2|-------|SW    |---|PFSENSE|----|LAN|---PC with user DSL2OU member (access granted using DSL2)
    |DSL3|-------|      |                         |     |---non-domain PC (access denied)
    |DSLX|-------|      |                         |     |---Tablet connected using a portable wireless router on the ethernet cable (access denied)

    Thanks in advance  ;D

  • Policy-based routing using AD OUs.  Very interesting, but there is no integration like that.  The only thing I can think of that did this was Junos Pulse, but maybe not to the extent that you want to.

  • You would be better off trying to do this with 802.1x authentication on your switches.
    So basically a client needs AD authentication before it is assigned to the correct VLAN. (Unauthenticated clients are placed in a VLAN that only has access to your domain controllers, for authentication.)

    So, you set up your switches with a couple of 802.1x dynamic VLANs.
    You set up your pfSense and configure the VLANs, each with their own policy routing.


  • May I add that you can use the tcp_outgoing_address Squid option to do what you want; refer to for more info.
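A Squid configuration sketch, added here as an example and not written by any of the posters, showing how the tcp_outgoing_address approach from the last reply combines with the NTLM setup the original poster already has. The ext_wbinfo_group_acl helper tests AD security-group membership (not OU membership), so each OU would need a matching group; the helper path, the group names and the 203.0.113.x addresses are assumptions, and the firewall is assumed to route traffic sourced from each address out the matching DSL line.

```conf
# NTLM authentication against the domain (Samba winbind), as in the original post.
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
acl AuthUsers proxy_auth REQUIRED

# External ACL: ask winbind whether the authenticated user (%LOGIN) is in a given group.
# Assumed helper path; results are cached (ttl) so later fast-path checks can reuse them.
external_acl_type ad_group ttl=3600 negative_ttl=60 %LOGIN /usr/local/libexec/squid/ext_wbinfo_group_acl
acl dsl1_users external ad_group DSL1OU
acl dsl2_users external ad_group DSL2OU

# Access policy: devices that cannot authenticate (non-domain PCs, tablets) are denied,
# and authenticated users must belong to one of the known groups.
http_access deny !AuthUsers
http_access allow dsl1_users
http_access allow dsl2_users
http_access deny all

# Select the upstream source address per group. tcp_outgoing_address is evaluated in
# Squid's fast ACL path, so it only matches external ACLs whose result is already cached;
# the http_access checks above guarantee that. Addresses are assumed (RFC 5737 range).
tcp_outgoing_address 203.0.113.10 dsl1_users
tcp_outgoing_address 203.0.113.20 dsl2_users

# Per-client source selection is incompatible with server-side persistent connection
# reuse (a pooled connection could carry another group's traffic), so turn it off.
server_persistent_connections off
```

A request from a non-group member or an unauthenticated device never reaches the tcp_outgoing_address rules, because it is already denied by http_access.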
