What is the best way to limit the access of a network to 1 host behind the VPN?



  • Dear reader,

    I would like VPN users from a certain subnet to be allowed to connect only to one host on the firewall LAN.
    After extensive reading, fiddling and some time with my thinking cap on my bald head, I came to the following solution:

    • create a certificate for each subnet
    • create a specific tunnel for that subnet with a unique virtual address pool IP number
    • create an IPsec firewall rule with that unique IP number as the source and the host as the destination
    • supply all the users of that subnet with the certificate

    Is this the best/easiest way to do it?

    Thanks in advance for your time!


  • Netgate

    The IPsec tab on a pfSense firewall governs what connections can be established INTO that pfSense firewall from remote IPsec clients, be they mobile, site-to-site, etc.

    Local subnet:        192.168.1.0/24
    Remote IPsec subnet: 192.168.2.0/24

    Host you want the remotes to access: 192.168.1.100

    Local IPsec Firewall > Rules tab:

    Pass IPv4 any source 192.168.2.0/24 dest 192.168.1.100/32

    It could also be:

    Pass IPv4 any source any dest 192.168.1.100/32

    Which would apply to all IPsec remote locations.

    And that's it.  You are free to set up the IPsec tunnel normally (with the phase 2 for the complete /24 networks).

    All they will be able to make connections to is that one host.

    Other than that the default deny rule applies.



  • Thanks Derelict!

    Maybe I wasn't clear stating my question in the first place…

    The challenge is to give each user of the VPN his own host behind the firewall, without the possibility of getting access to the hosts of other users on the same subnet.
    It seems that the only way is to make sure that every user has his own virtual address.
    That means that I have to create a certificate and accompanying tunnel for each user.

    Or is there a better way to do it?


  • Netgate

    I don't think you need to go the certificate route, but it is certainly the most secure way to go.  You should be able to accomplish the same thing with username/password.  Any way you can assign the same IP address to the same client every time you can use the firewall rules on the IPsec tab to limit that IP address to a specific host.

    Sorry, I know how to do it with OpenVPN, but not IPsec off the top of my head.
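To make the two answers above concrete, here is an added example (not code from the thread or from pfSense itself) that models how rules on the IPsec tab are evaluated: first match wins, and anything unmatched falls through to the default deny. It runs the subnet-wide rule from the earlier answer and the per-client variant from this one, where each client keeps a fixed virtual address and gets exactly one pass rule to its own host. The LAN 192.168.1.0/24, the remote subnet 192.168.2.0/24 and the host 192.168.1.100 come from the thread; the virtual address pool 10.99.0.0/24, the user names and the hosts .101/.102 are assumptions made for the example. The last function shows why the approach hinges on the address being fixed per client: with a shared dynamic pool, the rule authorizes whoever happens to hold the address.

```python
"""Model of pfSense IPsec-tab firewall rules (added example, not pfSense code).

Semantics modelled: GUI rules are 'quick', so the first matching rule decides;
no match means the implicit default deny. Addresses 192.168.1.0/24,
192.168.2.0/24 and 192.168.1.100 are from the thread; the pool 10.99.0.0/24,
hosts .101/.102 and the user names are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_rule(line: str) -> Rule:
    """Parse 'pass <src> <dst>', each side a CIDR, a bare host or 'any'."""
    action, src, dst = line.split()
    if action not in ("pass", "block"):
        raise ValueError(f"unknown action {action!r}")

    def to_net(s: str) -> ipaddress.IPv4Network:
        return ANY if s == "any" else ipaddress.ip_network(s, strict=False)

    return Rule(action, to_net(src), to_net(dst))


def allowed(rules: List[Rule], src_ip: str, dst_ip: str) -> bool:
    """First matching rule decides; nothing matched -> default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action == "pass"
    return False


def reachable_hosts(rules: List[Rule], src_ip: str, lan_hosts: List[str]) -> List[str]:
    """Which LAN hosts a given VPN source address can open connections to."""
    return [h for h in lan_hosts if allowed(rules, src_ip, h)]


def per_user_rules(assignments: Dict[str, str]) -> List[Rule]:
    """One pass rule per (fixed virtual address -> that user's host).

    Everything not listed is covered by the default deny, so user A's
    address never matches a rule for user B's host.
    """
    return [parse_rule(f"pass {vip}/32 {host}/32") for vip, host in assignments.items()]


def who_can_reach(rules: List[Rule], session_addrs: Dict[str, str], host: str) -> List[str]:
    """Given the address each user holds *this session*, list who reaches `host`.

    The firewall only sees addresses, so if the pool hands them out
    dynamically, the rule follows the address, not the person.
    """
    return sorted(u for u, a in session_addrs.items() if allowed(rules, a, host))


# Constructed LAN for the example: the target host plus some bystanders.
LAN_HOSTS = ["192.168.1.50", "192.168.1.100", "192.168.1.101", "192.168.1.102"]

# Rules quoted in the earlier answer.
SUBNET_RULES = [parse_rule("pass 192.168.2.0/24 192.168.1.100/32")]
ANY_SRC_RULES = [parse_rule("pass any 192.168.1.100/32")]

# Assumed fixed virtual address per user, each mapped to its own host.
USER_HOSTS = {"10.99.0.11": "192.168.1.101", "10.99.0.12": "192.168.1.102"}
USER_RULES = per_user_rules(USER_HOSTS)

if __name__ == "__main__":
    print("subnet rule :", reachable_hosts(SUBNET_RULES, "192.168.2.15", LAN_HOSTS))
    for vip in USER_HOSTS:
        print("per-user    :", vip, "->", reachable_hosts(USER_RULES, vip, LAN_HOSTS))
    # Same rules, but the pool assigned the addresses the other way round today.
    print("swapped pool:", who_can_reach(USER_RULES, {"alice": "10.99.0.12", "bob": "10.99.0.11"}, "192.168.1.101"))
```

Running it shows a 192.168.2.x client reaching only 192.168.1.100 under the subnet rule, each per-user address reaching only its own host, and, once the pool swaps the addresses, bob landing on alice's host with no rule change at all. That last case is the reason the later posts keep coming back to whether a mobile IPsec client can be given a static virtual address.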



  • The route I suggested does not work. There seems to be no way to bind a virtual address to a certificate.
    So all VPN users get the same virtual address.
    And the virtual address seems to be the only possibility to tie a firewall rule to a specific user.

    Does anyone have a solution to my problem?

    I would like to limit each VPN user to his own host behind the firewall, without access to the other hosts in the same subnet.

    Thanks in advance


  • Netgate

    Are you married to IPsec, or is OpenVPN an option?



    Well Derelict… OpenVPN could be the solution, but I find installing the OpenVPN client on Windows 8 and higher a bit cumbersome.

    • forced to run in administrator mode because of the route add
    • three setup actions for simple users (install the client, install the certificates, place the username/password file)
    • username/password readable in a text file
    • autostart is complicated

    I do see the advantages of OpenVPN though, but at the end of the day I like the ease of use for the simple users.

    Thanks again !


  • Netgate

    Have you tried the client export package for pfSense?

    This is all I could find but it's for 2.0.1:

    https://forum.pfsense.org/index.php?topic=56513.0

    I don't see how it's possible to assign a static IP to an IPsec mobile user unless there's something buried in the RADIUS code that does it.