
Author Topic: IPSec Mobile Client - Different Firewall Rules for Different Users  (Read 210 times)


PatrickF
We have now set up our first pfSense box and are running an IKEv2 / EAP-TLS VPN setup for our road warriors.
Since we have multiple people accessing the network from outside, we would like to give the mobile clients distinct grants/firewall rules:

Admins access to Everything
Developers access to Net and
Support access to Host

So what I thought about:

1) We only have one firewall connected to the WAN.
2) As far as I see, we can only configure one "Mobile Client" VPN tunnel (P1).
3) We can add more Phase 2 entries to this tunnel, but in the Phase 2 settings, while able to define the "Local Network", I did not find any option to force a specific user to a different phase.
4) In the firewall rules, I cannot find any option to set firewall rules based on the VPN user.

Did I miss something?
Or is this use case so special that it's not possible to run this on pfSense? I guess the use case is not so special, so how do other people handle this kind of stuff? :)

Hope to finally find some help and fix my remaining VPN issues :-)

NogBadTheBad
Re: IPSec Mobile Client - Different Firewall Rules for Different Users
« Reply #1 on: November 28, 2017, 06:18:26 am »
You'll need to use FreeRADIUS for user auth and hand out specific IP addresses to each user.

I hand out for my own use, allowing me to access the internet + all my local LANs, and to friends so they can use UK based TV services when abroad, etc ...

A typical user looks like this :-

"andy" Cleartext-Password := "XXXXXXXXX", Simultaneous-Use := "1"

   Framed-IP-Address =,
   Framed-IP-Netmask =,
   Framed-Route = " 1"
« Last Edit: November 28, 2017, 06:30:26 am by NogBadTheBad »
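The scheme in the reply above only works if every VPN user gets a fixed, unique address inside the mobile-client pool, because the pfSense rules key on that address rather than on the user name. The following added example (my own, not code from the thread or from pfSense/FreeRADIUS) parses entries in FreeRADIUS `users` file syntax, flags users with no Framed-IP-Address, addresses outside the pool, or two users sharing one address, and groups the addresses by role so they can be pasted into host aliases for per-role firewall rules. The user names, addresses, pool and role mapping are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample entries in FreeRADIUS "users" file syntax (not the
# reply's real file; its addresses were elided). Passwords are placeholders.
# "carol" deliberately repeats bob's address and "dave" has no fixed address.
USERS_FILE = """\
"alice" Cleartext-Password := "PLACEHOLDER", Simultaneous-Use := "1"
    Framed-IP-Address = 10.10.200.11,
    Framed-IP-Netmask = 255.255.255.255
"bob" Cleartext-Password := "PLACEHOLDER", Simultaneous-Use := "1"
    Framed-IP-Address = 10.10.200.12,
    Framed-IP-Netmask = 255.255.255.255
"carol" Cleartext-Password := "PLACEHOLDER", Simultaneous-Use := "1"
    Framed-IP-Address = 10.10.200.12,
    Framed-IP-Netmask = 255.255.255.255
"dave" Cleartext-Password := "PLACEHOLDER", Simultaneous-Use := "1"
"""

# Assumed mobile-client pool and user-to-role assignment (hypothetical values).
VPN_POOL = ipaddress.ip_network("10.10.200.0/24")
ROLES = {"alice": "vpn_admins", "bob": "vpn_developers",
         "carol": "vpn_support", "dave": "vpn_support"}

ENTRY_RE = re.compile(r'^"([^"]+)"\s')  # an entry starts with the quoted user name
FRAMED_RE = re.compile(r"Framed-IP-Address\s*=\s*([0-9.]+)")

def parse_users(text):
    """Map each user name to its Framed-IP-Address (None when the entry has none)."""
    users, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            users[current] = None
        elif current and (m := FRAMED_RE.search(line)):
            users[current] = m.group(1)
    return users

def check_static_ips(users, pool=VPN_POOL):
    """List the conditions that would silently break address-based per-user rules."""
    problems, seen = [], {}
    for user, ip in users.items():
        if ip is None:
            problems.append(f"{user}: no Framed-IP-Address, would get any pool address")
            continue
        if ipaddress.ip_address(ip) not in pool:
            problems.append(f"{user}: {ip} is outside {pool}")
        if ip in seen:
            problems.append(f"{user}: {ip} already assigned to {seen[ip]}")
        seen.setdefault(ip, user)
    return problems

def role_aliases(users, roles=ROLES):
    """Group fixed addresses by role, ready to paste into pfSense host aliases."""
    aliases = {}
    for user, ip in users.items():
        if ip is not None:
            aliases.setdefault(roles[user], []).append(ip)
    return aliases
```

Run `check_static_ips(parse_users(USERS_FILE))` before trusting the rule set; any reported problem means a user would not be matched by the alias intended for their role.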