
I recently purchased the SG-4860 pfSense Security Gateway Appliance and I'm trying to migrate all of our settings off of our SonicWall. Everything for the most part has been great in my lab environment but I'm stuck on migrating my NetExtender settings from SonicWall.

Basically on the SonicWall I was able to define users and also groups. Then I could assign groups a list of routes that would load when they connect. So for the sake of simplicity I have an example here with 3 Groups with permissions to the following subnets:

  1. System Engineers (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24)
  2. Developers (192.168.2.0/24, 192.168.3.0/24)
  3. End Users (192.168.3.0/24)

In the pfSense appliance I created an OpenVPN endpoint and 1 engineer user. In tunnel settings I listed the 3 local networks and when I connect with Viscosity I'm able to reach all the desired subnets. My question is, how can I make the assignment of the networks dynamic per user/group so that my developers and end users only see the networks they are allowed to see?

chris
  • 103
  • 5

1 Answer


On pfSense you can easily create multiple OpenVPN instances. Having a limited set of route combinations, that's the easiest way to go.

You can also make use of client specific overrides.

From a security perspective it's better to use instances - you can map each instance as a separate interface and define firewall rules there. An interface/bridge on pfSense can be roughly compared to a zone on SonicWall or other zone-based firewalls.

Daniel Nachtrub
  • 1,022
  • 7
  • 12
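The "client specific overrides" the answer mentions are, underneath the pfSense GUI, plain OpenVPN `client-config-dir` (CCD) files: one file per client certificate Common Name, containing `push "route NET MASK"` lines that are sent only to that client. The script below is an added example (not code from the question, the answer, or the pfSense project) that generates those files from the three groups in the question. The usernames `alice`, `bob` and `carol` are constructed placeholders; the subnets are the ones listed in the question. Pushed routes only tell the client what to send into the tunnel; restricting what each group can actually reach still needs firewall rules on the OpenVPN interface, which is the point the answer makes about separate instances.

```python
"""Generate per-user OpenVPN client-config-dir (CCD) overrides from a
group -> subnet mapping. Added example, not from the original post.

OpenVPN reads <client-config-dir>/<certificate Common Name> when a client
connects; `push "route ..."` lines there go only to that client. pfSense
exposes the same mechanism as VPN > OpenVPN > Client Specific Overrides.
"""
import ipaddress
import os
from typing import Dict, List

# Group -> allowed subnets, taken from the question.
GROUP_SUBNETS: Dict[str, List[str]] = {
    "System Engineers": ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"],
    "Developers": ["192.168.2.0/24", "192.168.3.0/24"],
    "End Users": ["192.168.3.0/24"],
}

# Constructed user -> group assignment. Keys must equal the Common Name on
# each client's certificate, because that is how OpenVPN picks the CCD file.
USER_GROUPS: Dict[str, str] = {
    "alice": "System Engineers",
    "bob": "Developers",
    "carol": "End Users",
}


def push_route_lines(subnets: List[str]) -> List[str]:
    """Turn CIDR strings into OpenVPN push directives.

    strict=True makes a typo such as 192.168.1.5/24 (host bits set) raise
    ValueError instead of silently pushing the wrong network.
    """
    lines = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        lines.append(f'push "route {net.network_address} {net.netmask}"')
    return lines


def build_ccd(user_groups: Dict[str, str],
              group_subnets: Dict[str, List[str]],
              reset_server_pushes: bool = True) -> Dict[str, str]:
    """Return {common_name: ccd_file_text} for every user.

    reset_server_pushes emits `push-reset`, which drops everything the
    server config pushes globally (the "Local Networks" from the tunnel
    settings, but also DNS or other pushed options) so that the client
    only receives the routes listed here.
    """
    ccd = {}
    for cn, group in user_groups.items():
        if group not in group_subnets:
            raise KeyError(f"user {cn!r} is assigned to unknown group {group!r}")
        body = [f"# override for {cn} (group: {group})"]
        if reset_server_pushes:
            body.append("push-reset")
        body.extend(push_route_lines(group_subnets[group]))
        ccd[cn] = "\n".join(body) + "\n"
    return ccd


def write_ccd_dir(ccd: Dict[str, str], directory: str) -> List[str]:
    """Write one file per Common Name; returns the names written."""
    os.makedirs(directory, exist_ok=True)
    for cn, text in ccd.items():
        # A CN is attacker-chosen only if you sign arbitrary CSRs, but refuse
        # anything that could escape the directory regardless.
        if os.sep in cn or "/" in cn or cn in (".", ".."):
            raise ValueError(f"refusing to write unsafe common name {cn!r}")
        with open(os.path.join(directory, cn), "w", encoding="ascii") as fh:
            fh.write(text)
    return sorted(ccd)


if __name__ == "__main__":
    # Print what would land in each CCD file; pass a directory to
    # write_ccd_dir() to actually create them on a test box.
    for cn, text in build_ccd(USER_GROUPS, GROUP_SUBNETS).items():
        print(f"--- ccd/{cn}")
        print(text, end="")
```

With the generated files in place and `client-config-dir ccd` in the server config, a developer connecting as `bob` receives routes for 192.168.2.0/24 and 192.168.3.0/24 only, while the server's global "Local Networks" list can be left empty or trimmed. Whether to use `push-reset` depends on what else the server pushes: it removes DNS and similar options too, so either re-add them per client or leave the flag off and keep the global push list minimal.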