Tested on 2.5.0.a.20201016.1850
FreeRADIUS ACLs:
Cisco-AVPair = "ip:outacl#1=permit udp host 4.4.4.4 host 7.7.7.7 range 3110 5000",
Cisco-AVPair += "ip:outacl#2=permit tcp any host 7.7.7.7 gt 333",
Cisco-AVPair += "ip:inacl#3=permit udp host 3.3.3.3 host 7.7.7.7 lt 566",
Cisco-AVPair += "ip:inacl#4=permit udp host 3.3.3.3 host 7.7.7.7 neq 899",
Cisco-AVPair += "ip:inacl#5=permit tcp host 2.2.2.2 host 5.5.5.5 eq 999",
Cisco-AVPair += "ip:inacl#6=permit icmp host 2.2.2.2 host 5.5.5.5",
Cisco-AVPair += "ipv6:outacl#1=permit udp host 2001:DB8::4444 host 2001:DB8::7777 range 3110 5000",
Cisco-AVPair += "ipv6:outacl#2=permit tcp any host 2001:DB8::7777 gt 333",
Cisco-AVPair += "ipv6:inacl#3=permit udp host 2001:DB8::3333 host 2001:DB8::7777 lt 566",
Cisco-AVPair += "ipv6:inacl#4=permit udp host 2001:DB8::3333 host 2001:DB8::7777 neq 899",
Cisco-AVPair += "ipv6:inacl#5=permit tcp host 2001:DB8::2222 host 2001:DB8::5555 eq 999",
Cisco-AVPair += "ipv6:inacl#6=deny udp 2001:DB8:1234::/64 2001:DB8:6789::/48",
Cisco-AVPair += "ipv6:inacl#7=deny icmp 2001:DB8:1234::/64 2001:DB8:9999::/56"
Resulting OpenVPN rules (pfctl anchor listing):
# pfctl -a openvpn/ovpns1_radiususer1_22146 -sr
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port < 566 no state
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port != 899 no state
pass in quick on ovpns1 inet proto tcp from 2.2.2.2 to 5.5.5.5 port = garcon no state
pass in quick on ovpns1 inet proto icmp from 2.2.2.2 to 5.5.5.5 no state
pass in quick on ovpns1 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port < 566 no state
pass in quick on ovpns1 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port != 899 no state
pass in quick on ovpns1 inet6 proto tcp from 2001:db8::2222 to 2001:db8::5555 port = garcon no state
pass out quick on ovpns1 inet proto udp from 4.4.4.4 to 7.7.7.7 port 3109 >< 5001 no state
pass out quick on ovpns1 inet proto tcp from any to 7.7.7.7 port > 333 no state
block drop in quick on ovpns1 inet6 proto udp from 2001:db8:1234::/64 to 2001:db8:6789::/48
block drop in quick on ovpns1 inet6 proto ipv6-icmp from 2001:db8:1234::/64 to 2001:db8:9999::/56
pass out quick on ovpns1 inet6 proto udp from 2001:db8::4444 to 2001:db8::7777 port 3109 >< 5001 no state
pass out quick on ovpns1 inet6 proto tcp from any to 2001:db8::7777 port > 333 no state
Resulting IPsec Mobile (XAuth) rules (pfctl anchor listing):
# pfctl -a ipsec/radiususer1 -sr
pass in quick on enc0 inet proto udp from 3.3.3.3 to 7.7.7.7 port < 566 no state
pass in quick on enc0 inet proto udp from 3.3.3.3 to 7.7.7.7 port != 899 no state
pass in quick on enc0 inet proto tcp from 2.2.2.2 to 5.5.5.5 port = garcon no state
pass in quick on enc0 inet proto icmp from 2.2.2.2 to 5.5.5.5 no state
pass in quick on enc0 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port < 566 no state
pass in quick on enc0 inet6 proto udp from 2001:db8::3333 to 2001:db8::7777 port != 899 no state
pass in quick on enc0 inet6 proto tcp from 2001:db8::2222 to 2001:db8::5555 port = garcon no state
pass out quick on enc0 inet proto udp from 4.4.4.4 to 7.7.7.7 port 3109 >< 5001 no state
pass out quick on enc0 inet proto tcp from any to 7.7.7.7 port > 333 no state
block drop in quick on enc0 inet6 proto udp from 2001:db8:1234::/64 to 2001:db8:6789::/48
block drop in quick on enc0 inet6 proto ipv6-icmp from 2001:db8:1234::/64 to 2001:db8:9999::/56
pass out quick on enc0 inet6 proto udp from 2001:db8::4444 to 2001:db8::7777 port 3109 >< 5001 no state
pass out quick on enc0 inet6 proto tcp from any to 2001:db8::7777 port > 333 no state