Feature #1205

VPN: User-based / Group-based firewall rules

Added by Mark Laagland over 6 years ago. Updated over 2 years ago.

Very Low
User manager



Firewall rules on a per-user or per-group basis would be very helpful.
This means we could limit access to certain servers on a per-user or per-group basis.

At the moment, this is already possible by setting a specific IP address per user. However, this feels like a dirty hack. Apart from that, it also means only one user can be connected using a specific account at any one time.

True user/group based firewall rules would bring pfSense one step closer to the big guys like Microsoft, which uses a very nice policy system for this.


#1 Updated by al all about 3 years ago

Some could say that it can be done using more than one OpenVPN server instance with different client IP settings and different firewall rules applying at each. But the idea of having firewall rules grouped and applied on a per-user-group basis seems to be very helpful (despite the fact that some of it can be approached using Aliases).
This feature also seems to have the same goal as #3156.

#2 Updated by Ermal Luçi about 3 years ago

The user-based rules are supported if they come from RADIUS.

Locally to pfSense they still need to be implemented.

#3 Updated by Steffen Wagner over 2 years ago

I even have that in my local ZyXEL router... it's a must-have to define firewall rules by LDAP / local groups and users.
