Feature #13786
open
LDAP integration for firewall rules
Added by Mike Moore over 2 years ago.
Updated almost 2 years ago.
Description
Seeing as there are LDAP connectors in the software already for authentication, would it be possible to leverage that for firewall rules?
Creating a permit/deny rule based on source 'LDAP\User1'. This feature alone would be "nextgen" for pf.
On other vendors, this does require an agent being installed on an AD server to get that updated directory list to map IP addr to username. But I think that would only be helpful for reporting/analytics. If we need to just validate the username and that's it, then I think this is possible. Other packages such as Squid can be leveraged if reporting is needed to see what sites were visited and when.
This isn’t for OpenVPN. This is for firewall rules controlling movement day from LAN to DMZ.
Source is an AD user not an IP address
Mike Moore wrote in #note-2:
This isn’t for OpenVPN. This is for firewall rules controlling movement day from LAN to DMZ.
Source is an AD user not an IP address
There has to be an association between the AD user and an IP address. Running a service on each domain controller that listens for logon events and transmits this information back to some central repository for curation is a pretty typical solution to this problem. Another is running agent software on each domain-joined machine that basically performs the same task.
pfSense would otherwise have no insight into the relationship between AD users and their IP.
So there is no way in the future to create a LAN rule stating
Src: AD/mmoore
Dst: 1.1.1.1
Prot: ICMP
So in the src field I am specifying an account in AD not an IP address.
Mike Moore wrote in #note-4:
So there is no way in the future to create a LAN rule stating
Src: AD/mmoore
Dst: 1.1.1.1
Prot: ICMP
So in the src field I am specifying an account in AD not an IP address.
Mike,
Correct. There is no functionality at this time to tie an AD user to a firewall rule. This would require a significant amount of development work to implement, if it ever is, but thank you for your feature request. We will keep this on the backburner for a future project if it presents itself.
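The gap described in this thread, a firewall that only sees IP addresses needing some IP-to-AD-user association before a rule like "Src: AD/mmoore" can be matched, can be illustrated with a small model. The following is an added example and not pfSense code or a proposed implementation: it assumes a hypothetical collector on each domain controller forwarding logon (4624) and logoff (4634) events in a made-up pipe-separated format, keeps an IP-to-user table with a TTL on the firewall side, and resolves a rule's user source against that table at match time. Event lines, account names, addresses and the `Rule`/`IdentityMap` names are all constructed for the example.

```python
"""Identity-aware rule matching built on a logon-event feed (added example).

Assumptions (not from the tracker thread): a hypothetical collector on each
domain controller emits one line per logon/logoff event as
    <epoch seconds>|<event id>|<sAMAccountName>|<client IP>
and the firewall keeps an IP -> user table from those lines.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample events (not real Windows log output).
SAMPLE_EVENTS = """\
1000|4624|mmoore|10.0.1.25
1010|4624|jdoe|10.0.1.26
1200|4634|jdoe|10.0.1.26
1300|4624|svc_backup|10.0.1.25
"""

LOGON, LOGOFF = "4624", "4634"


@dataclass
class Binding:
    user: str
    since: int


class IdentityMap:
    """IP -> user table fed by logon/logoff events, with expiry."""

    def __init__(self, ttl_seconds: int = 8 * 3600):
        self.ttl = ttl_seconds
        self.bindings: dict[str, Binding] = {}

    def ingest(self, line: str) -> None:
        ts, event_id, user, ip = line.strip().split("|")
        ip = str(ip_address(ip))  # normalise the address text
        if event_id == LOGON:
            # A newer logon from the same IP replaces the old binding
            # (DHCP reuse, shared workstation, service-account logon).
            self.bindings[ip] = Binding(user.lower(), int(ts))
        elif event_id == LOGOFF and ip in self.bindings:
            if self.bindings[ip].user == user.lower():
                del self.bindings[ip]

    def resolve(self, ip: str, now: int) -> Optional[str]:
        """User currently bound to ip, or None if unknown or stale."""
        b = self.bindings.get(str(ip_address(ip)))
        if b is None or now - b.since > self.ttl:
            return None
        return b.user


@dataclass
class Rule:
    action: str    # "pass" or "block"
    src_user: str  # AD account, e.g. "mmoore", instead of a source IP
    dst: str       # destination network in CIDR form
    proto: str     # "icmp", "tcp" or "udp"


def evaluate(rules, idmap, src_ip, dst_ip, proto, now):
    """Return the action of the first matching rule, else "block".

    The source is matched by the user currently bound to src_ip; a packet
    from an address with no fresh binding never matches a user-based rule,
    which is exactly why the mapping feed is a prerequisite.
    """
    user = idmap.resolve(src_ip, now)
    for r in rules:
        if user is None or r.src_user.lower() != user:
            continue
        if ip_address(dst_ip) not in ip_network(r.dst) or r.proto != proto.lower():
            continue
        return r.action
    return "block"


def build_map(events: str = SAMPLE_EVENTS, ttl: int = 8 * 3600) -> IdentityMap:
    m = IdentityMap(ttl)
    for line in events.splitlines():
        if line.strip():
            m.ingest(line)
    return m


# The rule from the thread, with the user in the source field.
RULES = [Rule("pass", "mmoore", "1.1.1.1/32", "icmp")]

if __name__ == "__main__":
    m = build_map()
    # 10.0.1.25 was re-bound to svc_backup at t=1300, so mmoore's rule no
    # longer matches traffic from that address.
    print(evaluate(RULES, m, "10.0.1.25", "1.1.1.1", "icmp", now=1400))
```

The model makes the two failure modes a defender has to plan for visible: an address with no binding (or an expired one) falls through to the default block rather than inheriting a stale identity, and a later logon from the same address (shared machine, DHCP lease reuse, a service account) silently changes which rule applies, so the TTL and the logoff handling deserve as much attention as the logon path.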
Appreciate the feedback Kris!