[GUIDE] IKEv2/IPSec, Per user firewall rule settings with FreeRADIUS

1. Follow the pfSense guide “IKEv2 with EAP-MSCHAPv2” (https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2) to get a working IKEv2/IPsec VPN server first.
2. Install the FreeRADIUS2 package on pfSense.
3. Once that is tested and working, a few changes are needed so that the IKEv2/IPsec VPN authenticates clients against RADIUS instead of the local user database (Google a pfSense FreeRADIUS configuration guide).


Assume IKEv2/IPsec is working with FreeRADIUS.

Configure per user rules.
Create user1 and user2: user1 will have access to the internal LAN and the internet, user2 will only have internet access and no internal LAN access.
In a real world case, user1 can be the pfSense owner/administrator and user2 can be friends you want to give VPN access to.

1. Create user1 and user2 in Services -> FreeRADIUS -> Users.
user1
Username: user1, Password: password, IP Address: 10.1.2.1, Subnet Mask: 255.255.255.0, Gateway: 0.0.0.0/0 192.168.0.1 1
(The Gateway field has the form “0.0.0.0/0 <gateway address> 1”, where the gateway address is the address of the pfSense box itself, not the external gateway.)
Save

user2
Username: user2, Password: password, IP Address: 10.1.3.1, Subnet Mask: 255.255.255.0, Gateway: 0.0.0.0/0 192.168.0.1 1
(Same Gateway format as above: the address of the pfSense box, not the external gateway.)
Save

Now, when user1 logs in, the virtual IP address 10.1.2.1 will be assigned. When user2 logs in, the virtual IP address 10.1.3.1 will be assigned.

2. Give internet access to the two users: System -> Routing -> Static Routes.
Add two new static routes, one for the VPN client range of user1 and one for user2, so that both clients get internet access through the pfSense box.

Static Route1
Destination network: 10.1.2.0/24
Gateway: WAN_PPPOE – xxx.xxx.xxx.xxx (your pfSense WAN gateway, the one used for internet access)
Save

Static Route2
Destination network: 10.1.3.0/24
Gateway: WAN_PPPOE – xxx.xxx.xxx.xxx (your pfSense WAN gateway, the one used for internet access)
Save

3. Create firewall rules: Firewall -> IPsec.
Create a DNS rule: Action: Pass, Interface: IPsec, Address Family: IPv4, Protocol: TCP/UDP, Source: Any, Destination: This firewall (self), Destination Port Range: from 53 to 53.
Save

Create a block rule so that user2 can’t reach our LAN: Action: Reject, Interface: IPsec, Address Family: IPv4, Protocol: Any, Source: Network 10.1.3.0/24, Destination: LAN net. Keep this rule above the pass-any rule that follows: pfSense applies the first rule that matches, so a pass-any rule placed above it would let 10.1.3.0/24 into the LAN.
Save

Create a rule allowing all other traffic (internet etc.): Action: Pass, Interface: IPsec, Address Family: IPv4, Protocol: Any, Source: Any, Destination: Any.
Save
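To see why the order of those three rules matters, here is an added Python check (not from this guide or from pfSense) that simulates pfSense's first-match evaluation over the three IPsec rules above; the LAN net 192.168.0.0/24 and the firewall address 192.168.0.1 are assumed values.

```python
import ipaddress

# Assumed values: the LAN net and the pfSense box's own address
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
FIREWALL_SELF = ipaddress.ip_address("192.168.0.1")
ANY = ipaddress.ip_network("0.0.0.0/0")
USER2_NET = ipaddress.ip_network("10.1.3.0/24")

# The three IPsec rules from the guide, in the order they are listed:
# (action, source network, destination, destination port or None for any)
RULES = [
    ("pass", ANY, "self", 53),             # DNS to the firewall itself
    ("reject", USER2_NET, LAN_NET, None),  # user2 range must not reach LAN
    ("pass", ANY, ANY, None),              # everything else, e.g. internet
]

def matches(rule, src, dst, port):
    """True if a packet from src to dst:port matches this rule."""
    _, rule_src, rule_dst, rule_port = rule
    if src not in rule_src:
        return False
    if rule_dst == "self":
        if dst != FIREWALL_SELF:
            return False
    elif dst not in rule_dst:
        return False
    return rule_port is None or port == rule_port

def evaluate(rules, src, dst, port=None):
    """pfSense walks the interface rules top-down and applies the first match;
    with no match the implicit default deny ('block') applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule[0]
    return "block"

def isolation_holds(rules):
    """Policy from the guide: user1 reaches LAN, user2 does not, both get DNS and internet."""
    users = ("10.1.2.1", "10.1.3.1")
    return (
        evaluate(rules, "10.1.2.1", "192.168.0.10", 445) == "pass"
        and evaluate(rules, "10.1.3.1", "192.168.0.10", 445) == "reject"
        and all(evaluate(rules, u, "192.168.0.1", 53) == "pass" for u in users)
        and all(evaluate(rules, u, "203.0.113.5", 443) == "pass" for u in users)
    )

if __name__ == "__main__":
    print("guide order:", isolation_holds(RULES))           # True
    print("pass-any first:", isolation_holds(RULES[::-1]))  # False: user2 reaches the LAN
```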


Now user1 will have full access (LAN and internet) and user2 will have internet access only, with no LAN access.
To create more accounts for friends, repeat step 1 and assign them IP addresses from the range 10.1.3.2 to 10.1.3.254, which is covered by the block rule.