[GUIDE] IKEv2/IPSec, Per user firewall rule settings with FreeRADIUS

1. Follow the “IKEv2 with EAP-MSCHAPv2” guide from pfSense (https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2) to create a working IKEv2/IPsec VPN server first.
2. Install the FreeRADIUS2 package on pfSense.
3. Once that is tested and working, change the IPsec configuration so that the IKEv2/IPsec VPN authenticates clients against RADIUS instead of the local user database. (Search for a pfSense FreeRADIUS configuration guide.)


From here on, assume IKEv2/IPsec is working with FreeRADIUS.

Configure per-user rules.
Create user1 and user2: user1 will have access to the internal LAN and the internet; user2 will have internet access only, with no access to the internal LAN.
In a real-world case, user1 could be the pfSense owner/administrator and user2 a friend you want to give VPN access to.

1. Create user1 and user2 in Services -> FreeRADIUS -> Users.
user1
Username: user1, Password: password, IP Address: 10.1.2.1, Subnet Mask: 255.255.255.0, Gateway: 0.0.0.0/0 192.168.0.1 1
(The Gateway field takes the form “0.0.0.0/0 <gateway address> 1”, where the gateway address is the address of the pfSense box itself, not the external gateway.)
Save

user2
Username: user2, Password: password, IP Address: 10.1.3.1, Subnet Mask: 255.255.255.0, Gateway: 0.0.0.0/0 192.168.0.1 1
(Same Gateway format as for user1: “0.0.0.0/0 <gateway address> 1”, with the pfSense box’s own address, not the external gateway.)
Save

Now, when user1 logs in, virtual IP address 10.1.2.1 will be assigned; when user2 logs in, virtual IP address 10.1.3.1 will be assigned.

2. Give both users internet access: System -> Routing -> Static Routes.
Add two new static routes, one for the user1 subnet and one for the user2 subnet, so that both clients get internet access through the pfSense box.

Static Route1
Destination network: 10.1.2.0/24
Gateway: WAN_PPPOE – xxx.xxx.xxx.xxx (your pfSense WAN gateway, the one you use to get internet access)
Save

Static Route2
Destination network: 10.1.3.0/24
Gateway: WAN_PPPOE – xxx.xxx.xxx.xxx (your pfSense WAN gateway, the one you use to get internet access)
Save

3. Create firewall rules, Firewall -> IPsec. Rules on this tab are evaluated top to bottom and the first match wins, so add them in the order below (the DNS pass rule and the reject rule must sit above the pass-anything rule).
Create a DNS rule: Action: Pass, Interface: IPsec, Address Family: IPv4, Protocol: TCP/UDP, Source: Any, Destination: This firewall (self), Destination Port Range: from 53 to 53.
Save

Create a block rule so that user2 cannot reach our LAN: Action: Reject, Interface: IPsec, Address Family: IPv4, Protocol: Any, Source: Network 10.1.3.0/24, Destination: LAN net.
Save

Create a rule allowing all other traffic (internet etc.): Action: Pass, Interface: IPsec, Address Family: IPv4, Protocol: Any, Source: Any, Destination: Any
Save


Now user1 has full access (LAN and internet) and user2 has internet access only, with no LAN access.
To create more accounts for friends, repeat step 1 and assign them addresses from the 10.1.3.2 to 10.1.3.254 range.
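To see why the rule order in step 3 matters, here is an added example (not part of the original guide) that models the three IPsec-tab rules and evaluates them the way pfSense does on an interface tab: top to bottom, first match wins, implicit default deny if nothing matches. It assumes the LAN net is 192.168.0.0/24 and that the pfSense box answers on 192.168.0.1 (the gateway address used in the FreeRADIUS entries); the destination hosts and the misordered rule set are constructed for illustration.

```python
"""
Model of the guide's three IPsec-tab firewall rules, evaluated first-match
like pfSense. Added example; not from the guide or from pfSense itself.

Assumptions (not stated in the guide): "LAN net" is 192.168.0.0/24 and the
pfSense box itself is 192.168.0.1, matching the gateway address in the
FreeRADIUS user entries.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# pfSense resolves these aliases when it loads the rules; values assumed here.
ALIASES = {
    "LAN net": "192.168.0.0/24",
    "This firewall (self)": "192.168.0.1/32",
}

# Virtual IPs handed out by FreeRADIUS per the guide's user entries.
VPN_USERS = {"user1": "10.1.2.1", "user2": "10.1.3.1"}


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "reject"
    proto: str                    # "any" or a "/"-separated list, e.g. "tcp/udp"
    src: str                      # "any", an alias name, or a CIDR
    dst: str                      # "any", an alias name, or a CIDR
    dport: Optional[int] = None   # None means any destination port


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    net = ipaddress.ip_network(ALIASES.get(spec, spec), strict=False)
    return ipaddress.ip_address(addr) in net


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return the action of the first rule matching the packet."""
    for rule in rules:
        if rule.proto != "any" and proto not in rule.proto.split("/"):
            continue
        if not _addr_matches(rule.src, src) or not _addr_matches(rule.dst, dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "block"   # implicit default deny on a pfSense interface tab


# The rules in exactly the order the guide creates them.
GUIDE_RULES = [
    Rule("pass", "tcp/udp", "any", "This firewall (self)", 53),  # DNS to pfSense
    Rule("reject", "any", "10.1.3.0/24", "LAN net"),             # user2 subnet -> LAN
    Rule("pass", "any", "any", "any"),                           # everything else
]

# Constructed mistake: the pass-anything rule dragged to the top of the tab.
MISORDERED_RULES = [GUIDE_RULES[2], GUIDE_RULES[0], GUIDE_RULES[1]]


def check_policy(rules: List[Rule]) -> dict:
    """Check the guide's intended outcomes against a rule set.

    Destination hosts are constructed samples: 192.168.0.50 stands for a LAN
    host, 203.0.113.10 (TEST-NET-3) for an internet host.
    """
    u1, u2 = VPN_USERS["user1"], VPN_USERS["user2"]
    return {
        "user1_to_lan": evaluate(rules, "tcp", u1, "192.168.0.50", 445),
        "user1_to_internet": evaluate(rules, "tcp", u1, "203.0.113.10", 443),
        "user2_to_lan": evaluate(rules, "tcp", u2, "192.168.0.50", 445),
        "user2_to_internet": evaluate(rules, "tcp", u2, "203.0.113.10", 443),
        "user2_dns_to_pfsense": evaluate(rules, "udp", u2, "192.168.0.1", 53),
        "user2_ssh_to_pfsense": evaluate(rules, "tcp", u2, "192.168.0.1", 22),
    }


if __name__ == "__main__":
    for name, rules in (("guide order", GUIDE_RULES), ("misordered", MISORDERED_RULES)):
        print(name)
        for key, action in check_policy(rules).items():
            print(f"  {key}: {action}")
```

With the guide's order, user2 reaches the internet and DNS on the pfSense box but is rejected for everything else on the LAN, including other services on 192.168.0.1, because the DNS rule is the only one above the reject. With the pass-anything rule moved to the top, the reject rule is never reached and user2 gets full LAN access, which is the check worth making after dragging rules around in the web UI.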

TPG NBN modem with pfSense

How to use pfSense with a TPG NBN modem


Create a VLAN: Interfaces -> Assignments -> VLANs -> Add.

Parent Interface: Use your WAN interface (mine is igb0)

VLAN Tag: 2

VLAN Priority: 0 (make sure it is 0, or the connection will fail)

[Screenshot: pfSense VLAN editing page]

Create a PPP: Interfaces -> Assignments -> PPPs -> Add.

Link Type: PPPoE

Link Interface: The VLAN you set up before.

Username: TPG Username

Password: TPG Password

[Screenshot: pfSense PPPs/PPPoE editing page]

Configure the WAN port.

Description: WAN

IPv4 Configuration Type: PPPoE

MTU: 1500

MSS: 1492

Username: TPG Username

Password: TPG Password

[Screenshot: pfSense WAN interface editing page]

Now you can connect to the internet through pfSense -> NBN modem/NBN HFC connection box (usually a small black box) -> HFC cable connected to the wall.

[Originally the chain was: TPG-supplied WiFi router -> NBN modem/NBN HFC connection box (usually a small black box) -> HFC cable connected to the wall.]