pfSense firewalls are widely used for Windows networks: traffic to/from Windows servers goes through the pfSense firewall and thus the Windows Servers in the network cannot be directly attacked by malicious parties.
Windows networks usually use an Active Directory to determine, among other things, which users and groups have rights to certain resources within a Windows network, for example to shared network folders.
pfSense has built-in tools to also manage the users you manage your pfSense firewall with via an Active Directory. In this guide we show you how to do that.
This tutorial requires at minimum a private network that includes a Windows Server configured as an Active Directory Domain Controller and a pfSense firewall.
Step 1
Connect to your Domain Controller (DC) via Remote Desktop or the VPS console.
Windows uses the LDAP protocol to communicate with a Domain Controller. This protocol can be abused in (D)DoS attacks. We therefore monitor our network for publicly accessible LDAP servers and block the LDAP port if necessary.
If you have already secured the LDAP port (UDP) on your DC so that only servers on your private network can connect to it, skip to step 5.
Step 2
Click the start button and use the search term 'Firewall'. Alternatively, you can also find the firewall in the Server Manager under 'Tools'. In the search results, click 'Windows Firewall with Advanced Security'.
Step 3
Click 'Inbound Rules'. Most likely you already have two LDAP rules in this overview called 'Active Directory Domain Controller - LDAP' for TCP-In and UDP-In, or you have already created your own LDAP rule.
Now double click the LDAP rule for UDP traffic.
Step 4
First check in the 'General' tab that the option 'Allow the connection' is selected.
Then click the 'Scope' tab and then under 'Remote IP address' click 'Add'.
Enter the subnet (your IP range) that you use for your private network (see this manual), for example 192.169.0.0/24 and click 'OK'.
Click 'Apply' and 'OK' to apply the changes and close the window.
We then create the necessary users and groups in the Active Directory.
Click the Windows Start button, type 'Active Directory Users and Computers' and click the result.
Step 6
Click the name of your domain and then click 'Users'.
Step 7
In the list of users, right-click an empty space and select 'New' > 'User', or use the shortcut icon at the top of the window.
Step 8
Enter the name 'admin' as the first and user name and click 'Next'. Admin is the username we use for the pfSense web interface.
Step 9
Enter a password and click 'Next'.
Step 10
Click 'Finish' to close the wizard. Now repeat steps 7 to 10 and create another user, for example with the name 'pfldap'. We use this account for communication with the Active Directory database (in pfSense this is the Bind user).
Step 11
Next, we create a new group whose members have administrative rights on the pfSense web interface.
In the list of users, right-click an empty spot and select 'New' > 'Group', or use the shortcut icon at the top of the window to create a new group.
Step 12
Give the group a name, for example 'pfsense', and click 'OK'.
Step 13
In the ADUC tool, double click the group name 'pfsense' and click the 'Members' tab and then 'Add'.
Search for the name 'Admin'. You will see a screen with the message that multiple results have been found (Admin and Administrator). Select 'Admin' and click 'OK' twice.
You are now back in the pfsense Properties screen. Click 'Apply' > 'OK' to apply the changes and close the window.
Step 14
Now log in to the pfSense web interface as admin and click 'System' > 'User Mamager' in the top menu.
Step 15
Click the 'Authentication Servers' tab and then 'Add'.
Step 16
Fill in the form as in the example below and use your own details for the following points:
-
Hostname or IP address: The IP address or subdomain name of your Domain Controller.
-
Base DN: The domain name of your Windows domain, as you set it up in step 13 of our Active Directory tutorial. You divide the domain name by placing DC= in front of each part. For example, for the domain transip.local, this becomes DC=transip,DC=local (no spaces!).
-
Authentication Containers: The name of the folder in your active directory where you add users and groups with the suffix CN= (always 'CN=Users') in combination with your Base DN (see previous point), for example CN=Users,DC =transip,DC=local
- Bind credentials: The suffix CN= with the name of the Bind user from step 10 of this guide, along with the Authentication Containers, for example CN=pfldap,CN=Users,DC=transip,DC=local
Step 17
Now click the 'Groups' tab in the User Manager and then click 'Add'.
Step 18
Enter a group name, for example 'pfsense' or 'pfsense-admins', set the scope to 'remote', give the group a description and make the user 'Admin' a member of this group. Then click 'Save'.
Step 19
An important option is missing when creating the group, but can be modified afterwards. Click the pencil next to the name of your new group to edit it.
Step 20
As you can see, no privileges have been assigned to the group yet. Click 'Add' to add a privilege.
Select the option 'WebCfg - All Pages' as a privilege to give members of this group admin rights and click 'Save' at the bottom.
Step 21
Time for a quick test: Click 'Diagnostiscs' in the top menu and select the 'Authentication' option.
Select the name you used in step 16 as 'Authentication Server' and as username and select the admin username and password you added in your Active Directory in steps 7 to 10 as password. Then click 'Test'. If everything went well, you will see the message in the screenshot below. It is true that you will not see groups of which the user is a member here.
Step 22
Go back to the User Manager (under System) and this time click 'Settings'. Change the 'Authentication Server' to the server you set up in step 16 and click 'Save'.
Surprise! You don't have to log in again now, but the next time you log in to the pfSense web interface, use the user Admin and the corresponding password as you have set it in your Active Directory.
This brings us to the end of this tutorial on how to manage pfSense users in an Active Directory.