Jim,

Thanks for the response. That is what I suspected, that the values were populated at config time rather than connect time.

The main reason that I wanted to be able to use those values is because I couldn't find a way to use an alias when defining a 'Client Specific Override'. I wanted to avoid needing to enter the same values more than one place in order to reduce the chance of error when defining CSO's and their related rules.

Am I missing something? It seems like an oversight to not allow alias substitution when defining CSO's ... or is there a technical reason why substitution is not possible with the OpenVPN package?

Is there a way to define both the client specific network and associated FW rules from a single input; using aliases, radius, AD, other. From what I have gleaned from the docs, forums, etc that I have perused, local DB + CSO's seem to be the closest I can get to this type of 'policy based routing/security'.

Basically, what we want to do is define a set of policies that can be applied to a group of users and allow fine tuning of the policy for individual users if necessary. I had envisioned using a different OpenVPN interface for each group; assigning rules to each interface then fine tuning using CSO's. Is there a better way to do this?

Paul

On 10/14/2014 07:08 AM, Jim Pingle wrote:
> On 10/13/2014 10:46 AM, Paul Beriswill wrote:
>> Now, when I create rules for the OpenVPN_Ops interface, using
>> 'OPEN_VPN_OPS net' as 'Source' the rule never hits.
>> It doesn't appear that the 'net' and 'address' aliases are being
>> populated when the connection is established. Is this correct?
>
> I don't believe that macro works for OpenVPN interfaces. Remember, when you assign the interface you must set it to an IP type of "None" which is what that macro would have used to fill that macro. Manually specify the source of the traffic in the rules and you'll be OK.
>
> You could use aliases to define specific subnet(s) or groups of people based on the addresses you intend to assign via client-specific overrides.
>
> Jim
> _______________________________________________
> List mailing list
> [email protected]
> https://lists.pfsense.org/mailman/listinfo/list

--
Paul Beriswill
PDF Complete Inc | www.pdfcomplete.com
550 Club Drive, Ste. 477 | Montgomery, TX 77316
512.263.0868 x 707 direct | [email protected]
