pfSense firewalls are widely used for Windows networks: traffic to/from Windows servers goes through the pfSense firewall and thus the Windows Servers in the network cannot be directly attacked by malicious parties.
Windows networks usually use an Active Directory to determine, among other things, which users and groups have rights to certain resources within a Windows network, for example to shared network folders.
pfSense has built-in tools to also manage the users you manage your pfSense firewall with via an Active Directory. In this guide we show you how to do that.
This tutorial requires at minimum a private network that includes a Windows Server configured as an Active Directory Domain Controller and a pfSense firewall.
Step 1
Connect to your Domain Controller (DC) via Remote Desktop or the VPS console.
Windows uses the LDAP protocol to communicate with a Domain Controller. This protocol can be abused in (D)DoS attacks. We therefore monitor our network for publicly accessible LDAP servers and block the LDAP port if necessary.
If you have already secured the LDAP port (UDP) on your DC so that only servers on your private network can connect to it, skip to step 5.
Step 2
Click the start button and use the search term 'Firewall'. Alternatively, you can also find the firewall in the Server Manager under 'Tools'. In the search results, click 'Windows Firewall with Advanced Security'.
Step 3
Click 'Inbound Rules'. Most likely you already have two LDAP rules in this overview called 'Active Directory Domain Controller - LDAP' for TCP-In and UDP-In, or you have already created your own LDAP rule.
Now double click the LDAP rule for UDP traffic.
Step 4
First check in the 'General' tab that the option 'Allow the connection' is selected.
Then click the 'Scope' tab and then under 'Remote IP address' click 'Add'.
Enter the subnet (your IP range) that you use for your private network (see this manual), for example 192.169.0.0/24 and click 'OK'.
Click 'Apply' and 'OK' to apply the changes and close the window.
We then create the necessary users and groups in the Active Directory.
Click the Windows Start button, type 'Active Directory Users and Computers' and click the result.
Step 6
Click the name of your domain and then click 'Users'.
Step 7
In the list of users, right-click an empty space and select 'New' > 'User', or use the shortcut icon at the top of the window.
Step 8
Enter the name 'admin' as the first and user name and click 'Next'. Admin is the username we use for the pfSense web interface.
Step 9
Enter a password and click 'Next'.
Step 10
Click 'Finish' to close the wizard. Now repeat steps 7 to 10 and create another user, for example with the name 'pfldap'. We use this account for communication with the Active Directory database (in pfSense this is the Bind user).
Step 11
Next, we create a new group whose members have administrative rights on the pfSense web interface.
In the list of users, right-click an empty spot and select 'New' > 'Group', or use the shortcut icon at the top of the window to create a new group.
Step 12
Give the group a name, for example 'pfsense', and click 'OK'.
Step 13
In the ADUC tool, double click the group name 'pfsense' and click the 'Members' tab and then 'Add'.
Search for the name 'Admin'. You will see a screen with the message that multiple results have been found (Admin and Administrator). Select 'Admin' and click 'OK' twice.
You are now back in the pfsense Properties screen. Click 'Apply' > 'OK' to apply the changes and close the window.
Do you use Windows Server 2025? Follow the additional steps in the element directly below.
Windows Server 2025 additional steps
Windows comes with a feature called 'Group Policies'. Group policies are a Windows feature for managing security settings, software deployments, and much more within an Active Directory environment. To achieve this, ‘policies’ are applied to users, groups, computers and servers in an organisation. These policies are defined in Group Policy Objects (GPOs). Additionally, policies are also applied to local computers, even though some of those affect the Active Directory as a whole.
On the Domain Controller a few small adjustments in the Local Computer Policy related to LDAP security policies are required. In essence, some of these options aren't configured by default and are required to be able to use pfSense in combination with LDAP.
Step 1
Click the start button and search for ‘Local Group’. In the results, click on ‘Edit group policy’.
Step 2
In the menu on the left, collapse the elements Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and adjust the options below to the indicated values.
Please note: if not all of these options are available on your server, adjust as many of them as are available to you.
- Domain controller: LDAP server channel binding token requirements: “When Supported”
- Domain controller: LDAP server signing requirements: “None”
- Domain controller: LDAP server Enforce signing requirements: “Disabled”
- Network security: LDAP client encryption requirements: “Negotiate Sealing”
- Network security: LDAP client signing requirements: "Negotiate Signing"
Now close the Group Policy editor en ga verder met stap 14 hieronder.
Step 14
Now log in to the pfSense web interface as admin and click 'System' > 'User Mamager' in the top menu.
Step 15
Click the 'Authentication Servers' tab and then 'Add'.
Step 16
Fill in the form as in the example below and use your own details for the following points:
-
Hostname or IP address: The IP address or subdomain name of your Domain Controller.
-
Base DN: The domain name of your Windows domain, as you set it up in step 13 of our Active Directory tutorial. You divide the domain name by placing DC= in front of each part. For example, for the domain transip.local, this becomes DC=transip,DC=local (no spaces!).
-
Authentication Containers: The name of the folder in your active directory where you add users and groups with the suffix CN= (always 'CN=Users') in combination with your Base DN (see previous point), for example CN=Users,DC =transip,DC=local
-
Bind credentials: The suffix CN= with the name of the Bind user from step 10 of this guide, along with the Authentication Containers, for example CN=pfldap,CN=Users,DC=transip,DC=local
Does your Active Directory account have a first and last name? Then, the first CN is the first and last name including spaces, for example:
CN=Piet Piraat,CN=Users,DC=transip,DC=local
You can retrieve the correct CN in PowerShell using the command:
Get-ADUser <accountnaam> | Select DistinguishedName
Use the account name as viisble in the Active Directory Users and Computers tool under the ‘Account’ tab.
Step 17
Now click the 'Groups' tab in the User Manager and then click 'Add'.
Step 18
Enter a group name, for example 'pfsense' or 'pfsense-admins', set the scope to 'remote', give the group a description and make the user 'Admin' a member of this group. Then click 'Save'.
Step 19
An important option is missing when creating the group, but can be modified afterwards. Click the pencil next to the name of your new group to edit it.
Step 20
As you can see, no privileges have been assigned to the group yet. Click 'Add' to add a privilege.
Select the option 'WebCfg - All Pages' as a privilege to give members of this group admin rights and click 'Save' at the bottom.
Step 21
Time for a quick test: Click 'Diagnostiscs' in the top menu and select the 'Authentication' option.
Select the name you used in step 16 as 'Authentication Server' and as username and select the admin username and password you added in your Active Directory in steps 7 to 10 as password. Then click 'Test'. If everything went well, you will see the message in the screenshot below. It is true that you will not see groups of which the user is a member here.
Step 22
Go back to the User Manager (under System) and this time click 'Settings'. Change the 'Authentication Server' to the server you set up in step 16 and click 'Save'.
Surprise! You don't have to log in again now, but the next time you log in to the pfSense web interface, use the user Admin and the corresponding password as you have set it in your Active Directory.
This brings us to the end of this tutorial on how to manage pfSense users in an Active Directory.