How to use User Management with Rule-Based Policy


    Vigor Router supports two User Management modes: Rule-Based and User-Based. In general, User-Based is the mode in which the Administrator sets different Firewall rules for different user accounts; Rule-Based is the mode in which the Administrator sets different Firewall rules for different source/destination IPs. (See Difference between User Based and Rule Based Policy for more details.) However, the Administrator can still require LAN clients to log in for Internet access while using Rule-Based as the User Management mode. In this note, we provide three examples of using User Management with Rule-Based Policy.

    First of all, please go to User Management >> General Setup to make sure the Mode is selected as Rule-Based.


    Part A. Authentication for Internet access

    The scenario for this part is that the Administrator requires employees to log in with a shared account for Internet access.

    1. Create a user account for the employees. Go to User Management >> User Profile and click on a profile number to create/edit a user profile.

    2. Apply the user profile to the Default Firewall Rule so that all LAN clients will need authentication to access the Internet. Go to Firewall >> General Setup >> Default Rule.

    3. After the above configuration, all LAN clients will be asked to log in when they try to browse webpages. Only the LAN clients that know the username and password will be able to use the Internet service.

    After they log in, a pop-up window shows their IP and their Time Quota, which is unlimited in this example.

    Part B. Different authentication for different IP subnet

    The scenario for this part is that employees and guests use different user accounts for Internet access, and the Administrator separates them into different IP subnets. LAN clients from a specific IP subnet have to log in with the right user account to access the Internet; however, traffic from the server is not restricted.

    1. Go to User Management >> User Profile and follow the instructions in Part A to create two user profiles, one for employees and one for guests.

    2. Go to Firewall >> Filter Setup >> Set 2 to add a Firewall Filter Rule that passes the traffic from the server.

      1. Click on an Index number to add/edit a Filter Rule.

      2. Check to enable the Filter Rule.

      3. Click Edit to configure the Source IP as the IP of the server.

    3. Add another Filter Rule for the employees.

      1. Click on an Index number to add/edit a Filter Rule.

      2. Check to enable the Filter Rule.

      3. Click Edit to configure the Source IP as the IP range for the employees.

    With the Firewall Rule above, LAN clients from the IP range 192.168.1.20~192.168.1.40 will need to log in with the Employee account for Internet access.

    4. Similarly, add another Filter Rule for the guests.

      1. Click on an Index number to add/edit a Filter Rule.

      2. Check to enable the Filter Rule.

      3. Click Edit to configure the Source IP as the IP range for the guests.

    With the Firewall Rule above, LAN clients from the IP range 192.168.2.10~192.168.2.100 will need to log in with the Guest account for Internet access.

    5. Go to Firewall >> General Setup >> Default Rule and set the Firewall Default Rule to "Block", so that traffic that does not match any Filter Rule is blocked.

    Part C. Restrict a destination to some users only

    The Administrator may also restrict some destinations to specific users only. For example, we may set a Firewall Rule so that the remote VPN network is reachable by the employees only.

    Follow the instructions in Parts A and B to create the user profiles and the Firewall Filter Rules for Internet access. After that, add another Filter Rule at Firewall >> Filter Setup >> Set 2 to allow employees to access the VPN network:

    1. Enable this Rule.

    2. Click Edit to configure the Destination IP as the IP of the remote VPN network.

    With the Firewall Rule above, the network 172.16.2.0/24 can be reached only by the LAN clients who log in with the Employee account.
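    To make the interaction of the rules from Parts B and C easier to reason about, the following is an added example, not DrayTek's code or a description of the router's implementation. It is a small first-match simulator of the rule set: the server pass rule, the Employee and Guest source-range rules, the Employee-only VPN destination rule, and the "Block" default rule. First-match evaluation, the server IP (192.168.1.10) and the Internet host (203.0.113.10) are assumptions; the employee/guest ranges and the 172.16.2.0/24 VPN network come from the note above. A client that matches a rule carrying a user profile it has not logged in with gets a "login:<profile>" decision; how the router presents that (login page or drop) is not modeled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Added example (not the router's code): first-match model of the Rule-Based
# policy built in Parts B and C. Ordering semantics are an assumption.


@dataclass
class FilterRule:
    name: str
    src_range: Optional[Tuple[str, str]] = None  # inclusive (first, last); None = any source
    dst_network: Optional[str] = None            # CIDR; None = any destination
    action: str = "pass"                         # "pass" or "block"
    user_profile: Optional[str] = None           # pass only when logged in with this profile


def _src_matches(rule: FilterRule, src: str) -> bool:
    if rule.src_range is None:
        return True
    first, last = (ip_address(x) for x in rule.src_range)
    return first <= ip_address(src) <= last


def _dst_matches(rule: FilterRule, dst: str) -> bool:
    return rule.dst_network is None or ip_address(dst) in ip_network(rule.dst_network)


def evaluate(rules: List[FilterRule], default_action: str, src: str, dst: str,
             logged_in_as: Optional[str] = None) -> Tuple[str, str]:
    """Return (decision, rule name). Decision is 'pass', 'block', or
    'login:<profile>' when the first matching rule needs a login the client lacks."""
    for rule in rules:
        if not (_src_matches(rule, src) and _dst_matches(rule, dst)):
            continue
        if rule.action == "block":
            return ("block", rule.name)
        if rule.user_profile and logged_in_as != rule.user_profile:
            return (f"login:{rule.user_profile}", rule.name)
        return ("pass", rule.name)
    return (default_action, "default")


# Constructed placeholders: the note gives the employee/guest ranges and the
# VPN network; the server IP and the Internet host are made up for the example.
SERVER_IP = "192.168.1.10"
INTERNET_HOST = "203.0.113.10"
VPN_NETWORK = "172.16.2.0/24"
DEFAULT_RULE = "block"  # Part B, step 5


def part_b_and_c_rules() -> List[FilterRule]:
    """Rule set in the order that gives the behaviour the note describes:
    the destination rule sits before the source-range rules, so a Guest
    client still needs the Employee account to reach the VPN network."""
    return [
        FilterRule("server-pass", src_range=(SERVER_IP, SERVER_IP)),
        FilterRule("vpn-employees-only", dst_network=VPN_NETWORK, user_profile="Employee"),
        FilterRule("employees", src_range=("192.168.1.20", "192.168.1.40"), user_profile="Employee"),
        FilterRule("guests", src_range=("192.168.2.10", "192.168.2.100"), user_profile="Guest"),
    ]


def vpn_rule_after_subnet_rules() -> List[FilterRule]:
    """Same rules with the VPN destination rule moved last: under first-match
    a logged-in Guest now hits the 'guests' rule first and reaches the VPN."""
    rules = part_b_and_c_rules()
    rules.append(rules.pop(1))
    return rules


if __name__ == "__main__":
    cases = [
        ("192.168.1.25", INTERNET_HOST, None),        # employee range, not logged in
        ("192.168.1.25", INTERNET_HOST, "Employee"),  # employee range, logged in
        ("192.168.2.50", INTERNET_HOST, "Guest"),     # guest range, logged in as Guest
        ("192.168.2.50", "172.16.2.5", "Guest"),      # guest trying the VPN network
        ("192.168.1.200", INTERNET_HOST, None),       # outside every range -> default
        (SERVER_IP, INTERNET_HOST, None),             # server passes without login
    ]
    for src, dst, who in cases:
        print(src, "->", dst, who, evaluate(part_b_and_c_rules(), DEFAULT_RULE, src, dst, who))
    print("misordered:", evaluate(vpn_rule_after_subnet_rules(), DEFAULT_RULE,
                                  "192.168.2.50", "172.16.2.5", "Guest"))
```

    The last call illustrates why the position of the Part C rule matters in any first-match rule set: if the destination rule is placed after the guest source rule, a logged-in Guest matches the guest rule first and is passed to 172.16.2.0/24. When adding the rule on the router, check where it lands relative to the Part B rules.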
