Reverse captive portal
It would be nice to be able to "reverse" captive portal, i.e. force users on the Internet to authenticate to the firewall via a web page before accessing services behind the firewall.
Updated by Yehuda Katz almost 11 years ago
I just brought this up on the forum this week (http://forum.pfsense.org/index.php/topic,31079.0.html)
Regular users log into a page on the firewall and choose which server/services they want and how long they want it for.
The web page would add a firewall exception for the specified information for the client IP address.
(Administrators could add for other IPs too.)
Does that help?
I am going to look into writing it myself, but I am watching this space and that forum topic if anyone has ideas.
Updated by H. H. almost 11 years ago
Thats a feature I missed on pfsense too. I know very well the watchguard solution:
A small webserver (https) at the firewall sends a Java applet to the user to enter name and password. Encrypted by the Java applet, transfered to the firewall its used for verification against the authentication database defined in its configuration. A successfull authenticated user can use all services based on his group membership -- the group membership is used by filter rules where the IP of the authenticated user is temporary added. As long he keeps open the browser window with the logon applet he is autenticated. If its closed or network connection is lost, a few minutes later the IP is removed from the filter rules ...
It's a really nice feature to protect services from outside because no special client is needed.
Hope it helps to find a solution ...
Updated by P S over 8 years ago
Has there been any more activity on this feature request? I would love to use pfSense with the described functionality: I want to restrict remote access to my network without requiring users to establish a full-blown VPN connection. Instead they should only be required to authenticate on a webpage before the firewall is opened up for them...