Feature #385


Reverse captive portal

Added by Chris Buechler over 12 years ago. Updated almost 3 years ago.

Captive Portal

It would be nice to be able to "reverse" captive portal, i.e. force users on the Internet to authenticate to the firewall via a web page before accessing services behind the firewall.

#1

Updated by Ermal Luçi over 12 years ago

What does prevent one to run CP on WAN interface? (especially on 2.0)

#2

Updated by Chris Buechler over 12 years ago

It's fine to run on WAN, but it wouldn't do what's described here, it would block all reply traffic on outbound Internet requests, and can't be specific enough to restrict to one or several particular hosts or ports.

#3

Updated by Ermal Luçi over 12 years ago

Well i need a definition of what reverse CP is to see what it takes to implement this.

#4

Updated by Yehuda Katz over 11 years ago

I just brought this up on the forum this week (,31079.0.html)

Regular users log into a page on the firewall and choose which server/services they want and how long they want it for.
The web page would add a firewall exception for the specified information for the client IP address.
(Administrators could add for other IPs too.)

Does that help?
I am going to look into writing it myself, but I am watching this space and that forum topic if anyone has ideas.

#5

Updated by Ermal Luçi over 11 years ago

Well there is a possibility to add an ipfw rule with direction out and keep-state to provision this!?

#6

Updated by H. H. over 11 years ago

That's a feature I missed on pfSense too. I know very well the WatchGuard solution:
A small webserver (https) at the firewall sends a Java applet to the user to enter name and password. Encrypted by the Java applet, transferred to the firewall, it's used for verification against the authentication database defined in its configuration. A successfully authenticated user can use all services based on his group membership -- the group membership is used by filter rules where the IP of the authenticated user is temporarily added. As long as he keeps open the browser window with the logon applet he is authenticated. If it's closed or the network connection is lost, a few minutes later the IP is removed from the filter rules ...

It's a really nice feature to protect services from outside because no special client is needed.

Hope it helps to find a solution ...
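As an added sketch of the grant-and-expire logic described in #4 and #6 (not code from this ticket or from pfSense), assuming a hypothetical ReverseCaptivePortal class that records time-limited per-client exceptions and renders them as ipfw keep-state rules along the lines suggested in #5:

```python
import ipaddress
import time

# Hypothetical reverse-captive-portal grant table (constructed example): an
# authenticated client IP maps to (server, port) exceptions, each with an expiry.
class ReverseCaptivePortal:
    def __init__(self, rule_base=10000):
        self.grants = {}          # client_ip -> {(server, port): expires_at}
        self.rule_base = rule_base

    def grant(self, client_ip, server, port, seconds, now=None):
        """Record a time-limited exception chosen by an authenticated client."""
        now = time.time() if now is None else now
        # Validate addresses so nothing but a real IP ever reaches a rule string.
        client = str(ipaddress.ip_address(client_ip))
        server = str(ipaddress.ip_address(server))
        if not 0 < port < 65536 or seconds <= 0:
            raise ValueError("invalid port or duration")
        self.grants.setdefault(client, {})[(server, port)] = now + seconds

    def expire(self, now=None):
        """Drop grants whose time is up (the 'window closed / link lost' case)."""
        now = time.time() if now is None else now
        removed = []
        for client, entries in list(self.grants.items()):
            for key, until in list(entries.items()):
                if until <= now:
                    del entries[key]
                    removed.append((client,) + key)
            if not entries:
                del self.grants[client]
        return removed

    def ipfw_rules(self, now=None):
        """Render the still-valid grants as ipfw 'allow ... in keep-state' rules."""
        self.expire(now)
        rules = []
        number = self.rule_base
        for client, entries in sorted(self.grants.items()):
            for server, port in sorted(entries):
                rules.append(f"ipfw add {number} allow tcp from {client} "
                             f"to {server} {port} in keep-state")
                number += 1
        return rules
```

The rule strings are only rendered, not executed; a real portal would apply them with the firewall's own tooling and re-run expire() on a timer.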

#7

Updated by P S over 9 years ago

Has there been any more activity on this feature request? I would love to use pfSense with the described functionality: I want to restrict remote access to my network without requiring users to establish a full-blown VPN connection. Instead they should only be required to authenticate on a webpage before the firewall is opened up for them...

#8

Updated by Jim Pingle almost 3 years ago

  • Category set to Captive Portal
