Netgate Discussion Forum
How to add username/password for port forwarding in pfSense

caigeliu:

      We have a in-house developed software in our LAN. We don't want this software world accessible, but we want some people can access this software anywhere world-wide. And we don't want to use VPN.

      Is there any way that for example we use port forwarding or something else except VPN, a user connect to the port, pfsense ask for username/password (or key/certificate), then pfsense forward it to the software in our LAN.

      Any suggestion is welcome. Thanks in advance.

KOM:

        No. Instead, create your NAT so that only Source IPs defined by you are allowed in. That way you can limit access to just the computers/network you want. Either that or build authentication into your software.

caigeliu:

Thanks KOM, that's sad. Is there any open-source software to check username/password, so that pfSense port-forwards to this software in our LAN, which then redirects to our software?

Astraea:

            Could you not use a reverse proxy and have an authentication setup on there?

caigeliu:

Thanks Astraea, the reverse proxy may be a good idea. I have just searched and nginx on Linux can be used as a reverse proxy. I'll investigate it more deeply.
Still expecting more suggestions.

Crunk_Bass (replying to caigeliu):

                I also suggest using a reverse proxy.

                Take a look at the HAProxy package for pfSense.
                What protocol does your software use?

Combined with the Acme package you can use HTTPS with a Let's Encrypt certificate if your software has a web interface.

caigeliu:

Thanks Crunk_Bass. HAProxy in pfSense would be a better solution if it works. I have just installed it, but need knowledge/documentation to configure it. Would you or anyone please give me a simple tutorial or simple instructions to configure it?

What we want is this: anyone from the world can access this HAProxy at a special TCP port on the pfSense gateway; after authentication, they are forwarded to the software inside our LAN. The software is a website accessed by HTTPS.

                  Any suggestion is welcome.

johnpoz (LAYER 8 Global Moderator):

Sounds like you want some sort of captive portal in front of your services to the public internet? Why would you not just do auth on the services? Or lock it down so that only the people you want to have access can access it, via VPN or source IP?

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

caigeliu:

Thanks johnpoz. Not sure whether captive portal works or not; I usually think captive portal works for LAN to WAN, but we want WAN to LAN.

We don't want to use VPN because of its complex setup and usage (we use VPN for smart staff), and we don't want to limit external source IPs because we don't know the possible source IPs.

We want anyone with authentication/certificate to be able to access a service on pfSense, then automatically be forwarded to a website inside the LAN. It is like a port forward in pfSense, but we want authentication between the port forward and the internal website.

johnpoz (LAYER 8 Global Moderator):

No, captive portal wouldn't work - but it sounds like that is what you're looking for: something to auth to before being allowed access to your forward.

Why not just put the auth on the service? You can for sure have auth on a web service, even cert auth. But that would be set up on the httpd server itself, not pfSense.


Derelict (LAYER 8 Netgate):

                          There is nothing at the session layer that can prompt for authentication there.

                          You need the application to do it.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

johnpoz (LAYER 8 Global Moderator):

It looks like you could do something with HAProxy. Here, after a simple Google search:
                            https://blog.taragana.com/guide-haproxy-http-basic-authentication-for-specific-sites-ssl-termination-15813

But it doesn't look like something for someone new to HAProxy to set up ;)

I have never looked into doing anything like this; in my experience you auth at the application. But this might be something useful for apps that do not support auth. But then you just do it at the httpd server, with something as simple as a .htaccess file, or better, which I have done many many years ago even with IIS, is just TLS auth, which is done at the httpd server.


caigeliu:

You're right. We want auth before a person reaches our website inside the LAN, because we have no confidence that our website inside the LAN is solid enough to protect against any attacks worldwide.

A reverse proxy with nginx on Linux should work, but we would need to set up a separate host for it. If HAProxy in pfSense can work, it should be good. Not sure how to find a simple way to configure it.

Crunk_Bass:

I only configured HAProxy once, so unfortunately I cannot give you a very detailed guide with explanations.
Also, English is not my native language, so I struggle a bit when writing, but I'll try my best.
You can find a lot of how-tos online.

                                THIS IS ONLY FOR TESTING. PLEASE DO YOUR OWN RESEARCH FOR USING IN A PRODUCTIVE ENVIRONMENT.

First you need to install the package (obviously), then go to HAProxy settings and enable it.
Set the internal stats port (I used 2200).
Under Global Advanced pass thru put:

    userlist SoftwareUsers
    user user1 insecure-password randompassword

                                Next create a backend.
                                Enter a Name and add a server to the list.
                                Give it a recognizable name like nameofyourcustomsoftware, put in the address and port and check the Encrypt(SSL) box.

Under Load balancing options select none.
Health checking -> none (you don't need it because there is only one backend and no option for a failover)

                                Now create a frontend.
                                Listen address -> LAN address (for testing)
                                Port -> your decision
                                Type -> ssl / https

                                Access Control lists:
                                UserAuthOkay Custom acl: http_auth(SoftwareUsers)

                                Actions:
                                http-request auth !UserAuthOkay
                                realm: realm UserAuthOkay

Derelict (LAYER 8 Netgate):
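For readers who want to see what the GUI steps in the post above amount to, here is the same setup written as a raw haproxy.cfg. This is an added example, not Crunk_Bass's configuration or anything shipped by the pfSense HAProxy package; the frontend/backend names, the listen port 8443, the certificate path, the internal server address 192.0.2.10 and the hashed-password line are all assumptions chosen for illustration.

```haproxy
# Added example haproxy.cfg; names, port, address and paths are assumptions.
defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Credentials the frontend checks. "insecure-password" keeps the secret in
# clear text in the config (acceptable for a quick test only). For real use,
# generate a crypt(3) hash (e.g. "mkpasswd -m sha-512") and use "password".
userlist SoftwareUsers
    user user1 insecure-password randompassword
    # user user2 password <crypt-hash-from-mkpasswd>    # placeholder, hashed form

# Public listener: TLS is terminated here (the cert could come from the Acme
# package), then HTTP Basic auth must succeed before anything is proxied.
frontend ft_software
    bind *:8443 ssl crt /var/etc/haproxy/example.pem    # assumed cert path
    acl UserAuthOkay http_auth(SoftwareUsers)
    http-request auth realm SoftwareUsers unless UserAuthOkay
    # Optional: keep the proxy credentials from reaching the application.
    # Leave this out if the application itself expects Basic auth.
    http-request del-header Authorization
    default_backend bk_software

# One internal server reached over HTTPS ("Encrypt (SSL)" in the GUI).
# "verify none" matches a typical test setup; for production pin the
# internal CA instead, e.g.:
#     server app1 192.0.2.10:443 ssl verify required ca-file /path/to/internal-ca.pem
backend bk_software
    server app1 192.0.2.10:443 ssl verify none
```

Before reloading, `haproxy -c -f haproxy.cfg` checks the file for syntax errors. A quick functional check from outside is a request without credentials, which should return 401 with a `WWW-Authenticate: Basic realm="SoftwareUsers"` header, followed by the same request with `-u user1:randompassword`, which should return the application's page. Note that Basic auth only protects the HTTP layer: the internal site still receives every request from authenticated users unfiltered, which is the point Derelict and johnpoz make elsewhere in the thread.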

                                  That would just be running another web server application in front.

                                  What OP wants is a VPN.


keyser (Rebel Alliance):

                                    In my experience the feature OP is asking for is a really good and very usable idea. Remember that the world is full of old insecure enterprise software that no one knows how to maintain.

I have used the Authentication feature in Microsoft's long-dead TMG Firewall for that purpose for many years. It allowed you to set up a reverse HTTPS proxy where you had to complete form-based user authentication to the proxy before the backend site was fetched/accessed.

Unfortunately TMG is dead now, and we started to use VPN because at the time I could not find a solution for HAProxy on pfSense.
VPN is very cumbersome and annoying to say the least - so I would love it if we could get the suggested HAProxy solution to work :-) I'm not able to test right now as it will be a couple of weeks before I'm back at pfSense maintenance.

                                    Pretty good idea in my opinion.

                                    Love the no fuss of using the official appliances :-)

Crunk_Bass (replying to keyser):

                                      @keyser I got this HAProxy authentication thing working at home.
                                      The only thing that is different is I am using http for communication between proxy and server on the internal network.
                                      Just play with it for a few hours. It is not that complicated.
                                      If you get stuck maybe I can help you with your configuration.

keyser (Rebel Alliance, replying to Crunk_Bass):

@Crunk_Bass Thank you so much for that confirmation. I'll give it a go when I get back. If I can make it work, I think it merits a little tutorial write-up so others can take advantage of the feature.

keyser (Rebel Alliance):

Even though I'm not home right now, the feedback from @Crunk_Bass has provided enough info to confirm that HAProxy now does support user authentication, and it is fairly simple to set up. I found this guide which I think can easily be adapted to pfSense:

                                          https://blog.taragana.com/guide-haproxy-http-basic-authentication-for-specific-sites-ssl-termination-15813

Really cool that HAProxy has this feature now. I don't think it was the case about 8 years ago when I was looking for a TMG replacement - at least I was unable to google my way to the solution if it did exist.

Excellent discovery :-)

johnpoz (LAYER 8 Global Moderator):

@keyser said in How to add username/password for port forwarding in pfSense:

    VPN is Very cumbersome and annoying to say the least

Huh?? In the corp world, every user uses VPN every single day... We have one customer that has 300+ users VPN'd in every single day. That is just a slow day - if it's a snow day or something and more users are working at home there are 500+ users VPN'd in to access corp resources.

To say it's cumbersome is just nonsense plain and simple... It's a click, and auth. Can it be annoying when you have to put in your PIN number to your ticks card twice in less than 10 seconds? Sure ;) But this is how security works.

Now they don't have 300+ users coming in via pfSense VPN... But you could ;)

While such a thing is possible with HAProxy, it's not by any means the best solution to secure access to your apps.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.