Netgate Discussion Forum

Password protecting a forward, is it possible?

9 Posts 3 Posters 3.6k Views
    vladk
    last edited by Apr 13, 2015, 3:07 PM

    We moved from Cisco to pfSense and one of the features I can not figure out is password protecting a route/forward.

    So if we have a forward to ports 80/443 from external IP to internal server, I'd like to password protect it.

    Only people with login/pw should be able to hit that port and after logging in see the site that's on the server behind.

    This feature was easy on Cisco but I can not figure out how to do that in pfSense. Is something like that available? If not, is there any other way to secure the sites on the internal server but still make them accessible from outside?

    Thanks.

      KOM
      last edited by Apr 13, 2015, 3:23 PM

      No, there is no such method on pfSense. Usually, one puts a password on the resource being accessed. Assuming you're talking about a web server, there are a zillion ways to limit access based on credentials.

        vladk
        last edited by Apr 13, 2015, 3:55 PM

        Do you mind naming one that will lock down the whole server (with dozens of sites) but only to the outside world and not to the internal network?

        Thanks.

        P.S. The server is Windows 2012 R2 running IIS.

          KOM
          last edited by Apr 13, 2015, 5:04 PM

          > Do you mind naming one that will lock down the whole server (with dozens of sites) but only to the outside world and not to the internal network?

          That wasn't your original requirement.  I'm not aware of a way to make a Windows box do a challenge only on access from a particular network, but I'm not a Windows magician.  It's simple under Apache.

            johnpoz LAYER 8 Global Moderator
            last edited by Apr 14, 2015, 12:47 PM

            How exactly were you doing that on Cisco? Forwards of ports don't have auth on them.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              KOM
              last edited by Apr 14, 2015, 1:08 PM

              > Forwards of ports don't have auth on them.

              He was talking about the route being password-protected, not the port-forward.

                johnpoz LAYER 8 Global Moderator
                last edited by Apr 14, 2015, 3:38 PM Apr 14, 2015, 3:35 PM

                "I can not figure out is password protecting a route/forward."

                How do you password protect a route in Cisco?? You can firewall what source IPs can use a forward, but if you want a password to access a resource, that would be done on the service-providing box or a proxy between them, etc.

                I know how you set up authentication to your neighbor routers so you're sure you're getting good routes. But I have never heard of a user providing a password to use a router or a forward. So he says it's easy to do on Cisco, so curious what he was doing? Was it some sort of captive portal?

                  vladk
                  last edited by Apr 15, 2015, 2:35 PM

                  It has been a while since we decommissioned our Cisco router so I don't remember.

                  All we had to do was specify that for a particular route (our IIS server) you had to provide credentials to log in (credentials were specified right there on the router). Everyone coming from outside the network had to go through the Cisco first and then if they got credentials correctly they'd be allowed to get to the server.

                  It might have been a captive portal, I don't remember at this point. I think the router was ASA5505 so there might be something in the docs.

                    johnpoz LAYER 8 Global Moderator
                    last edited by Apr 18, 2015, 10:41 AM

                    Sounds more like an SSL-based VPN to me. That, yes, the ASA supports; this has nothing to do with routing or forwarding. And no, pfSense does not support that.


                    1 Reply Last reply Reply Quote 0
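The thread mentions that a network-conditional challenge is simple under Apache and that a password belongs on the service box or on a proxy in front of it. As an added example (not posted by anyone in the thread), here is an Apache 2.4 reverse-proxy virtual host that lets the internal subnet through without a prompt and demands a login from every other source. The hostname, IP addresses, subnet and file paths are assumed placeholders.

```apache
# Added example; every name, address and path below is an assumed placeholder.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic, mod_authn_file,
# mod_authz_host and mod_authz_user.
<VirtualHost *:443>
    ServerName sites.example.com
    ServerAlias *.example.com

    # Basic auth sends credentials base64-encoded, not encrypted,
    # so the challenge must only ever be issued over TLS.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sites.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/sites.example.com.key

    # Forward everything to the internal IIS box and keep the original
    # Host header so IIS can still select among its host-header sites.
    ProxyRequests     Off
    ProxyPreserveHost On
    ProxyPass        "/" "http://10.0.0.20/"
    ProxyPassReverse "/" "http://10.0.0.20/"

    <Location "/">
        AuthType Basic
        AuthName "External access"
        AuthBasicProvider file
        # Create with: htpasswd -B -c /etc/apache2/external.htpasswd <user>
        AuthUserFile /etc/apache2/external.htpasswd

        # Access is granted if EITHER condition holds: the request comes
        # from the internal subnet, or the client presents a valid login.
        # Internal clients are therefore never challenged.
        <RequireAny>
            Require ip 10.0.0.0/24
            Require valid-user
        </RequireAny>
    </Location>
</VirtualHost>
```

`Require ip` matches the TCP source address Apache sees, so the exemption only works if internal clients reach the proxy with their LAN address, and the 80/443 port forward has to point at this proxy rather than at IIS or external clients bypass the challenge entirely.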
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.