Hi,

I am wondering if the following setup is possible to achieve:

A number of people at my company work at home by running a VNC server on their desktops, and connected to them from their home machines. It is often a better choice than using a VPN because it makes security much easier, and saves installing work-related software on a home machine.

Since there are several people doing this, I have a series of port forwards from the firewall/router machine's external IP address, so that port 59001 is routed to 5900 on internal PC 1, port 59002 is routed to port 5900 on PC 2, and so on.

What would be very neat would be a kind of "captive portal" arrangement where the external user would first use a browser to connect to the firewall/router and log in. After a successful login, the firewall/router would forward external port 5900 to that user's internal PC for the one specific external IP address.

The result would be more secure than individual port forwards (since it is easier to enforce password policy, and to log logins), more scalable (new users just means new entries in the user table rather than additional firewall rules), and easier to manage (all users access VNC using the same addresses, and the same standard port).

Obviously there are other similar situations when such a system could be used, such as for the samba ports to allow people access to their desktop drives from the outside in a reasonably secure way (no encryption, but at least access would only be from specific IP addresses).

I don't think there is anything difficult about the underlying technology here - it's just port-forward rules that depend on the incoming IP source address. But it would need a sort of captive-portal style interface.


Is such a setup possible with pfSense, but I just don't know about it (my copy of the book has not yet arrived...)? Is it something that would be useful to others, and could go on a features request list? Is it a silly idea because of some security issue I haven't thought of?

mvh.,

David
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
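The two schemes David describes, the fixed per-desktop external ports in use today and the proposed single shared port mapped per authenticated source address, written out as pf `rdr`/`pass` rules by a small generator. This is an added illustration, not pfSense's own code or feature; the user table, the `em0` interface name, the addresses and the session timeout are all constructed assumptions.

```python
from ipaddress import ip_address

# Constructed user table: VNC user -> internal desktop (assumed addresses)
USERS = {"alice": "192.168.1.11", "bob": "192.168.1.12", "carol": "192.168.1.13"}
EXT_IF = "em0"          # assumed WAN interface name
VNC_PORT = 5900
SESSION_TTL = 3600      # seconds an authenticated source address stays mapped


def static_forwards(users, base_port=59001):
    """Current scheme from the post: one fixed external port per desktop.

    Every rule is open to any source address, so each user's VNC password
    is the only thing standing between the Internet and that desktop."""
    rules = []
    for port, (user, host) in zip(range(base_port, base_port + len(users)),
                                  sorted(users.items())):
        rules.append(f"rdr on {EXT_IF} proto tcp from any to ({EXT_IF}) "
                     f"port {port} -> {host} port {VNC_PORT}  # {user}")
    return rules


def session_forwards(users, sessions, now):
    """Proposed scheme: one shared external port, mapped only for source
    addresses that logged in through the portal.

    sessions: list of (user, source_ip, login_time). Unknown users and
    sessions older than SESSION_TTL are dropped, so a stale entry cannot
    keep a mapping alive after the remote address is reassigned."""
    rules = []
    for user, src, login_time in sessions:
        if user not in users or now - login_time > SESSION_TTL:
            continue
        ip_address(src)  # reject a malformed address before it reaches pf
        host = users[user]
        rules.append(f"rdr on {EXT_IF} proto tcp from {src} to ({EXT_IF}) "
                     f"port {VNC_PORT} -> {host} port {VNC_PORT}")
        rules.append(f"pass in quick on {EXT_IF} proto tcp from {src} "
                     f"to {host} port {VNC_PORT}")
    # Default deny: untranslated traffic to the shared port is blocked, so an
    # address that never logged in (or whose session expired) gets nothing.
    rules.append(f"block in quick on {EXT_IF} proto tcp "
                 f"to ({EXT_IF}) port {VNC_PORT}")
    return rules
```

Note that the per-source mapping only restricts who can reach the port; VNC traffic itself is still unencrypted, as the post already acknowledges for samba.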
