The simplest way to do this (for the users anyway) is to run a webserver inside 
the client's network and serve out a web-based proxy (e.g. phpMyProxy), 
authenticating users at the PHP proxy (using htpasswd or any other Apache auth 
module).

This would allow the users to browse to a web site which would then proxy the 
request through their internal network. Of course you would want to use SSL 
encryption and strict user authentication policies as well as possibly 
restricting requests to the proxy by IP address. You would probably also want 
to modify the PHP script to automatically forward the user to the site so they 
cannot use the proxy to browse whatever they like.

Regards,
Daniel Davis
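An added example (not from Daniel's message or the pfSense project) of the setup he describes, using Apache's own mod_proxy pinned to the one restricted site in place of a PHP proxy script: TLS, htpasswd authentication and a source-IP restriction are combined, and ProxyRequests is off so the host cannot be used as an open proxy. Hostnames, file paths and addresses are placeholders; it assumes mod_ssl, mod_proxy, mod_proxy_http, mod_authn_file and mod_authz_host are loaded on Apache 2.4.

```apache
# Added example, not from the thread. Reverse proxy on a host inside the
# client's network that only ever reaches the single protected web site.
Listen 443
<VirtualHost *:443>
    ServerName portal.example.com

    # TLS so credentials never travel in the clear
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/portal.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/portal.example.com.key

    # Not a forward proxy: users cannot ask this host to fetch arbitrary URLs
    ProxyRequests Off
    # Needed because the backend is itself reached over HTTPS
    SSLProxyEngine on
    # Pin every request to the restricted site (placeholder hostname)
    ProxyPass        / https://restricted-site.example.net/
    ProxyPassReverse / https://restricted-site.example.net/

    <Location "/">
        # Basic auth over TLS, accounts managed with the htpasswd tool
        AuthType Basic
        AuthName "Restricted site"
        AuthUserFile /etc/apache2/portal.htpasswd
        # Require BOTH a valid login AND a permitted source address
        <RequireAll>
            Require valid-user
            Require ip 203.0.113.0/24 198.51.100.10
        </RequireAll>
    </Location>

    # Separate log so access to the protected site can be reviewed
    CustomLog /var/log/apache2/portal_access.log combined
</VirtualHost>

# Send plain-HTTP visitors to HTTPS so no password is ever typed over port 80
<VirtualHost *:80>
    ServerName portal.example.com
    Redirect permanent / https://portal.example.com/
</VirtualHost>
```

Create the password file with `htpasswd -c /etc/apache2/portal.htpasswd alice` (drop `-c` for subsequent users), and the restricted site's own IP allow-list then only needs the proxy host's address rather than every home user's.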



From: Chuck Mariotti [mailto:cmario...@xunity.com]
Sent: Wednesday, 9 February 2011 2:20 PM
To: support@pfsense.com
Subject: [pfSense Support] Restrict a web site access by remote IP address 
block, gain access by VPN into that block?

I'm not sure how best to describe this situation without it getting wordy.

We have a number of servers behind a pfSense firewall at a datacenter. One of 
the servers is a web site that needs to be accessible only by computers on our 
client's network (also behind pfSense elsewhere)... This solution has been 
implemented and working based on IP address restrictions.

Now the client wants to allow a few people access to the web site while at 
home. Unfortunately, password protecting it is not an option. VPN access seems 
to be the only option, but I'm wondering what the best approach would be.

We do not want to allow VPN access into the datacenter network and 
administratively this would be a hassle. Instead, we would like to force these 
home users onto the client network, using the client's gateway ... resulting in 
an allowable IP address to the restricted web site. This is simple to 
implement, but creates a lot of additional traffic if we leave them using the 
default gateway.

Unfortunately, the client network is using a wireless connection that pays by 
the gigabyte. This will be an issue when a home user forgets to stop 
downloading music, movies, etc... We also would prefer not to install a new 
VPN client (like OpenVPN, even though it looks like the best solution).

I was thinking a simple PPTP connection (not sure if this would work really), 
turning off the default gateway on the client end... Then, using pfSense on the 
client network, make a rule that would map an internal IP address 
(10.10.10.100) to the web site's public IP address... Then, make a public DNS 
entry mapped to the internal IP address and instruct the users to use this new 
DNS entry when remotely accessing this restricted site.  Would this work?

I guess my other question is, what is the best way to get this to work?

Regards,
Chuck
