We have experimented with a kind of "reverse captive portal" where
logging in to another web site (temporarily) adds your IP to the list
in pfSense.  Maybe you could try something like that.

Moshe

On Tuesday, February 8, 2011, Chuck Mariotti <cmario...@xunity.com> wrote:
>
> I’m not sure how best to describe this situation without it getting wordy.
>
> We have a number of servers behind a pfSense firewall at a datacenter. One of 
> the servers is a web site that needs to be accessible only by computers on 
> our client’s network (also behind pfSense elsewhere)… This solution has been
> implemented and working based on IP address restrictions.
>
> Now the client wants to allow a few people access to the web site while at
> home. Unfortunately, password protecting it is not an option. VPN access
> seems to be the only option but I’m wondering what the best approach would
> be.
>
> We do not want to allow VPN access into the datacenter network and
> administratively this would be a hassle. Instead, we would like to force
> these home users onto the client network, using the client’s gateway …
> resulting in an allowable IP address to the restricted web site. This is
> simple to implement, but creates a lot of additional traffic if we leave
> them using the default gateway.
>
> Unfortunately, the client network is using a wireless connection that pays by
> the gigabyte. This will be an issue when a home user forgets to stop
> downloading music, movies, etc…  We also would prefer not to install a new
> VPN client (like OpenVPN, even though it looks like the best solution).
>
> I was thinking a simple PPTP connection (not sure if this would work really),
> turning off the default gateway on the client end… Then, using pfSense on the
> client network, make a rule that would map an internal IP address
> (10.10.10.100) to the web site’s public IP address… Then, make a public DNS
> entry mapped to the internal IP address and instruct the users to use this
> new DNS entry when remotely accessing this restricted site.  Would this work?
>
>
> I guess my other question is, what is the best way to get this to work?
>
> Regards,
> Chuck

-- 
------------------------------
Moshe Katz
KatzNet Computers
-- mo...@ymkatz.net
-- kohenk...@gmail.com
-- mk...@zment.com
-- mmk...@umd.edu
-- kohenk...@aim.com
-- moshek...@verizon.net
-- kohenk...@inbox.com
-- kohenk...@protonic.com
-- +1(301)867-3732
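
Added example (not part of the original thread, and not code from either poster): a sketch of the bookkeeping behind the "reverse captive portal" idea in the reply above, where a successful login elsewhere temporarily puts the visitor's address on the firewall's allow list. The class name, the 4-hour lifetime and the one-address-per-line output are assumptions; how the firewall picks up the list is not described in the thread.

```python
import ipaddress
import time


class TempAllowlist:
    """Source addresses allowed through the firewall until their entry expires."""

    def __init__(self, ttl_seconds=4 * 3600):  # lifetime is an assumed value
        self.ttl = ttl_seconds
        self._expiry = {}  # ip address object -> expiry time (unix seconds)

    def grant(self, peer_ip, now=None):
        """Call after a successful login. peer_ip must be the TCP peer address
        seen by the login site, never a client-supplied header value."""
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(peer_ip)  # ValueError on malformed input
        if not ip.is_global:
            # A private or reserved peer usually means the login site sits
            # behind a proxy; allowing it would not identify the home user.
            raise ValueError(f"refusing non-public address {ip}")
        self._expiry[ip] = now + self.ttl  # logging in again renews the entry
        return self._expiry[ip]

    def active(self, now=None):
        """Drop expired entries and return the remaining addresses, sorted."""
        now = time.time() if now is None else now
        self._expiry = {ip: t for ip, t in self._expiry.items() if t > now}
        return sorted(self._expiry, key=lambda ip: (ip.version, int(ip)))

    def render(self, now=None):
        """One address per line, for the firewall side to load as its list."""
        return "".join(f"{ip}\n" for ip in self.active(now))


if __name__ == "__main__":
    allow = TempAllowlist(ttl_seconds=3600)
    # Constructed sample addresses and timestamps.
    allow.grant("93.184.216.34", now=1000)
    allow.grant("1.2.3.4", now=2000)
    print(allow.render(now=2500), end="")
    print(allow.render(now=4600), end="")  # first entry has expired
```

Because the rule matches on source address only, everyone behind the same home NAT address is admitted until the entry expires, so the lifetime bounds that exposure.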
