Securing internal network from external network access - 2 factor authentication


I have my own domain.
Behind the cable-provider modem a GL-AX1800 is installed.
This has some port forwarding rules for different services (NAS, guacamole, ....)
All these services have their own authentification.
But is it possible to install on router-level before port-forwarding happens some 2 factor authentication to increase security??
So this means when accessing the domain via the different ports I have to authenticate with username+password + e.g. google authenticator.
Just after successful authentification the port-forwaring will take place.



Are you connecting from the Internet?

If yes then suggest you use VPN.

That's not really the job for the router.

The best way to expose services would be to use a reverse proxy, something like nginx proxy manager and then just portforward 80 and 443 to nginx proxy manager. When I say best way to expose services I'm talking about selfhosted content that requires to be public without a wireguard client. Services like selfhosted nextcloud, jellyfin etc. For sensitive services or services that only you need to access then a VPN is the best way to reach the service as it's not public facing (if you don't put it on nginx proxy manager) never reverse proxy admin pages / login pages of LAN devices, that's asking for trouble.

On nginx proxy manager you can then add basic Auth - there's also Authlia docker which can add 2fa

I use nginx proxy manager for my services. By the way guacamole has 2FA option already in the image.

If you don't want to open ports you can also check out cloudflare tunnels which also has Auth options.

Also don't expose your NAS login to the internet! Remove that portforward. For NAS access use either wireguard or openvpn to connect back to your network (enable Remote Access LAN on the VPN client).