Advanced WiFi isolation



  • Dear pfSense experts,

    pfSense box in our office has WAN, LAN, DMZ and WIFI interfaces. We have some services (Exchange/Lync) on our LAN, external users routed via DMZ to access them. So when I start Lync on my device (laptop or smartphone) home (externally, not from office) I can access and login to Exchange/Lync. I want to isolate the public WIFI from the rest of my network and "show" WIFI users to pfSense box like they come from Internet.

    Typical firewall rule below works perfect to isolate internal networks:

    allow WiFi to not (internal networks alias) any port

    But with this firewall rule WIFI users cannot access and login to Exchange/Lync.

    What is the best way to do this trick? Firewall rule or some kind of routing?


  • Rebel Alliance Global Moderator

    allow the ports you want to the IPs you want in the wifi interface firewall rules, above your rule that blocks them from internal networks..



  • Johnpoz, thanks for your post.

    When I allow the ports like you suggest Lync and Exchange use internal (self signed) certificates. And smartphones (and non domain member computers) have difficulties with it.

    So I need some kind of isolation (routing or firewalling) to let WIFI users really come from external interface. Any idea?


  • Rebel Alliance Global Moderator

    Huh.. How are the certs public when coming from public side and selfsigned when coming from internal?

    You do understand you can use the same fqdn to access via it be from public or internal.  Just setup your local dns to resolve the fqdn on the cert to the private IP..



  • Johnpoz, this part is done by 3rd party and I cannot change it.

    So I wonder if I can do the trick on firewall level…


  • Rebel Alliance Global Moderator

    Huh??  What part is done by 3rd party?

    Why is it always like pulling teeth with 2 toothpicks trying to get information..

    We are not mind readers.. If you want help your going to have to explain your setup..  What part is done by 3rd party the cert on the servers?  So what??



  • I mean Exchange / Lync / split dns installation is done by 3rd party. I have an access to pfSense box and I wonder if I can do this advanced WiFi isolation with just pfSense firewall rules…


  • Rebel Alliance Global Moderator

    Yes you can do whatever firewall rules you want on pfsense.  Your saying you don't run dns on pfsense?  Do clients behind pfsense, say your wifi ask pfsense for dns?  Or do they point to something else?

    If they ask pfsense, then you can put in an override to resolve anything you want to any IP you want.  You can make www.google.com resolve to 192.168.1.14 if you wanted to for example.



  • Your saying you don't run dns on pfsense?

    my pfSense box forwards all DNS requests from LAN clients to internal DNS servers so split DNS can work.

    Do clients behind pfsense, say your wifi ask pfsense for dns?  Or do they point to something else?

    I enabled DHCP service on my pfSense box for WIFI clients. I do not care about split DNS on WIFI so I provide public Google DNS via DHCP.

    DNS override idea sounds interesting. Can I enable it for WIFI clinets only?


  • Rebel Alliance Global Moderator

    "I do not care about split DNS on WIFI so I provide public Google DNS via DHCP."

    Well there is your problem, let them use your dns that forwards to wherever and you can put in host overrides that point specific fqdn to their private IPs on your network.

    As to who would use the overrides would be anyone using pfsense for dns.  But those should only be people behind your pfsense, so I would think all of them should use your overrides.