pfSense Not Routing Public WiFi to Internal Web Server



  • We used to have our OpenMesh WiFi network on its own network with a physical Firewall that connected to a switch that was on our router. (Inherited setup) Our pfSense router sends all HTTP/HTTPS requests on our Public IP address to a Windows IIS server that does reverse proxy to send to the appropriate internal web server/site. This was working fine.

    I set up a new SSID in OpenMesh that has LAN access and left the original SSID as is for public Internet access. I then connected the OpenMesh WiFi network directly to our internal network. Now, the private SSID (newly created SSID) works fine and is part of the internal network, as desired.

    However, the public SSID (original) will NOT route to the IIS Reverse Proxy server. Instead, it stops at our router and is not forwarded. This is ONLY happening for those connected to the PUBLIC WiFi SSID. Anyone on the local network (internal DNS server routes to the proper internal server) or on an outside network routes fine. For instance, my phone on only my carrier's data network will route to the proper internal IIS server based on the URL. Once I connect the device to the public WiFi, I can browse the Internet, but pfSense is not routing the URLs to our internal web servers. Instead, I get the pfSense login screen.

    Any ideas what I'm missing here? Thanks in advance!


  • Netgate Administrator

    This pretty much:
    https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html

    If you can't do split DNS for that traffic you need to enable NAT reflection.

    Steve
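To make the point in the reply above concrete, here is a small Python model of how a WAN-bound port forward treats a connection depending on the interface it arrives on, with and without NAT reflection, and what split DNS changes. This is an added illustration written for this page, not pfSense code and not something posted in the thread; the addresses (203.0.113.10, 10.0.0.0/24, 10.0.0.80), the hostname www.example.com and the interface names are invented, and the rule matching is a simplified stand-in for pf's actual rule processing.

```python
"""
Model of a pfSense-style port forward bound to WAN, exercised from the
Internet, from a LAN host, with NAT reflection, and with split DNS.
Added example for this thread; addresses and names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PortForward:
    interface: str    # interface the rule is bound to, e.g. "WAN"
    dst_ip: str       # address the rule matches (normally the WAN IP)
    dst_port: int
    target_ip: str    # internal server behind the firewall
    target_port: int


@dataclass(frozen=True)
class Firewall:
    addresses: dict   # interface name -> address assigned to the firewall
    networks: dict    # interface name -> directly attached subnet
    forwards: tuple   # PortForward rules
    nat_reflection: bool = False

    def ingress_interface(self, src_ip):
        """Interface a packet from src_ip arrives on: a directly attached
        subnet if one matches, otherwise WAN (it came via the default route)."""
        for name, net in self.networks.items():
            if ip_address(src_ip) in ip_network(net):
                return name
        return "WAN"

    def handle(self, src_ip, dst_ip, dst_port):
        """Return (verdict, final_ip, final_port) for a new connection."""
        ingress = self.ingress_interface(src_ip)
        for fwd in self.forwards:
            if fwd.dst_ip == dst_ip and fwd.dst_port == dst_port:
                # A port forward only matches traffic entering the interface
                # it is bound to, unless NAT reflection duplicates it onto
                # the internal interfaces as well.
                if ingress == fwd.interface or self.nat_reflection:
                    return ("forwarded", fwd.target_ip, fwd.target_port)
        if dst_ip in self.addresses.values():
            # Nothing rewrote the destination and it is one of the firewall's
            # own addresses: the firewall answers itself (its web GUI on 443).
            return ("local", dst_ip, dst_port)
        # Ordinary destination: no NAT involved, plain routing/switching.
        return ("direct", dst_ip, dst_port)


# Constructed DNS data: the public record vs. a split-DNS host override.
PUBLIC_DNS = {"www.example.com": "203.0.113.10"}
SPLIT_DNS = {"www.example.com": "10.0.0.80"}


def resolve(name, zone):
    """Look a name up in the given (constructed) zone."""
    return zone[name]


FW = Firewall(
    addresses={"WAN": "203.0.113.10", "LAN": "10.0.0.1"},
    networks={"LAN": "10.0.0.0/24"},
    forwards=(PortForward("WAN", "203.0.113.10", 443, "10.0.0.80", 443),),
)
FW_REFLECT = Firewall(FW.addresses, FW.networks, FW.forwards, nat_reflection=True)


def demo():
    """Replay the thread's situations; returns {case: verdict}."""
    name = "www.example.com"
    cases = {
        "internet_client": FW.handle("198.51.100.7", resolve(name, PUBLIC_DNS), 443),
        # Guest-SSID clients are NATed by the AP, so the firewall sees the
        # AP's LAN address, and the AP's resolver returns the public record.
        "guest_wifi_no_reflection": FW.handle("10.0.0.50", resolve(name, PUBLIC_DNS), 443),
        "guest_wifi_nat_reflection": FW_REFLECT.handle("10.0.0.50", resolve(name, PUBLIC_DNS), 443),
        # A LAN client using the firewall's resolver gets the internal
        # address from the host override, so no NAT is needed at all.
        "lan_client_split_dns": FW.handle("10.0.0.60", resolve(name, SPLIT_DNS), 443),
    }
    return {case: result[0] for case, result in cases.items()}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} -> {verdict}")
```

The "local" verdict is the symptom reported in the first post: the request reaches the firewall's own address on a non-WAN interface, the WAN port forward does not apply, and the firewall's web GUI answers. Enabling reflection or pointing the client's resolver at the internal address both avoid it; which one is workable depends on who serves DNS to the client.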



  • Thanks for that info. I'm going to read up on that. I tried enabling NAT reflection for a moment and that did fix my issue. However, it had worse effects on other parts of our network. LOL! I'll see what I can do.

    Again, thanks!



  • The OpenMesh APs connect to our internal network and have an internal IP. For the Public/Guest WiFi, it acts as its own DHCP/DNS/Gateway for the clients that connect to the AP. It then only routes traffic from the AP to our pfSense router to get access to the Internet while not allowing access to the internal network.

    Split DNS is not making a difference since the client DNS server is the AP, not the pfSense router. I tried the other options but had all kinds of issues.

    I'll take a look at the switches we have (hadn't reviewed them yet since I'm new with this company) and see if maybe I can set up a VLAN for the public WiFi and only allow the VLAN to access the Internet.

