pfSense setup for a charity - Need three subnets to share one NAS
-
Hi there,
Please excuse me, I'm a novice.
I've used pfSense to set up SOHO networks with very basic setups before, but not really in-depth.
I've got a new project that's giving me trouble.
It's for a church/charity so it's minimal budget and I'm helping out.
We've got a Watchguard XTM5 running the latest version of pfSense community edition.
The organisation has a fibre broadband connection which we have bridged to the 10/100 port of the XTM5 and configured as a PPPoE WAN. It works. We have internet!
So then the XTM5 is configured as follows
192.168.1.0 (LAN) is the main back office - printers, static computers, ethernet devices and internal VOIP system (obviously connected to SIP trunks through the WAN) all of which are hardwired into an unmanaged switch. All devices can see each other, all can communicate back and forth to the internet.
192.168.2.0 (SERV) is the 'Server' subnet. It hosts a Kerio Mail/Groupware server on Windows Server 2008. It also connects to the internet just fine and users outside the network can access mail via POP3, IMAP and using a webmail HTML portal.
The config so far is based on a configuration I've used on a few basic setups including my own, wherein the SERV subnet particularly is subject to some NAT, port restrictions and firewall rules to keep only the essentials open to traffic.
Computers on the LAN can be used to log into the Server on the SERV subnet in order to use Windows Remote Connection to administrate the Server 2008 box and make changes directly to the Kerio mailserver. No configuration is in place to make administrative access from the WAN.
Then where this setup is augmented from the basic config that I use...
WIFI is a subnet 192.168.3.0 which is offered to staff and associates at the organisation to hook in their wifi devices, tablets, laptops, smartphones etc. for (generally) mostly internet access. It is a physical port on the XTM5 which is bridged to a Linksys WRT32X being used as a wifi access point. This access point uses the IP 192.168.3.1 (which is assigned to pfSense as an interface address) to connect to pfSense as admin and also as a gateway address, which presumably passes on DNS servers and DHCP address allocations.
and MESH is a subnet 192.168.4.0 which is an internet only Mesh Wifi Subnet for visitors and guests to the facility to use as a wifi hotspot. It is also a physical port which is bridged to a Tenda Nova MW5 Mesh kit repeating throughout the building.
Both WIFI and MESH are also happy independently connecting to the internet and functioning as wifi hotspots, able to connect to the admin panel (pfSense) on their respective networks.
However - and this is where I come unstuck - we now need to expand some of their access within the organisation's network.
WIFI needs to be able to access LAN - not least because the Qnap NAS is hosted on the LAN subnet, as are a couple of printers. I'd be interested in just being able to make those devices accessible, or granting access only to certain users on WIFI (though I suspect that's a lot more involved), as well as what 'catch all' I could use to just make LAN and WIFI visible to each other.
I also have an additional conundrum...
The server on SERV has, of course, an FQDN (ORGNAME.co.uk) and mobile devices or remote workers outside the LAN system can also log into webmail.ORGNAME.co.uk.
Back when this was first set up at the org, with just LAN and SERV, somehow mobile devices being used on the wifi which was an access point with a DHCP pool on LAN were able to access the server seamlessly through the LAN.
Now that the WIFI has been made its own subnet, some devices are struggling to connect to the server. They seem to be fine just getting mail using IMAP, but attempting to connect via the http interface to webmail.ORGNAME.co.uk just fails.
What am I missing here? How do I make pfSense identify and route that traffic internally - or indeed make it kick it out the WAN and let it back in again?
All help appreciated!
SampleX
-
Oops. Same theme...
Now been asked to create access to LAN hosted IP printers from WIFI too.
Please help.
-
Well, if you haven't set it up very strangely, the routes should already be there. But to be sure, you can check Diagnostics -> Routes. You can also try to ping a host on the other network. If you don't get something like "Destination net unreachable", chances are good that your routes are fine.
Most likely you need to add or adapt some firewall rules. Probably you have some firewall rules that restrict access between your LANs placed before the "allow to any" rule that allows Internet traffic, or the "allow to any" rule excludes your local networks?
I haven't completely understood your SERV setup. As far as I understand, webmail.ORGNAME.co.uk has a public IP so it is accessible from Internet? How do you map that to your private IP addresses?
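The reply's point about rule ordering is the crux of the WIFI-to-LAN question, so here is an added example (not part of the thread, and not pfSense's own code) that models how a pfSense interface tab evaluates rules: first match wins, because every GUI rule is a pf "quick" rule, and anything matching nothing is dropped by the implicit default deny. The subnets are the OP's; the NAS address 192.168.1.20, the printer addresses 192.168.1.31 and 192.168.1.32, the port lists, and the three rule sets are assumptions chosen to show the symptom (a "block internal nets" rule above the catch-all hides the NAS), the fix (narrow pass rules for the NAS and printers placed above that block rule), and the opposite mistake (catch-all first, which makes the block rule dead and opens LAN and SERV entirely).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Subnets from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
SERV_NET = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Hypothetical LAN hosts (the thread names no addresses): the QNAP NAS and two printers.
NAS = ipaddress.ip_network("192.168.1.20/32")
PRINTERS = (ipaddress.ip_network("192.168.1.31/32"),
            ipaddress.ip_network("192.168.1.32/32"))


@dataclass(frozen=True)
class Rule:
    """One pfSense interface rule (IPv4/TCP only; source is the interface's own net)."""
    action: str                                  # "pass" or "block"
    dst_nets: Tuple[ipaddress.IPv4Network, ...]  # destination networks/hosts
    dst_ports: Optional[frozenset]               # None means any destination port
    descr: str

    def matches(self, dst_ip: ipaddress.IPv4Address, dst_port: int) -> bool:
        return (any(dst_ip in net for net in self.dst_nets)
                and (self.dst_ports is None or dst_port in self.dst_ports))


def evaluate(rules, dst: str, dst_port: int):
    """First-match evaluation as on a pfSense interface tab: the first rule that
    matches decides and later rules are ignored; traffic matching no rule is
    dropped by the implicit default deny. Return traffic is handled by state,
    so only the client's initial direction needs to be modelled here."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(dst_ip, dst_port):
            return rule.action, rule.descr
    return "block", "implicit default deny"


# 1. A typical "internet only" WIFI tab: block the internal nets, then pass everything.
#    This shape of ruleset produces the OP's symptom (NAS and printers unreachable).
WIFI_INTERNET_ONLY = [
    Rule("block", (LAN_NET, SERV_NET), None, "block WIFI -> internal nets"),
    Rule("pass", (ANY,), None, "pass WIFI -> any"),
]

# 2. Fixed: narrow pass rules for the NAS and printers sit ABOVE the block rule, so
#    only those hosts and ports on LAN become reachable from WIFI.
WIFI_WITH_NAS_AND_PRINTERS = [
    Rule("pass", (NAS,), frozenset({445, 548}), "pass WIFI -> NAS (SMB, AFP)"),
    Rule("pass", PRINTERS, frozenset({9100, 631}), "pass WIFI -> printers (JetDirect, IPP)"),
] + WIFI_INTERNET_ONLY

# 3. Wrong order: the catch-all comes first, so the block rule is never reached and
#    all of LAN and SERV (including RDP on the mail server) is open to every WIFI client.
WIFI_CATCH_ALL_FIRST = [WIFI_INTERNET_ONLY[1]] + WIFI_WITH_NAS_AND_PRINTERS[:3]


def report(rules, probes):
    """Map each (dst, port) probe to the (action, rule description) that decided it."""
    return {(dst, port): evaluate(rules, dst, port) for dst, port in probes}


if __name__ == "__main__":
    # Constructed probes: NAS over SMB, NAS over SSH, a printer, RDP on SERV, a web site.
    probes = [("192.168.1.20", 445), ("192.168.1.20", 22),
              ("192.168.1.31", 9100), ("192.168.2.10", 3389), ("203.0.113.7", 443)]
    for name, rules in [("internet-only", WIFI_INTERNET_ONLY),
                        ("fixed", WIFI_WITH_NAS_AND_PRINTERS),
                        ("catch-all first", WIFI_CATCH_ALL_FIRST)]:
        print(f"== {name} ==")
        for (dst, port), (action, why) in report(rules, probes).items():
            print(f"  {dst}:{port:<5} -> {action:5} ({why})")
```

Two practical notes when translating this to the pfSense GUI: put the rules on the WIFI interface tab (rules apply to traffic entering that interface, so WIFI rules govern what WIFI clients can initiate), and remember that printer discovery via mDNS/Bonjour is link-local and will not cross the routed WIFI/LAN boundary on its own; the pass rules make the printers reachable by IP, but auto-discovery from phones and tablets needs an mDNS reflector such as the Avahi package or manual printer setup.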