Netgate Discussion Forum
    Access to an internally hosted website.

    Category: NAT
    rspalding:

      :-\ Here's the problem... hopefully I will be able to explain this so it can be understood. We currently have two pfSense portals. One is used for our VOIP system. The other is our data. Both reside on the same physical server. We have our network divided up using 8 different VLANs. VLAN 5 is where all 'guest' traffic flows. We use that VLAN to offer external internet access to guests with no access to our internal network.

      We also currently have several websites that are hosted internally. Our main website, www.calvarychurch.org, is hosted outside our firewall, so access to that is not a problem for people on our internal 'guest' network. We also have multiple websites that we host internally. Those are what we have a problem with. We find that when someone inside our firewall tries to access an internal website they get blocked, because pfSense sends the request directly to the destination and we are currently blocking all traffic to the LAN. Getting on a browser and going to the web address does not work, because pfSense is smart enough to route the traffic directly instead of outside and back in.

      Can anyone give me a hand with how to structure and write the rules necessary to get traffic allowed into our network but ONLY to the selected directories/files (Websites) that we want. We don't want any access to the network as a whole.

      Also, we apparently need some sort of logging capability if we do establish an open access point... but that is a question for another forum.

      podilarius:

        You are looking for either "NAT Reflection" or split-brain (split-horizon) DNS. Both can be set up in pfSense, or you can set up split-brain DNS (or just internal DNS servers) to hand out the local address instead of the internet one on just about any DNS system.
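
        Added example, not part of the reply above: the split-DNS override that the reply recommends, written as the Unbound configuration that pfSense's DNS Resolver (Services > DNS Resolver > Host Overrides) generates for a host override. The hostname intranet.example.org, the LAN address 192.168.10.20 and the resolver address 192.168.5.1 are assumptions chosen for illustration; substitute the real internally hosted sites and their server addresses. NAT reflection, the other option named in the reply, is a pfSense setting under System > Advanced > Firewall & NAT and needs no resolver change.

```conf
server:
    # Added example (not from the thread); names and addresses are hypothetical.
    #
    # Without an override, a client on the LAN or guest VLAN resolves the
    # public address of the site, and its connection is sent out toward the
    # WAN and never comes back in unless NAT reflection is enabled.
    #
    # With the override, internal clients get the LAN address of the web
    # server directly and connect to it on the inside.
    local-data: "intranet.example.org. IN A 192.168.10.20"

    # Optional reverse mapping so reverse lookups of the server resolve too.
    local-data-ptr: "192.168.10.20 intranet.example.org"
```

        Two practical checks. First, from a host on the guest VLAN, `host intranet.example.org 192.168.5.1` (the pfSense address on that VLAN) should return 192.168.10.20; from outside, the same name must still return the public address. Second, split DNS only changes the answer, not what the firewall allows: the guest VLAN still needs a pass rule from VLAN 5 to 192.168.10.20 on TCP 80 and 443 only, with the existing block to the rest of the LAN left in place, and guest clients must actually use the pfSense resolver (a rule forcing or redirecting guest DNS to it prevents a client configured with a public resolver from bypassing the override).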

        marcelloc:

          Firewall rules will not work.

          To restrict folders/files, you must use an HTTP reverse proxy to filter at layer 7.

          On pfSense you can use varnish, apache+mod_security or squid.

          I recommend varnish if you want speed and mod_security if you want to enable full layer 7 rules for your web server.

          Elite Training: http://sys-squad.com

          Help a community developer! ;D
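
          Added example, not code from the post above or from any of the proxies it names: the path allowlist check that a layer 7 reverse proxy must perform to confine guests to selected directories, shown as a stand-alone Python function so the failure modes are visible. The allowed prefixes `/calendar/` and `/sermons/` are hypothetical, as are the request targets fed to it. It goes slightly beyond the post by handling the cases a naive "starts with" check gets wrong: `..` segments, percent-encoded separators, double encoding, and a prefix that matches a longer directory name.

```python
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit
import posixpath

# Hypothetical allowlist (not from the thread): the only directories on the
# internal web server that guests may reach. Everything else is refused at
# the proxy before it reaches the web server or the LAN.
ALLOWED_PREFIXES = ("/calendar/", "/sermons/")


def canonical_path(raw_target: str) -> Optional[str]:
    """Reduce an HTTP request target to the path the backend would actually
    serve. Returns None for targets a filter must refuse rather than guess at."""
    path = urlsplit(raw_target).path          # drop ?query and #fragment
    path = unquote(path)                      # exactly one percent-decode
    # After one decode no '%' may remain: a double-encoded '%252e%252e'
    # would be decoded again by the backend and walk out of the prefix.
    if "%" in path or "\x00" in path or "\\" in path:
        return None
    if not path.startswith("/"):              # relative or empty target
        return None
    norm = posixpath.normpath(path)           # collapse '.', '..' and '//'
    if path.endswith("/") and norm != "/":
        norm += "/"                           # keep the directory marker
    return norm


def is_allowed(raw_target: str, prefixes=ALLOWED_PREFIXES) -> bool:
    """True only if the canonical path lies inside an allowed directory.
    Matching is on whole path segments, so '/calendar/' does not admit
    '/calendarx/'. Matching is case-sensitive, as Unix web roots are."""
    norm = canonical_path(raw_target)
    if norm is None:
        return False
    for prefix in prefixes:
        if norm.startswith(prefix) or norm == prefix.rstrip("/"):
            return True
    return False


def review(targets: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify a batch of request targets; handy for replaying a proxy log."""
    return [(t, "allow" if is_allowed(t) else "deny", canonical_path(t))
            for t in targets]


if __name__ == "__main__":
    # Constructed sample targets, including the usual bypass attempts.
    samples = [
        "/calendar/march.html",
        "/sermons/",
        "/calendar/../admin/",
        "/sermons/..%2f..%2fadmin",
        "/sermons/%252e%252e/admin",
        "/calendarx/secret.html",
        "/",
    ]
    for target, verdict, canon in review(samples):
        print(f"{verdict:5} {target!r:32} -> {canon!r}")
```

          The query string is deliberately ignored: what the application does with `?file=` is the application's own input-validation problem and a path allowlist cannot fix it. The `%` check after decoding is the conservative choice; a site that legitimately needs literal percent signs in paths would have to decode a second time and re-canonicalize instead.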

          podilarius:

            You don't need anything that CPU- or space/memory-intensive to accomplish what you are trying to do. IMO NAT reflection or split DNS should suffice.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.