Access to an internally hosted website.



  • :-\ Here's the problem... hopefully I will be able to explain this so it can be understood. We currently have two pfSense portals. One is used for our VOIP system. The other is our data. Both reside on the same physical server. We have our network divided up using 8 different VLANs. VLAN 5 is where all 'guest' traffic flows. We use that VLAN to offer external internet access to guests with no access to our internal network.

    We also currently have several websites that are hosted internally. Our main website, www.calvarychurch.org, is hosted outside our firewall, so access to that is not a problem for people on our internal 'guest' network. We also have multiple websites that we host internally. Those are what we have a problem with. We find that when someone inside our firewall tries to access an internal website they get blocked because pfSense sends the request directly to the destination, currently blocking all traffic to the LAN. Getting on a browser and going to the web address does not work because pfSense is smart enough to route traffic directly instead of outside and back in.

    Can anyone give me a hand with how to structure and write the rules necessary to get traffic allowed into our network but ONLY to the selected directories/files (websites) that we want? We don't want any access to the network as a whole.

    Also, we apparently need some sort of logging capability if we do establish an open access point... but... that is a question for another forum.



  • You are looking for either "NAT Reflection" or split brain (horizon) DNS. Both can be set up in pfSense, or you can set up split brain DNS (or just internal DNS servers) to hand out the local address instead of the internet one on just about any DNS system.
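    The split-horizon behaviour described in this reply, written out as an added Python illustration (not code from the thread or from pfSense): the resolver picks a "view" from the querying client's source subnet and returns the LAN address of the web server to inside clients while outside clients keep getting the public address. The names, addresses and subnets are constructed placeholders; in pfSense the same effect comes from Host Overrides in the DNS Resolver.

```python
import ipaddress

# Constructed sample zone data. "www.example.org" stands in for one of the
# internally hosted sites; the addresses are documentation ranges, not the
# poster's real hosts.
PUBLIC_VIEW = {
    "www.example.org.": "203.0.113.10",    # address the internet sees (NAT'd)
}
INTERNAL_VIEW = {
    "www.example.org.": "192.168.20.10",   # the server's real LAN address
}

# Client subnets that should receive the internal view. Assumed to be the
# office VLANs plus the guest VLAN; adjust to the real addressing plan.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.5.0.0/24"),    # hypothetical guest VLAN 5
]


def canonical_name(name):
    """Lower-case the query name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def select_view(client_ip):
    """Pick the DNS view from the querying client's source address."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "public"


def resolve(name, client_ip):
    """Return the A record a split-horizon resolver would hand this client.

    Internal clients get the override if one exists and otherwise fall
    through to the public answer, so names without an override still
    resolve. External clients never see the internal view.
    """
    qname = canonical_name(name)
    if select_view(client_ip) == "internal" and qname in INTERNAL_VIEW:
        return INTERNAL_VIEW[qname]
    return PUBLIC_VIEW.get(qname)


if __name__ == "__main__":
    for client in ("192.168.30.44", "10.5.0.9", "198.51.100.7"):
        print(client, "->", select_view(client), resolve("WWW.example.org", client))
```

    Handing the guest VLAN the internal address only solves the routing half of the problem: the guest interface still needs a firewall rule that permits traffic to that one web server on ports 80/443 and nothing else, which is exactly the "no access to the network as a whole" constraint from the question.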



  • Firewall rules will not work.

    To restrict folders/files, you must use an HTTP reverse proxy to filter at layer 7.

    On pfSense you can use varnish, apache+mod_security or squid.

    I recommend varnish if you want speed and mod_security if you want to enable full layer 7 rules for your web server.
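    What the reverse proxy has to decide for each request, shown as an added Python example rather than a varnish or mod_security configuration from the thread: the request path is canonicalized (query string dropped, percent-encoding decoded once, `.` and `..` segments collapsed) before it is compared with a directory allowlist, so a path that only looks like it lives under an allowed site cannot reach the rest of the server. The allowed prefixes are constructed placeholders for the internally hosted sites.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed allowlist: the directory trees of the internally hosted sites
# that outside users may reach. Placeholder names, not the poster's real paths.
ALLOWED_PREFIXES = ("/calendar/", "/sermons/")


def normalize_path(request_target):
    """Reduce a request target to a canonical absolute path, or None if odd.

    The query string is dropped, percent-encoding is decoded once, and
    '.'/'..' segments are collapsed so that '/calendar/../admin' cannot slip
    past a prefix comparison. Backslashes, NUL bytes and anything still
    encoded after one decode (double-encoding) are rejected outright.
    """
    path = unquote(urlsplit(request_target).path)
    if not path.startswith("/") or "\\" in path or "\x00" in path:
        return None
    if "%" in path:
        return None
    norm = posixpath.normpath(path)
    # normpath strips the trailing slash; keep it so directory prefixes match.
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


def is_allowed(request_target, prefixes=ALLOWED_PREFIXES):
    """True only if the normalized path lies inside an allowed directory."""
    norm = normalize_path(request_target)
    if norm is None:
        return False
    for prefix in prefixes:
        # Accept the directory itself ("/sermons") and anything beneath it;
        # "/sermonsX" does not match because the prefix keeps its slash.
        if norm == prefix.rstrip("/") or norm.startswith(prefix):
            return True
    return False


def filter_request_line(line):
    """Parse an HTTP request line and return (method, target, allowed)."""
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return (None, None, False)
    method, target, _version = parts
    return (method, target, is_allowed(target))


if __name__ == "__main__":
    # Constructed sample request lines, as a proxy log would show them.
    for req in ("GET /calendar/events.html?month=5 HTTP/1.1",
                "GET /calendar/../admin/ HTTP/1.1",
                "GET /calendar%2f..%2fadmin HTTP/1.1",
                "GET /calendarevil/x HTTP/1.1"):
        print(filter_request_line(req))
```

    A proxy that enforces this also gives you the logging the question asks about for free: every decision above is a line worth writing to the proxy log with the client address, so denied requests from the guest VLAN are visible rather than silently dropped.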



  • You don't need anything that CPU or space/memory intensive to accomplish what you are trying to do. IMO NAT reflection or Split DNS should suffice.

