    Guest WiFi issues accessing internal websites.

      Mitchell

      Hi folks, I've been using pfsense for years but only finally decided to join the forums! :)

      I have been recently involved in a project to redesign WiFi for our head office at work but am having a little trouble with DNS for internal web sites and services such as Exchange over HTTP.

      The scope of the project is to create two Wireless SSIDs, a Guest WiFi network and a Production WiFi network, and VLAN off the traffic to each.

      Hardware:

      pfsense 2.1.5 amd64 running on a Dell PowerEdge 2950 II with 2 onboard NICs and an Intel Quad Port card (1 LAN/1 WAN connected)
      3x Dell PowerConnect 5548 Switches in a Stack Configuration
      2x Ubiquiti Unifi AP 300 Access Points

      pfsense Interface Configuration:

      2 VLANs present on the LAN interface with IDs 1 and 4 (1 Primary VLAN and 4 Guest VLAN)
      VLAN 1 assigned to existing LAN interface (10.0.0.0/23)
      New OPT1 interface created and assigned to VLAN 4 for Guest Network
      Static IP of 192.168.0.1/24 assigned to OPT1 interface
      DHCP enabled on OPT1 for 192.168.0.2-192.168.0.254 scope

      Switch Configuration:

      Switch port going to the pfsense LAN connection set to tag VLAN IDs 1 and 4
      Switch ports connected to Unifi APs set to tag VLAN 4 and VLAN 1 untagged

      Access Point configuration:

      APs controlled from the primary LAN with a 2012 R2 VM and assigned static IPs
      Guest SSID tagged to VLAN 4

      pfsense Firewall Configuration:

      Outbound NAT rule to pass traffic from the WAN to Guest Network (192.168.0.0/24) on 1 public IP
      Outbound NAT rule to pass traffic from the WAN to the primary LAN (10.0.0.0/23) on 2 public IP
      Firewall Rule on Guest Network to pass any IPv4 but block access to primary LAN networks
      Firewall Rule to block all IPv6 traffic

      The Guest WiFi works as expected with internet access, however if I try and access our internal websites I get presented with an SSL cert error. Similarly if I try connecting to Exchange using ActiveSync it errors out.

      I had read that I either need to look at NAT Reflection or using Host Overrides in the DNS forwarder. I tried configuring both of these including host overrides for our internal web servers/services but with no joy.

      I'm probably missing something really basic here that's staring me in the face; I just can't think what it is.

      More than happy to provide any additional details if need be.

        KOM

        Run split DNS.  Your internal DNS should resolve the hostnames to their private IP addresses and not their public IP addresses.  NAT Reflection is not recommended unless it's your only option.

          Mitchell

          Hi KOM, thanks for the fast reply!

          How would I go about setting this up in the DNS Forwarder? Right now I have this configured as below:

          pfsense in General Setup has three of our ISP's DNS servers listed and uses the WAN gateway, which is our primary public static IP address. None of our internal AD/DNS servers are listed here.

          DNS Forwarder enabled on all interfaces.

          Thanks

            KOM

            Services - DNS Forwarder - Host Overrides

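Putting KOM's two replies (run split DNS; configure it under Services - DNS Forwarder - Host Overrides) into something checkable, as an added example that is not code from the thread or from pfSense: the hostnames, addresses and resolver answers below are constructed placeholders, and the classification and audit functions are my own. The audit also flags overrides whose private address sits in the primary LAN, because the guest firewall rule described in the first post blocks that network, so an override alone does not make the host reachable from the guest VLAN.

```python
"""Split-DNS audit for a guest VLAN (added example; not from the thread or pfSense)."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed placeholders: internal names guests must reach and the private
# addresses they should resolve to on the primary LAN (10.0.0.0/23 in the thread).
HOST_OVERRIDES: Dict[str, str] = {
    "mail.example.com": "10.0.0.25",
    "intranet.example.com": "10.0.0.40",
}

# Primary LAN as given in the first post; the guest firewall rule blocks it.
PRIMARY_LAN = ipaddress.ip_network("10.0.0.0/23")

# RFC 1918 ranges, checked explicitly so that documentation prefixes such as
# 203.0.113.0/24 (used below as a stand-in public address) count as public.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr) -> bool:
    """True when addr falls in one of the RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)


def dnsmasq_host_records(overrides: Dict[str, str]) -> List[str]:
    """Render the overrides as dnsmasq host-record lines.

    pfSense's DNS Forwarder is dnsmasq, and a Host Override is one such
    name-to-address mapping; rendering them makes the intended split view explicit.
    """
    return [f"host-record={name},{ip}" for name, ip in sorted(overrides.items())]


def classify_answer(name: str, answers: Iterable[str], overrides: Dict[str, str]) -> str:
    """Classify what a guest-VLAN client got back when it resolved `name`.

    split-dns-ok     : the private address the override defines came back
    public-hairpin   : a public address came back, so the client heads for the
                       WAN address and only NAT reflection could turn it around
                       (the symptom in the first post)
    missing-override : the name has no override at all
    mismatch         : a private address came back, but not the expected one
    """
    if name not in overrides:
        return "missing-override"
    got = [ipaddress.ip_address(a) for a in answers]
    expected = ipaddress.ip_address(overrides[name])
    if expected in got:
        return "split-dns-ok"
    if any(not is_rfc1918(a) for a in got):
        return "public-hairpin"
    return "mismatch"


def audit(resolved: Dict[str, List[str]], overrides: Dict[str, str]) -> Dict[str, dict]:
    """Per-name status plus whether the guest interface still needs a pass rule.

    An override pointing into the primary LAN is only half the job: the guest
    rule in the first post blocks that whole network, so a pass rule for the
    specific destination host and port is still required.
    """
    report = {}
    for name, answers in resolved.items():
        target = overrides.get(name)
        needs_rule = target is not None and ipaddress.ip_address(target) in PRIMARY_LAN
        report[name] = {
            "status": classify_answer(name, answers, overrides),
            "needs_guest_pass_rule": needs_rule,
        }
    return report


# Constructed answers as seen from a guest client: mail.example.com still
# resolves to its public (here, documentation-range) address, intranet already
# has a working override, and wiki has no override at all.
SAMPLE_RESOLVED: Dict[str, List[str]] = {
    "mail.example.com": ["203.0.113.10"],
    "intranet.example.com": ["10.0.0.40"],
    "wiki.example.com": ["10.0.0.50"],
}

if __name__ == "__main__":
    for line in dnsmasq_host_records(HOST_OVERRIDES):
        print(line)
    for name, result in audit(SAMPLE_RESOLVED, HOST_OVERRIDES).items():
        print(f"{name}: {result['status']}, guest pass rule needed: {result['needs_guest_pass_rule']}")
```

Run it as-is to see the rendered host-record lines and the per-name verdicts; to check a live guest client, replace SAMPLE_RESOLVED with the addresses a resolver on the guest VLAN actually returns. A "public-hairpin" verdict is the case the first post describes, where the client is sent towards the WAN address instead of the server's private one.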
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.