Guest WiFi issues accessing internal websites.

  • Hi folks, I've been using pfsense for years but only finally decided to join the forums! :)

    I have been recently involved in a project to redesign WiFi for our head office at work, but I'm having a little trouble with DNS for internal websites and services such as Exchange over HTTP.

    The scope of the project is to create two Wireless SSIDs, a Guest WiFi network and a Production WiFi network, and VLAN off the traffic to each.


    pfsense 2.1.5 amd64 running on a Dell PowerEdge 2950 II with 2 onboard NICs and an Intel Quad Port card (1 LAN/1WAN connected)
    3x Dell PowerConnect 5548 Switches in a Stack Configuration
    2x Ubiquiti Unifi AP 300 Access Points

    pfsense Interface Configuration:

    2 VLANs present on the LAN interface with IDs 1 and 4 (1 Primary VLAN and 4 Guest VLAN)
    VLAN 1 assigned to existing LAN interface (
    New OPT1 interface created and assigned to VLAN 4 for Guest Network
    Static IP of assigned to OPT1 interface
    DHCP enabled on OPT1 for scope

    Switch Configuration:

    Switch port going to the pfsense LAN connection set to tag VLAN IDs 1 and 4
    Switch ports connected to Unifi APs set to tag VLAN 4 and VLAN 1 untagged

    Access Point configuration:

    APs controlled from the primary LAN with a 2012 R2 VM and assigned static IPs
    Guest SSID tagged to VLAN 4

    pfsense Firewall Configuration:

    Outbound NAT rule to pass traffic from the WAN to Guest Network ( on 1 public IP
    Outbound NAT rule to pass traffic from the WAN to the primary LAN ( on 2 public IP
    Firewall Rule on Guest Network to pass any IPv4 but block access to primary LAN networks
    Firewall Rule to block all IPv6 traffic

    The Guest WiFi works as expected with internet access, however if I try and access our internal websites I get presented with an SSL cert error. Similarly if I try connecting to Exchange using ActiveSync it errors out.

    I had read that I either need to look at NAT Reflection or using Host Overrides in the DNS forwarder. I tried configuring both of these including host overrides for our internal web servers/services but with no joy.

    I’m probably missing something really basic here that’s staring me in the face, just can’t think what it is?

    More than happy to provide any additional details if need be.

  • Run split DNS.  Your internal DNS should resolve the hostnames to their private IP addresses and not their public IP addresses.  NAT Reflection is not recommended unless it's your only option.

  • Hi KOM, thanks for the fast reply!

    How would I go about setting this up in the DNS Forwarder? Right now I have this configured as below:

    pfsense in General Setup has three of our ISP's DNS servers listed and uses the WAN Gateway, which is our primary public static IP address. None of our internal AD/DNS servers are listed here.

    DNS Forwarder enabled on all interfaces.


  • Services - DNS Forwarder - Host Overrides
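
As an added example that is not part of the thread, here is a small POSIX shell check a practitioner could run from a guest-VLAN client after adding the host overrides: it classifies a resolver's answer as private (split DNS working) or public (the case that produces the certificate and ActiveSync errors described above). The hostnames, addresses and the dependency on `dig` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: verify split DNS from a guest-VLAN client
# by checking that internal names resolve to RFC1918 (private) addresses.
# Hostnames and addresses below are constructed placeholders.

# Return 0 when $1 is an RFC1918 IPv4 address, 1 otherwise.
is_private_ip() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Classify one "dig +short" answer: split (private), public, or nxdomain (empty).
classify_answer() {
    if [ -z "$1" ]; then
        echo nxdomain
    elif is_private_ip "$1"; then
        echo split
    else
        echo public
    fi
}

# Live check: resolve $1 via resolver $2 (e.g. the OPT1 address handed out by
# DHCP on the guest VLAN) and classify the first A record.
# Assumes dig is installed on the client; not called in the offline demo below.
check_host() {
    answer=$(dig +short "$1" @"$2" A | head -n 1)
    printf '%s %s\n' "$1" "$(classify_answer "$answer")"
}

# Constructed sample answers, as a guest client might see them before and
# after host overrides are added (no network needed for this part).
classify_answer "203.0.113.10"   # public   -> cert/ActiveSync errors as in the thread
classify_answer "10.0.4.20"      # split    -> internal IP, the desired result
classify_answer ""               # nxdomain -> name not known to the forwarder
```

To test a real name, call `check_host mail.example.internal 10.0.4.1` (placeholder values) from a client on the guest SSID; anything other than `split` means the override is not being served.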
