How to give DMZ WiFi WAP access to LAN web server
Posted on 2011-02-25
Goal: corporate visitors using WiFi should have full access to the Internet, zero access to the LAN.
I have a SonicWall PRO 2040 Standard and a set of HP ProCurve switches. I have created a VLAN on the switches so that a WiFi WAP connected to a specific port can hit the SonicWall DMZ port but nothing else. The SonicWall has DHCP configured on the DMZ's IP range (192.168.20.0:24). There is a reservation for the WAP's MAC address, and a nice wide range for DHCP leases. DNS is hard coded to the ISP's name servers. The WAP is configured to use DHCP. The LAN's subnet is 192.168.1.0:24.
Works perfectly. You get a WiFi connection that lets you out to the Internet, but you can't see anything on the LAN. But it works a little TOO perfectly. We have an exchange server on the LAN, and have opened up the necessary firewall ports to allow our employees to use OWA when traveling. There is an external DNS A record for mail.FooCorp.com that points to our SonicWall's external IP address (say, 184.108.40.206). The SW has a firewall rule that sends port 80 traffic to the IIS server on our Exchange box. This has worked well for ages.
The problem is this. When an *employee* uses the WiFi connection, the employee can surf the net just like anyone else. But when the employee tries to hit mail.FooCorp.com, they get a DNS error: server not found. I need to tell the SonicWall that when it hears a request for 220.127.116.11, it should send the traffic to our internal web server. Can I do that with a firewall rule, or do I need to define a static route of some kind?