Access NAS behind IPFIRE

Hello.
I am new to firewalls, and IPFire got my interest.
My network topology currently is:
Fritzbox 6890 — (LanPort1) IPfire---- switch—NAS, SERVER

F!b ip address(192.168.200.1)
IPfire(192.168.100.1) — NAS, SERVER (192.168.100.x)

at F!B lan port 2:
F!B 6890 ---- (Lanport2) Switch---- 2pc, 3 laptops (192.168.200.x)

Behind the IPFire, I can ping any device in x.x.200.x and can also surf the internet, no problem at all. But I want the 2 laptops from 192.168.200.x to access the NAS (192.168.100.10).
I'm totally new to this.
Thank you in advance…

So the 2 PCs and 3 laptops are NOT protected by the firewall. I suggest adding an 8-port switch after the firewall so the 2 PCs, 3 laptops, and NAS can be on the .100 subnet. Then ALL devices will be protected by the firewall, plus they can access each other since they belong to the same .100 subnet. Something like:

Internet – Fritz (.200.1) – ipfire (.100.1) – switch – 2pc, 3laptop, NAS

2 Likes

Your PCs and laptops are part of the red network of IPFire, the WAN.
No surprise, they can’t access the green network easily.

1 Like

Two premises:

  • your IPFire firewall has one input (the red zone), and several outputs (all the machines connected to the switch behind it);

  • IPFire needs to know where to send the packets.

If the traffic is coming from the inner side of the firewall (machines on the switch, the green network 192.168.100.X) going out, it keeps track of the outgoing traffic and therefore knows automatically where to send the returning packets coming from the red zone as a response.

However, if the traffic is initiated from the WAN side (internet or 192.168.200.x; it is still a WAN for IPFire) coming in, the firewall needs to know to which machine it should send those packets. Therefore it has to have a table to keep track of where to send the traffic, based on the port number. This is called destination NAT or port forward and requires writing a rule in the firewall, similar to the one you would use to have a web server accessible from the internet.

In the source field, I believe you can restrict the traffic to 192.168.200.X only, so as not to open the NAS to the world, but to me this also opens a potential attack surface (*).

You can use the grouping functions of the firewall to define all the hosts you want to open to the NAS. The groups you define will appear in the firewall user interface as a selection for the source field.

You also need to define to which ports the traffic should be forwarded. For example, if you are using NETBIOS or NFS the port number will change accordingly. Keep in mind that the ports too can be grouped in services and service groups; the most common ones are already defined for the user by the developers, but you can create your own if you have several services you want to open.

Speaking of DNAT, keep in mind that you will have two NATs for the traffic initiated from the internet, one on the Fritz and the other in IPFire; this can create potential problems and unexpected consequences. If you decide to have a home server reachable from the internet, you might want to get rid of the double NAT (e.g. by putting the Fritz box in bridge mode).

(*) If I were you, I would put everything behind the firewall, in the green zone. This definitely looks to me like the most secure option, and the simplest one.

4 Likes
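As an added illustration of the two premises above (this is not code from the post or from IPFire itself), a small Python model of IPFire's red interface: flows opened from green are tracked so their replies pass, while connections initiated from the red side only get through when a DNAT rule matches their destination port and source. The red IP 192.168.200.2 and the NAS port 5000 are constructed values.

```python
import ipaddress
from dataclasses import dataclass

OFFICE = ipaddress.ip_network("192.168.200.0/24")  # Fritzbox LAN, red side for IPFire

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class DnatRule:
    allowed_src: ipaddress.IPv4Network  # the "source" field (e.g. a host group)
    dport: int                          # port arriving on the red interface
    target: str                         # green host the traffic is forwarded to
    target_port: int

class RedInterface:
    def __init__(self, red_ip, rules):
        self.red_ip = red_ip
        self.rules = rules
        self.conntrack = {}  # (peer ip, peer port, local port) -> green host

    def outbound(self, pkt):
        """Green -> red: masquerade to the red IP and remember the flow."""
        self.conntrack[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
        return Packet(self.red_ip, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Red -> green: pass tracked replies, apply DNAT rules, else drop."""
        if pkt.dst != self.red_ip:
            return ("DROP", None)
        origin = self.conntrack.get((pkt.src, pkt.sport, pkt.dport))
        if origin is not None:  # reply to a flow opened from green
            return ("REPLY", Packet(pkt.src, pkt.sport, origin, pkt.dport))
        for rule in self.rules:
            if pkt.dport == rule.dport and ipaddress.ip_address(pkt.src) in rule.allowed_src:
                return ("DNAT", Packet(pkt.src, pkt.sport, rule.target, rule.target_port))
        return ("DROP", None)

def demo():
    # constructed values: IPFire red IP 192.168.200.2, NAS web UI on port 5000
    fw = RedInterface("192.168.200.2", [DnatRule(OFFICE, 5000, "192.168.100.10", 5000)])
    fw.outbound(Packet("192.168.100.10", 40000, "192.168.200.5", 80))     # NAS opens a flow
    reply = fw.inbound(Packet("192.168.200.5", 80, "192.168.200.2", 40000))  # tracked reply
    laptop = fw.inbound(Packet("192.168.200.5", 51000, "192.168.200.2", 5000))  # needs DNAT
    stranger = fw.inbound(Packet("203.0.113.7", 51000, "192.168.200.2", 5000))  # not in group
    return reply[0], laptop, stranger[0]
```

Without the rule the laptop's packet takes the final DROP branch exactly like the stranger's; the source restriction is what keeps the forward from being world-reachable at the IPFire hop.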

Thank you for the information. Unfortunately, I think I cannot put all devices behind the IPFire. The image attached is the network topology of our small office. I'm so sorry if it's not that good.
Both F!B in Mesh mode: MasterF!b(port2) - - - - - ClientF!b
The Master F!b is located in our basement and only 2 connections go to the office room (lanport1 IPFire and lanport2 F!b client); all patch panels are already occupied, and the reason we mesh it with another F!b is to use the fax, telephony and also wifi. The DSL connection won't reach our main room. And the mesh failed when the IPFire was put in between the two F!b.
The F!b client ---- laptops and PCs (192.168.200.x) and the
switch (192.168.100.x) -------- devices (NAS, server, printer, 2 workstations) are all in the office room.

It gives me pain in my head :cry: :cry:

Your drawing and description show

  • your real WAN is connected to DSL(?) by Fritz Master
  • your LAN consists of NAS, printer and user PCs
  • Fritz Master provides its LAN with two connections to your local network
  • one (LAN2) is connected to Fritz Client for fax and telephony (with wifi activated)
  • LAN1 shall be used as WAN access for your office

With this configuration I would connect IPFire’s red interface to LAN1.
All local devices are connected to IPFire's green interface. If there are devices with a wireless connection, they are connected to IPFire's blue interface (either realised by an internal wireless card and hostapd or by an external AP).

BTW: What do you mean by mesh?

cfusco

Above he explained how to do this. (Not recommended.)
You need a firewall rule in IPFire to allow Fritz clients access to the NAS or the green network.
He covered a lot in his explanation.
Good luck

cfusco explained how to implement the configuration sketched by @bent0ng, but this doesn't mean the config is the right solution for the problem. See my post above.

I think it's the terminology used by the FritzBox people. They have a very nice user interface in the router that hides all the details of the LAN and shows the overall topology, regardless of whether the connection is made with ethernet cables, WiFi, cordless phone connection, wired phone connection, "smart" plugs that use radio frequency to communicate, or the electrical network using powerlines. They call all this a mesh network.

Okay, so the 'mesh' is the set of local devices, which should be connected according to their function.
Phones are connected to the FB Client; your local computer network should be connected to IPFire (which is connected to FB Master).
My suggestion.

EDIT: A short look at the AVM page shows that the word ‘mesh’ is used for the WLAN AP of the FB. This is WAN in IPFire view in the planned config.

1 Like

Hello Everyone, thanks for all the tips/advices.
Though, as @cfusco explained, the double NAT is kind of a problem. I opened the port on the F!b master and created a firewall rule in the IPFire. Using the online port tester, I can determine if the port is open in both F!b and IPFire. By using the public IP address on any of the red devices, I can access the DSM of the NAS. But it is exposed, so I'm quite afraid. And in the future, we discussed putting all devices behind the firewall as everyone suggested. But for now, we go with OpenVPN from the IPFire, for which I created accounts for the 2 laptops (red). It's kind of slow, like 30%, but it's okay; we can live with that for just opening documents and accessing some resources.
IPFire sure is convenient and user friendly. I think this will be our firewall for the long term.
Cheers everyone.

1 Like

Yes. Here in Germany, almost 90% of all home networks or small businesses use a Fritzbox, and using MESH to another Fritzbox, similar to a repeater, is quite cool to be honest.
As @cfusco explained, it is very user friendly and kind of smart.

These 90% (if really true) are mostly networks installed 'the easy way'.
To build a secure internet access you need two functionalities:

  • some sort of modem to convert from WAN technology ( DSL, DOCSIS, Fiber, … ) to ethernet based IP LAN,
  • a router with firewall for connection of the local network ( wired and/or wireless ) to the WAN.

Fritzboxes contain both, so it is just easy to install an internet access with them.
Internet providers usually offer those devices, which is a reason for many to just choose this solution.
If the device is owned by the provider ( customer hires it only ), this imposes a possible problem.
The router part manages the private network, but is possibly configured by the provider.

Therefore I would suggest dividing the internet access function:

  • a modem, owned by the provider, to convert the WAN protocol to ethernet/IP. This device may be hired from the provider, which is responsible for supplying the booked bandwidth at the ethernet port. This device may contain some other functions ( telephony, … ).
  • a router/firewall, owned by the customer, to distribute the internet access to the local network. Here I recommend IPFire :wink: .

In this configuration there is no problem with double NAT, because IPFire is the only NAT router.

2 Likes

Noted. And you are indeed correct. I'm learning a lot. It helps me to pursue cyber sec. :grin:
Thanks for all.

2 Likes

Exactly!!!

Unfortunately there is a tendency for ISPs not to allow the customer to have just a modem or to set the leased router to bridge mode.

I realize that this is probably restricted to residential customers, but now with fiber becoming more common in Europe and the increasing practice of unjustified broad data collection by big tech, I believe there is a market for home or small office servers (e.g. Nextcloud). This makes the use of a good firewall solution, like IPFire, a must. This hostility of the ISPs to giving the customer minimal control of the bandwidth they sell artificially imposes the double NAT problem.

This was my main motivation for searching for an ISP that would allow the freedom to use my own router. Fortunately for me, I found one here in Switzerland. I do not know, though, how difficult this is in the rest of Europe.

I imagine that IPv6 would solve this problem; however, the poster child of the network effect is exactly the IPv6 protocol. When was it ready, 20-30 years ago? I doubt I will see it becoming dominant in my lifetime.

2 Likes