I have a small home network split into two sections. I guess it’s similar to a DMZ situation and it may become that situation eventually. The outer section is where all the wireless devices in our house connect. I didn’t originally have the inner section of the network, so I don’t have ethernet cabling everywhere in my house right now. Now that I have installed IPFire and set up the inner section of the network, I can’t access the inner section of the network with my wireless laptop. I don’t want to access my application server through the internet, I just want to connect to the WAP between my cable modem and my IPFire router with my laptop, come through the IPFire router and access my application server. I’m not sure if I need a VPN, a VLAN or just do port forwarding through the router. Right now all I’m accessing is the web interface on a Redmine setup, but I will do more later. Eventually I’d like to set up the Redmine server (and other apps) so my family/friends can access it from the internet, but baby steps Bob. I’ll try to attach a PDF of my network to help explain. Thanks.
Don
P.S. Ok, I see PDF’s are not allowed. I’ll convert and try again.
An option (don’t know if would be best): Move the WAP to the unused NIC as your “blue” network zone – connecting “Red” NIC to the cable modem. For access from “blue” to your “green” zone, you could Roadwarrior connect with OpenVPN
OO, can’t do that. That would put my kids’ machines behind my router with all their games and “apps” and viruses and BS… I guess I left that out of my initial description. I put that IPFire router in there to protect my network from my network. It’s just not as bad as THE network. I have an extra NIC in my apps server also and I have considered adding a WAP on that one so only I have wireless access behind the IPFire router. I was just trying to spare that expense because my house was built in the 40’s and it’s solid… pain in the rear getting wireless to bounce around. I also considered some of the Powerline adapters to get the signal upstairs, but I’ve seen good and bad reviews on those, so…
Was thinking about this… I guess I should still put a WAP on the IPFire box and create a blue zone and let the router control that instead of putting a WAP on the additional NIC on my apps server. I would still leave the current setup coming into the network from the cable modem. I’d still like to know how to come in through the red port, or maybe that’s not the right way. Maybe I need to go ahead and set up a DMZ if I’m planning to access the box from the internet at some point in the future.
One other question… If I use Roadwarrior to connect with OpenVPN, is there really a difference if I connect to the current WAP and come through the red port versus coming through the blue port and exposing my red port to the internet? I mean I trust IPFire more than I trust my Netgear router, but it’s still nice having that extra layer in there. But if I come in through the red port, maybe I’m creating the same problem. I have a basic understanding how most of this works, but I don’t know what the security vulnerabilities are involving each option.
I am a novice at this sort of stuff myself. My minimal understanding of the “blue wireless” zone is that it isolates your wireless traffic from your secure “green” zone. I was suggesting to use Roadwarrior OpenVPN only if you want/need to get from “blue” to “green” for some specific nodes/laptops/whatever. I was not suggesting the VPN to provided access through IPFire “red” to your secure “green”.
Gotcha. I have to admit, I’ve only primarily read documentation for what I’ve set up so far and I haven’t read it thoroughly for a “design concept”. I need to pull the docs up on my tablet (can’t see my phone well enough) and carry it into the bathroom with me. That’s where the REAL research gets done.
Somewhere along the way I got the fuzzy notion that Roadwarrior VPN from blue nodes into green was better/more secure than using fw rules. Seems this was something I picked-up on old forum. Being a home-gamer novice at this network and security stuff, I don’t know whether or not there is any value to the VPN thing in this situation. Any insight from resident gurus would be appreciated.
I’m no ipfire expert guru (been a home office user of ipfire for around two years) but have been working in the field of security for several decades> My thoughts / comments are therefore of a general nature and not ipfire specific:
I’d be running the ipfire on your perimeter and then establishing a Green and Blue zones accordingly as has been suggested earlier.
If Firewall rules are setup correctly (for laptop access to your internal LAN) I’m not sure there’s a benefit in doing this using a VPN.
I’m a big believer in KISS myself Robert. I think if I was coming in from the internet a VPN would definitely be the way to go, but since all machines are at my physical location I’m guessing just a firewall rule to allow that one machine through would be the easiest way to go. Maybe a script to open the hole when I want to use it and then close it when I’m done. I basically am only on that laptop in the evenings for a couple hours, never during the day, so maybe that would work ok.
And easiest from my experience base Shaun. I’ve worked with firewall rules a little bit, but the only time I’ve set up a VPN was adding NordVPN to a laptop a few years ago when I was working out of town. They did all the work for me and all I had to do was set up SSH or whatever it used in my Netgear router and that was pretty easy, so… I’m up to my eyeballs right now, so not sure I can handle a VPN or the blue zone right now unless that’s the only way I can get it going.
Ah, I see the rules creation in IPFire allows me to set an access time. Awesome. Don’t have time to test the laptop this morning, though, we’re taking our youngest off to college today.
Well, I got access to my main page setup with no problem. Just adding a firewall rule to allow that one device through with TCP protocol and set a time limit as to when I’d normally be using it. Then I just had to put a static route in my main router to send that traffic to my IPFire box. That would probably work with RIP or something that broadcasted the networks, but it’s been so long since I worked with that stuff I couldn’t remember. It wasn’t seeing GREEN on the IPFire box, so I put the static route in there and it went right through.
I tried to setup access to the WUI on my IPFire box the same way and it’s just not having it. The main app I’m using is HTTP and of course IPFire uses HTTPS… I don’t know if that has anything to do with it or not. I tried allowing just TCP through to port 444, I tried allowing ALL through to 444 (just to see if it would work and then I’d back it off but it didn’t), and then after reading the manual, I tried doing the NAT options in the firewall rule creation page and also the option to allow access to IPFire in the firewall rule creation page and nothing worked. I also can’t get through to Cockpit on my server, so I’m guessing it’s something to do with HTTPS or I’m just not holding my mouth right. I’m a “manual guy” so I’ll spend some more time there when I’ve got more time available, but if anything jumps out at anyone, I’m not opposed to the “easy way”. I appreciate everyone’s help!
Ah, one last thing, since I’m going to have to spend some time on it, I’ll probably just investigate going ahead and setting up the blue zone like you suggested CBrown… Not knowing much about it, I think you’re probably right that going that route would probably be more secure than keep punching more and more holes in the firewall with rules. Plus, it’d probably be more scalable as I add more apps and such that I want to access with my laptop at night. It would probably be real easy for a novice like me to screw something up by keep adding rules versus going with a hardened solution that should provide exactly what I want to do and letting IPFire control it.
The problem you have is that the Netgear Router does not know or does not know how to reach the range of the IP Green of the IPFire.
To solve it, you have to create a static route in the Netgear telling it to go to the Green range of the IPFire/24 to send it to the RED interface of the IPFire.
Then, in the IPFire you create the rules you want.
That’s what I did to get the first web site working and it worked fine. Then when I tried to add the same type of rule to access ipfire:444, no matter what I tried worked. I didn’t know if it was because the first website was http and ipfire is https or something else. I called myself trying everything I found in the manual, but it was late and I was tired, so maybe I missed something.
Ok, yeah I’m a moron… it’s working now. Part of the problem is I’m color blind and even though the screens in the Firewall Rules page say RED and GREEN on them, I can’t tell the difference in the colors and they don’t jump out at me. Then when I number my networks 66 and 99 like an idiot, that doesn’t really jump out either. I was trying to go to the red interface to route to the inner network and I should have just been going to the green network. Changed destination network from RED to GREEN and we’re good to go now. Thanks for the help everyone!
I’ll try to attach a PDF of my network to help explain. Thanks.
It’s just not as bad as THE network. 
Don’t have time to test the laptop this morning, though, we’re taking our youngest off to college today. 
Part of the problem is I’m color blind and even though the screens in the Firewall Rules page say RED and GREEN on them, I can’t tell the difference in the colors and they don’t jump out at me. Then when I number my networks 66 and 99 like an idiot, that doesn’t really jump out either. I was trying to go to the red interface to route to the inner network and I should have just been going to the green network. Changed destination network from RED to GREEN and we’re good to go now.