You have to select a single host for DNAT. Groups or networks are not allowed.
I have the default selection in ipfire:
So from a green computer, I can ping Google (ping 8.8.8.8) and receive an answer…
But from the browser I can receive anything…
So I think I have to allow traffic on ports 80,443 from the red zone (probably in the end it would be Any) to the Green network. So I have to allow Red → Green (80,443).
I cannot understand what you want.
If you ping Google you initiate the connection, so everything is fine.
If you browse the Internet, you initiate the connection, so everything is fine again.
And you do not need port forwarding for these scenarios.
Sorry for my bad English, yes I wanted to say cannot…
So the problem is that from the Windows 7 client in the green zone, I can ping 8.8.8.8… and receive data.
So everything seems OK.
But when I go to the browser, Firefox, and I put in www.marca.com or whatever, it gives an error of server not found… I have tried many websites, both http and https, and none of them works.
ipconfig /all
should show you which DNS Server you are using.
If it is the IP address of the IPFire or something else or nonsense.
As a workaround you could configure 8.8.8.8 directly on the Windows PC to check if it would work.
I cannot see if you use DHCP for the Windows PC or a static IP, but I believe there is definitely something wrong.
From the image of Windows 7 the gateway is 192.168.0.1; from the image of the ipfire DNS page the ipfire is 192.168.1.51, which is a different subnet.
Seems that the PC is not in the green zone.
I somehow solved the problem by changing the DNS of the Windows 7 client:
(image is in the next post, as a newbie I can only attach one image per post).
I supposed that the client was going to get DNS from ipfire.
@cibgiu my Windows client is 192.168.0.5, which is in the green zone, whose network adapter in ipfire is set up to 192.168.0.1 and 255.255.255.0… and 192.168.1.51 is the ipfire address (virtual machine of ipfire with the network adapters).
I think @cibgiu is right, your Windows PC is not in the IPFire Green Zone.
From your writing it seems that you do not use IPFire as a firewall but as an additional machine in the network.
Your gateway on the Windows PC is 192.168.0.1, so all packets do not use 192.168.1.51, which is the ipfire.
To use the DNS from the IPFire you have to write 192.168.1.51 instead of 8.8.8.8 in the Windows PC static settings.
There is an additional setting in IPFire where you can set DNS for IPs in your network.
EDIT:
This one:
@florom I was going to write a post… changing the DNS to 192.168.1.51 did the trick.
But I'm using ipfire as a firewall (virtual machine that runs as firewall), and the green zone has the gateway 192.168.0.1… because if I want to connect another VM to, for example, the orange zone, I have to use the gateway 192.168.2.1 and so on… Is there any other way to implement this?
In the near future, the next days, I plan to use a DNS and a web server in the orange zone. Both have to have static addresses, let's say 192.168.2.10… then I'd have to change the DNS in all the machines and set this one, no? For example, in the Windows 7 client in the green zone, use as DNS, instead of 192.168.1.51, the new DNS in the orange zone, 192.168.2.10…
I do not know your network setup, but as long as the gateway of your Windows PC does not match the IP address of LAN on the ipfire main page you are not using the IPFire, in my opinion.
Just power the virtual IPFire down. You should be able to ping 8.8.8.8.
So I have ipfire installed in VirtualBox, with four adapters:
One for the red network, bridged (connected to the home/institute network).
One for the green network: I created an internal network called empresa in VBox, 192.168.0.1 / 255.255.255.0.
Another for the orange network: I created another internal network called dmz in VBox, 192.168.2.1 / 255.255.255.0.
Another for the blue network: I created another internal network called wifi in VBox, 192.168.3.1 / 255.255.255.0.
So as the ipfire documentation shows:
Green to Red is open. Red to Green is closed.
So I had the problem with the Windows 7 VM, as a client in the green network. The problem from the beginning is that I thought that I had to open some ports from red to green (to get the response from the Internet), but the problem was the DNS. I had to set up that the DNS server was the ipfire machine, 192.168.1.51.
So I get back to the original problem: what does it mean that green to red is open and red to green is closed, if the ipfire policy by default is allow? Why can red to green pass the response if it seems closed?
I think this is a highly insecure setup. If you really want to protect something you need hardware with different physical interfaces and then connect switches.
It is for educational purposes; I'm a teacher in vocational education and I have to teach how to install DNS, web server, mail server, FTP server, SSH, Telnet in a network. So we have to deal with virtual machines.
So I need a firewall, as I want my students to install servers, DNS and so on in one or two machines in the orange network.
I also need to know how to allow traffic from Red to orange (a person outside the network, on the Internet… can connect to the web server located in the orange DMZ). As far as I know this is the best or one of the best ways to implement a network and the services on it.
The image you have posted represents a part of the standard configuration of the ipfire.
Where
“Red local” (image) = LAN (table) = GREEN
Internet (image) = Internet (table) = RED
DMZ (image) = DMZ (table) = ORANGE
But since you are not going to make a real-world setup and this is an image of a real-world setup, I would recommend reading
including the explanatory links in it. This will give you a good understanding of how the firewall works and how the network will work in a non-real-world setup.
This in turn will give you the skill to explain what your students are doing and answer questions without posting it first to the forum.
Only two questions left:
1 - Did I understand well, is this setup recommended for a real case? (Students have to reproduce it in a virtual environment, but the rules are OK: in the orange network we put the services, DNS, web server, FTP server, mail… is it OK?)
2 - To reproduce the image I would have to allow or open traffic from Red to orange (a person outside the network, on the Internet… can connect to the web server located in the orange DMZ). As your links show, by default it is closed in ipfire… but I can't, or I don't know how to, open traffic from red to orange (at least on ports 80,443).
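Added example (not from this thread and not IPFire's own code) that models the two points raised above: why replies from red reach green even though "red to green is closed" (florom's point that the green client initiated the connection), and what opening red to orange for ports 80,443 adds on top of that. It is a toy stateful filter with a connection-tracking table; the zone addresses are the ones from the VirtualBox setup in the thread, the web server 192.168.2.10 is the address the poster proposes, and the shape of the port-forward entry and the single green->red open direction are assumptions (IPFire's real default policy has more entries).

```python
import ipaddress
from collections import namedtuple

# Zone layout constructed from the VirtualBox setup described in the thread.
ZONES = {
    "green": ipaddress.ip_network("192.168.0.0/24"),
    "orange": ipaddress.ip_network("192.168.2.0/24"),
    "blue": ipaddress.ip_network("192.168.3.0/24"),
}

Packet = namedtuple("Packet", "proto src sport dst dport")


def zone_of(ip):
    """Map an address to its zone; anything outside the local zones is red."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "red"


class StatefulFilter:
    # Directions in which a NEW connection may be opened. Only green->red is
    # taken from the thread (assumption: nothing beyond what it states).
    OPEN = {("green", "red")}

    def __init__(self, forwards=()):
        self.conntrack = set()         # 5-tuples of connections already allowed
        self.forwards = set(forwards)  # (src_zone, dst_ip, dst_port) port forwards

    def verdict(self, pkt):
        # A packet that belongs to a tracked connection, or whose reversed
        # 5-tuple is tracked, is part of a flow allowed earlier: this is why
        # answers from red reach green although red->green is "closed".
        reply_of = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt in self.conntrack or reply_of in self.conntrack:
            return "ESTABLISHED"
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if (src_zone, dst_zone) in self.OPEN or \
                (src_zone, pkt.dst, pkt.dport) in self.forwards:
            self.conntrack.add(pkt)
            return "NEW"
        return "DROP"  # unsolicited traffic in a closed direction
```

A red host hitting the orange web server on 80/443 is accepted only because of the explicit forward entry; the same host probing port 22 on that server, or anything in green, is dropped.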