Allow port 80,443 from Red to Green

You have to select a single host for DNAT. Groups or networks are not allowed.
I have the default selection in ipfire:

So from a green computer, I can ping google… ping and receive an answer…
But from the browser I can receive anything…

So I think I have to allow traffic on ports 80,443 from the red zone (probably in the end it would be Any) to the Green network. So I have to allow Red → Green (80,443)

How can I get it to work? How can I do it?


Hi @egutierrez ,

Do you mean you cannot receive anything?

I cannot understand what you want.
If you ping google you initiate the connection, so everything is fine.
If you browse the internet, you initiate the connection, so everything is fine again,
and you do not need a port forwarding for these scenarios.

Sorry for my bad English, yes I wanted to say cannot…
So the problem is that from the Windows 7 client in the green zone, I can ping… and receive data.
So everything seems ok.
But when I go to the browser, Firefox, and I put or whatever, it gives an error of server not found… I have tried many websites, both http and https, and none of them works.

One problem could be that green to red is allowed but red to green is closed. I'd need to make a port forwarding… but it is only a thought.

I hope it's more clear now

If that does not work you may have a problem with DNS


No, that should not be necessary

You were right… ping works
But ping
It says that the name could not be resolved… try to change the name and try again…

But in ipfire I have the DNS working properly…

I see that it is working in IPFire.

ipconfig /all
should show you which DNS server you are using.
If it is the IP address of the IPFire or something else or nonsense.
As a workaround you could configure directly on the Windows PC,
to check if it would work.

I cannot see if you use DHCP for the Windows PC or a static IP, but I believe there is definitely something wrong.

Hi Eduardo,

from the image of Windows 7 the gateway is, from the image of the ipfire DNS page the ipfire is, that is a different subnet.
It seems that the PC is not in the green zone


I somehow solved the problem by changing the DNS of the Windows 7 client:

(image is in the next post, as a newbie I can only attach one image per post).
I supposed that the client was going to get DNS from ipfire.

@cibgiu my windows client is, which is in the green zone, which network adapter in ipfire is set up to, and … and is the ipfire address (virtual machine of ipfire with the network adapters).

I'm facing now that my machine is ipfire.empresa… but I can only access it via, not https://ipfire.empresa:4444.

Thanks in advance

The DNS setup in Windows 7 that actually works:


Hi @egutierrez ,

I think @cibgiu is right, your Windows PC is not in the IPFire Green Zone.

From your writing

it seems that you do not use IPFire as firewall but as an additional machine in the network.
Your gateway on the Windows PC is, so all packets do not use, which is the ipfire.

To use the DNS from the IPFire you have to write in the Windows PC static settings instead of

There is an additional setting in IPFire where you can set DNS for IPs in your network.
This one:

@florom I was going to write a post… changing DNS to did the trick.

But I'm using ipfire as firewall (virtual machine that runs as firewall), and the green zone has the gateway… because if I want to connect another VM to, for example, the orange zone, I had to use the gateway and so… Is there any other way to implement this?

In the near future, the next days, I plan to use a DNS and a web server in the orange zone. Both have to be static addresses, let's say… then I'd have to change the DNS in all the machines and set this one, no? For example in the Windows 7 client in the green zone, use DNS instead of the new DNS in the orange zone…


Hi @egutierrez

I do not know your network setup but
as long as the gateway of your Windows PC does not match the IP address of LAN on the ipfire main page you are not using the IPFire, in my opinion.

Just power the virtual IPFire down. You should be able to ping


So I have ipfire installed in VirtualBox, with four adapters:

One for the red network, bridged (connected to the home/institute network).
One for the green network, I created an internal network called empresa in vbox.
Another for the orange network, I created another internal network called dmz in vbox.
Another for the blue network, I created another internal network called wifi in vbox.

So as the ipfire documentation shows:
Green to Red is open. Red to Green is closed.

So I had the problem with the Windows 7 VM, as a client in the green network. The problem from the beginning is that I thought that I had to open some ports from red to green (to get the response from the internet), but the problem was the DNS. I had to set up that the DNS server was on the ipfire machine.

So I get back to the original problem: what does it mean that green to red is open and red to green is closed, if the ipfire policy by default is allow? Why can red to green pass the response if it seems closed?


Read Stateful firewall - Wikipedia


Hi @egutierrez ,

I think this is a highly insecure setup. If you really want to protect something you need hardware with different physical interfaces and then connect switches.


It is for educational purposes, I'm a teacher in vocational education and I have to teach how to install DNS, web server, mail server, FTP server, SSH, telnet in a network. So we have to deal with virtual machines.

Hi @egutierrez ,

Ok, glad to hear that.
So you do not need a firewall for that and you could avoid giving the impression that this setup is secure.


How do you think is a better way to explain and practice network services?
Well as far as I know this setup is recommended (the image below).

I'd like to reproduce this (in Spanish but quite self-explanatory).
Origen - Origin
Destino - Destination
Permitido - Allowed
Denegado - Denied

So I need a firewall, as I want my students to install server, DNS and so on in one or two machines in the orange network.

I also need to know how to allow traffic from Red to orange (a person outside the network, on the internet… can connect to the web server located in the orange DMZ). As far as I know this is the best or one of the best ways to implement a network and the services on it.

Thanks for your help

Hi @egutierrez ,

The image you have posted represents a part of the standard configuration of the ipfire.
“Red local” (image) = LAN (table) = GREEN
Internet (image) = Internet (table) = RED
DMZ (image) = DMZ (table) = ORANGE

but since you are not going to make a real world setup and this is an image of a real world setup, I would recommend reading

including the explanatory links in it. This will give you a good understanding of how the firewall works and how the network will work in a non-real world setup.
This in turn will give you the skill to explain what your students are doing and answer questions without posting them first to the forum.


Only two questions left:
1 - Did I understand well, this setup is recommended for a real case? (students have to reproduce it in a virtual environment, but the rules are ok, in the orange network we put the services, DNS, web server, FTP server, mail… is it ok?)

2 - To reproduce the image I would have to allow or open traffic from Red to orange.
(a person outside the network, on the internet… can connect to the web server located in the orange DMZ). As your links show, by default it is closed in ipfire… but I can't, or I don't know how to, open traffic from red to orange (at least on ports 80,443).

Thanks for your help
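Two questions in this thread can be seen in one small model: why a reply from Red reaches Green although Red → Green is "closed" (the stateful firewall point raised earlier), and how a Red → Orange port forward on 80/443 lets an outside client reach a single DMZ web server. This is an added example, not code from the thread or from IPFire; the zone prefixes, addresses and the StatefulFirewall class are constructed assumptions.

```python
# Added example: a toy model of stateful filtering plus DNAT, NOT IPFire
# code. Zone prefixes, addresses and the class are constructed for illustration.

ZONE_PREFIX = {"green": "10.0.1.", "orange": "10.0.2."}  # constructed zones
RED_IP = "203.0.113.10"   # constructed public address on the firewall's RED side
WEB_SRV = "10.0.2.80"     # constructed web server in the ORANGE DMZ


def zone_of(ip):
    """Map an address to a zone; anything outside green/orange is RED."""
    for zone, prefix in ZONE_PREFIX.items():
        if ip.startswith(prefix):
            return zone
    return "red"


class StatefulFirewall:
    def __init__(self, forwards):
        # forwards: {(public_ip, port): (dmz_host, port)} = DNAT (port forward)
        self.forwards = forwards
        self.conntrack = set()  # connections we have already allowed

    def handle(self, src, sport, dst, dport, syn):
        """Decide ACCEPT/DROP for one TCP segment and update the state table."""
        # 1. Reply to a tracked connection (ESTABLISHED) is allowed in any direction:
        #    this is why Red -> Green replies pass although Red -> Green is "closed".
        if (dst, dport, src, sport) in self.conntrack:
            return "ACCEPT"
        # 2. DNAT: a new Red connection to a forwarded port is rewritten to the
        #    single DMZ host and then tracked like any other connection.
        if syn and zone_of(src) == "red" and (dst, dport) in self.forwards:
            dst, dport = self.forwards[(dst, dport)]
            self.conntrack.add((src, sport, dst, dport))
            return "ACCEPT"
        # 3. Default zone policy: Green/Orange may open connections to Red;
        #    Red may not open connections into Green or Orange.
        if syn and zone_of(src) != "red" and zone_of(dst) == "red":
            self.conntrack.add((src, sport, dst, dport))
            return "ACCEPT"
        return "DROP"


def demo():
    fw = StatefulFirewall({(RED_IP, 80): (WEB_SRV, 80), (RED_IP, 443): (WEB_SRV, 443)})
    client, remote, outsider = "10.0.1.5", "142.250.74.36", "198.51.100.7"  # constructed
    return [
        fw.handle(client, 50000, remote, 443, syn=True),     # green -> red: new
        fw.handle(remote, 443, client, 50000, syn=False),    # red -> green: reply
        fw.handle(outsider, 40000, client, 80, syn=True),    # red -> green: new
        fw.handle(outsider, 40001, RED_IP, 80, syn=True),    # red -> forwarded port
        fw.handle(WEB_SRV, 80, outsider, 40001, syn=False),  # DMZ server's reply
        fw.handle(outsider, 40002, RED_IP, 22, syn=True),    # red -> port not forwarded
    ]
```

Only the packets to the forwarded ports get through from Red; the model does not cover Green → Orange traffic or UDP, which a real rule set would also have to address.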