To test and configure ipfire, I have set it up as an internal router using DHCP on the Red interface. I plugged my computer into Green, ignoring others for the moment. I have made no other configuration changes. IPfire obtained its DHCP address on Red and distributed one to my computer on Green (separate nets of course) so I have normal access to it via the web interface.
I have found that if I tunnel out using a VPN client to my provider, then I get normal internet action. If I disconnect the VPN, I have apparent connectivity, some packets flow, but web pages do not load, or do so very reluctantly.
There are also two other internal routers working quite normally, one on the same sub-net alongside IPfire and another in a different sub-net on the OPNsense main firewall. If I connect through either of those, all web access is normal.
For clarification, after I understand IPfire better and configure it then I intend that it replace OPNsense as a dedicated firewall with a dedicated 8-port router below that, so two boxes for one but separation of primary functions for easier management.
Welcome to the IPFire community.
I am not if sure I understand your network layout. As you have three routers, including the IPFire system, it would be good to have a simple diagram of the various routers and their path to your ISP connection to better understand the path things would/should take.
Thanks Adolf. Here is a rough diagram of the current situation. I have dotted in the ipfire in its test situation (red upstream with DHCP, green down). Normally, that computer goes straight to the switch.
If I connect the computer via either of the WiFi routers (whether by ethernet or WiFi) then all behaviour is normal. For ipfire, see my earlier post. Both are configured essentially as they come out of the box, as interior routers with their own sub-nets. The fact that the Linksys and Mikrotik are routers is less important than their WiFi. OPNsense already controls them. Still, they provide a comparable option from a routing perspective, and the ipfire should have whatever rights exist when it is not there.
I have been reading the documentation, as it may be simply that ipfire’s defaults are not the same as the others, though if you have anything you could quickly point out that may quicken my learning.
In the future, ipfire will replace OPNsense with some other changes.
I would start here.
Hopefully All of these devices do not share the same Network ip ranges.
Rest assured there is no confusion of IP ranges. This network has been paddling along happily for a while, with all prior changes and expansions implemented successfully.
Your suggestion of checking over DNS is worth a look. Given that in the test arrangement the ipfire should simply be getting its DNS from OPNsense (which asks my authoritative server) via DHCP there ought not to be a problem, but there might. I shall look into that.
Edit: I’ll double check the IPs as well. Better to verify than believe I am right.
Shaun, while the IP ranges were OK as expected, it appears there may be a problem with DNS config or the entire path to it. I shall have to brush up my BIND and start tracing. The DNS server is old with some known superseded and missing entries anyway, and now possibly an error. It is on the list for upgrade / replacement, so I shall have to prioritise that task I think.
I’ll be back when that is resolved. Thanks for the prompt.
That sounds like you have your own DNS server running. Do you have DNSSEC validation setup and enabled on it. For IPFire DNSSEC is mandatory on DNS servers that are being used.
Hi Adolf, DNSSEC is enabled. The immediate problem was configuration, call it a dead neuron in the private half of the split brain (rDNS failed). I am revising/rebuilding/replacing the DNS server before I come back to the rest of the major network overhaul anyway. IPfire will still ultimately be the internet-facing firewall in what is conceptually a dual-firewall system, although more complicated than that owing to exigencies of how the house is wired, and extremely limited space where the patch panel is.