Block LAN (red network), but allow internet access

hello,

I am new to ipfire and all the functions are unfortunately not yet clear to me. I am running a simple setup to firewall some devices behind the ipfire.

my setup:

modem - [isp] router [10.10.10.0/24] - [red, 10.10.10.0/24] ipfire [green, 10.10.11.0/24] - client B1 (10.10.11.2), B2 (10.10.11.3)
                 |
                 |- client A1 (10.10.10.2), A2 (10.10.10.3), etc.

The clients A1-x are old ones and they should work as before without restrictions within the LAN and also on the Internet. It’s fine.

The plan: the new clients in the green network (B1-x) should have access to the Internet, but not to the devices A1-x (red network). Actually, if I block the red network for the clients B1-x, they unfortunately also have no access to the Internet.

Is it possible to allow internet access for clients from the green network without having access to clients from the red network without any additional hardware?

Thanks a lot :slight_smile:

I think so. This is what I would do in the Web User Interface:

  1. define a group of hosts, using firewall/firewall groups (first create the host list to be protected from green, then group it with a name)
  2. firewall/firewall rules/new rule
  3. Source: standard network/green
  4. Destination: network/host group/the group defined in 1.
  5. Protocol: all
  6. Reject
  7. save
  8. apply new rule

Here you will find the complete documentation of the firewall.

4 Likes

Hi cfusco,
Thanks a lot! This works like a charm. :slight_smile:

One further question: it would be great if I could block all clients from the red network without entering them individually (for example temporary DHCP clients). Then you could allow individual hosts with a whitelist and set this rule higher up. Would something like this also be possible?

1 Like

Yes, that way should work as well; as you said, allow before block.

Yes, this works, thanks a lot.

The solution was to reject access to a custom-created network (10.10.10.0/24 in my case) instead of selecting the red network (which is actually the same network, but never mind).

Thank you! :slight_smile:

1 Like
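To make the rule ordering from this thread concrete (whitelist entries above the reject rule for 10.10.10.0/24, with green otherwise allowed out to the Internet), here is an added first-match rule evaluator. It is example code written for this page, not part of IPFire; the networks come from the thread, and the default-accept policy for traffic that matches no rule is an assumption standing in for the firewall's normal green-outbound behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Networks from the thread: green (new clients) and the custom network object
# that was created for the old LAN behind the ISP router (same subnet as red).
GREEN = ipaddress.ip_network("10.10.11.0/24")
RED_LAN = ipaddress.ip_network("10.10.10.0/24")


@dataclass(frozen=True)
class Rule:
    action: str                     # "ACCEPT" or "REJECT"
    src: ipaddress.IPv4Network      # matching source network
    dst: ipaddress.IPv4Network      # matching destination network


def build_rules(whitelist):
    """Allow-before-block: one ACCEPT per whitelisted red host, then a single
    REJECT covering the whole 10.10.10.0/24 network (the thread's final rule)."""
    rules = [Rule("ACCEPT", GREEN, ipaddress.ip_network(f"{host}/32"))
             for host in whitelist]
    rules.append(Rule("REJECT", GREEN, RED_LAN))
    return rules


def evaluate(rules, src, dst, default="ACCEPT"):
    """First-match evaluation, as a firewall rule table behaves.
    The default is an assumption: traffic matching no rule (e.g. green to the
    Internet) is allowed, which is what the thread relies on."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return default


if __name__ == "__main__":
    # Constructed sample flows: B1 to A1, B1 to a whitelisted A2, B1 to the Internet.
    rules = build_rules(whitelist=["10.10.10.3"])
    for dst in ("10.10.10.2", "10.10.10.3", "93.184.216.34"):
        print(f"10.10.11.2 -> {dst}: {evaluate(rules, '10.10.11.2', dst)}")
```

Reversing the list (reject above the whitelist entries) makes the whitelisted host unreachable, which is why the allow rule has to sit higher up.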