Because I’ve not disabled the internal proxy access, the solution is
Use a blank password
Kenneth,
The only problem I see is that if you have the boxes checked to disable internal proxy access to green or blue, might cause a problem.
This is somewhat a normal design, and this potentially may be your configuration. I don’t know, but in this architecture, there is a switch setting off the blue connected to a wifi access point only on its WAN port.
OR
It could be like this, where there is a physical WiFi Card in the Firewall broadcasting its SSID, on the Blue Interface.
OR
It could be like mine which is different and I have my WiFi WAN port running to the same switch that the network is hosted on. The DHCP of the WiFi is 10.x.x.0/24 and the DHCP of the LAN is 172.x.x.0/24, but both flow through the green interface.
What I am saying is, depending on your architecture design, will dictate what options should be enabled or disabled.
Eric
You cannot have two networks on green!
And what is the firewall on the red network?
Your second picture is a standard configuration for IPFire. The first picture is also standard if your “switch” on blue is an AP.
Your third picture, which shows your architecture is very “special” and should be explained a much more, to hold as configuation advice.
-Bernhard
Hello Bernhard,
Yes, that is how I chose to design my internal network. Works like a charm too. Wifi is isolated on a second network on green behind the wifi access point I have. Its a special high powered wifi router.
Eric
Berhhard,
When I get a few minutes I will throw together a quick diagram as to how I have it laid out.
Eric
Eric, some postings in other threads don’t sound as “working like a charm” 
Hi Benhard,
Network traffic flow internal and web proxy and url filter work fine. Its the basics of the direct green interface direct with DNS, not so much of which I was having problems with. Did you see that I found most of the problem already Bernhard? Maybe you missed that post?
I wouldn’t be what you call a novice. I work on major corporate firewalls and have done so for 20+ years along with a lot of other major network security appliances. Sometimes however, that doesn’t overrule the GUI to backend code for software that someone wrote. Also, if its just a wrapper for Linux packages, thst wrapper still interfaces with the applications behind it. LoL, honestly I am a hairs throw from tearing the gui down to code and looking at it so I can figure out how the guts work.
That is unless someone has the raw code somewhere I can download and look at? LoL
Eric
Eric, I didn’t think you are a novice. Otherwise your configuration wouldn’t work.
But you nowhere explained, how your installation works.
- what devices have you integrated besides IPFire and how?
- how did you configure your network? WUI settings, special settings from the CLI.
BTW: IPFire is based on LFS. Thus all code is accessible by source, if you want to do read it.
The main structure of IPFire is:
- setup the config files for the modules constituting the system during the installation/setup process.
- configuration is done through the web user interface, these scripts write the parameters to the ‘real’ config files. Special options can be written to xx.local files, these are not overwritten by updates. The settings from the WUI are stored in the associated ‘settings’ files.
- there are up to 4 distinct networks: red(WAN), green(LAN), blue(WLAN, either by internal AP on WLAN adapter or external AP), orange(DMZ). The data flow between these nets is defined in the wiki.
It would be interesting, how your installation fits with this structure.
Bernhard,
Note, What I said above is:
That does not offer up as configuration advise, but in the “real world”, companies don’t always go exactly by the book although there is RFC guidelines. I personally just like pushing the envelope to see what I can and can not get something to do. LOL.
In any event, this is what my network looks like:
My Web Proxy: Works as expected
URL Filter: Works as expected
Firewall: Works as expected
DNS: Ehh, Works OK…
** Note on DNS **
After many hours of looking into why DNS wasn’t working correctly, I think most of it had to do with 8.8.8.8 and 8.8.4.4. Broke like no ones business, however, the second I put in 1.1.1.1 or one.one.one.one, it came right to life. Never in a million years would have thought Google DNS would have been a problem, but lessons learned. Still toying with it when I have a moment or two, but its fine tuning along the way. Eventually I will fully get DNSSEC working.
1 Like
Eric,
okay the shown system is just a somewhat “standard” IPFire RED-GREEN config.
The fact that your wireless devices are attached by a AP on green just doesn’t matter, I think. You just have not to allow traffic between wireless and wired devices, because they logically belong all to GREEN.
Concerning the DNS problems just my honest opinion.
- google isn’t so trustful to me that I choose it as DNS server. So it doesn’t matter whether DNSSEC is handled right by them.
- If you choose one of the DNS servers listed in the wiki as good for DNSSEC, you should have problems with DNS resolution. If you know some other well functioning servers, you are invited to contribute to the wiki. Your account at people.ipfire.org allows that.
1 Like
Hi Bernhard,
Right, logically WiFi does all belong to Green in this case, but as it stands for Blue, I had tried to run cat 8 off of another interface for that WiFi Router and had a hard time getting it to work. I eventually moved it where it is now.
I will look for that Wiki page with the DNSSEC section.
Eric
Eric,
The stumbling block on the Cache Manager was that a ‘visible host’
had been used when none existed. By emptying that box cache manager
appears to operate with any configuration.
Still, Firewall Logs are empty and the logo-graphs. Also when
disabling the squid to green subnets the IPS doesn’t update.
I don’t know the answer to that one Kenneth. I would like to help, but I can’t image this in my mind to resolve from that prospective.
You were very helpful. Went through the entire rotary of possibilities only to discover it was my own mis-labeling - thinking that a Host was necessary: ipfire. When remaining blank the CM opens easily.
Well I am sure glad we figured thst one out. It happened to me too, but at the time I just couldn’t remember the fix.
Just let me know.
- How did you configure the password?
- What user name/manager name do you use in the access page?
- Can you open all topics in the cache manager menu?
Hi Bernhard, Is your reply answered? My configuration error was enabling a “Host” and when that was removed access was and still is normal - Password is blank.
Hi Kenneth,
my questions are not answered, really.
I have success with a blank password only, too.
While the CM is working there are Hidden Files, which could report on the CM system - such that its parameters could be tweaked. Anyone know how to make those files visible or more specifically how to tune the CM for speed - it appears sluggish: ipfire mini with a 1hz CPU , 4GB memory + Clamav?