Can Blue and Green be on same subnet?

I used to have a simple setup: RED and GREEN.

GREEN was connected to a LAN switch and a wireless access point.

So Wired and Wireless were seamlessly on the same subnet.

Netgear stopped supporting the WAP so I need to discontinue using it.

How could I recreate a seamless Green to Blue pinhole where all wired devices could talk to wireless? Ideally same subnet. I don’t mind manually adding MAC addresses for Blue.

Here is a diagram of my old setup:

What is the problem with two networks connected to two NICs?
From a security aspect it is safe to have two separate networks. The green network (usually Ethernet) has a much stricter physical access mode. You can only connect by wire.
The blue network (wireless) can be accessed/used just by sending/receiving on the frequencies of the AP. You can’t know exactly whether all these devices are allowed and trusted.
Separating these nets allows mechanisms to control the access.

A possible solution (if you don’t have a 3rd NIC) is to install a wireless card capable of AP mode, and the hostapd addon. For trusted devices on blue you can allow access to green.

Thank you Bernhard. I understand the security concept of separating Blue and Green. I will use the MAC address filter for limited security but I prefer if the network functions seamlessly without anyone complaining they can’t access printers etc…

I have a wireless card NIC on Blue and am using the hostapd addon.
How could I keep Blue and Green together so they can share NTP, DNS, printers etc…?

HOSTAPD Client Isolation is OFF

Hi @trish.

How to do this? Easy, by creating rules in the Firewall that allow communication between Blue and Green.

The simple rule that allows this is:

Now, if you want to make it more secure, you would create Services and edit/clone this rule, applying only the previously created service.



Further, you can define a group of known, trusted hosts in blue and allow only this group access to green, not just the whole blue0 network.

As stated before, the selection done by cables in wired networks must be done logically by FW rules in wireless ones.
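The difference between the broad Blue-to-Green rule and the narrowed one (trusted host group plus named services), as an added example that is not part of the original thread and is not IPFire code. It is a small Python model of the policy only; the subnets, host addresses and the service list (NTP, DNS, IPP and raw printing ports) are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: two distinct subnets, one per interface.
GREEN = ip_network("192.168.1.0/24")  # assumed green0 subnet
BLUE = ip_network("192.168.2.0/24")   # assumed blue0 subnet

@dataclass(frozen=True)
class Rule:
    sources: frozenset   # ip_network objects accepted as source
    services: frozenset  # (proto, port) pairs; empty means any service

    def matches(self, src, proto, port):
        in_group = any(ip_address(src) in net for net in self.sources)
        return in_group and (not self.services or (proto, port) in self.services)

def allowed(rules, src, dst, proto, port):
    """Green -> Blue passes by default (as stated in the thread);
    Blue -> Green passes only when a rule matches."""
    s, d = ip_address(src), ip_address(dst)
    if s in GREEN and d in BLUE:
        return True
    if s in BLUE and d in GREEN:
        return any(r.matches(src, proto, port) for r in rules)
    return False

# Broad rule: the whole blue network, any service.
ALLOW_ALL = [Rule(frozenset({BLUE}), frozenset())]

# Narrowed rule: a group of known hosts, and only the shared services.
TRUSTED = frozenset(ip_network(h) for h in ("192.168.2.10/32", "192.168.2.11/32"))
SERVICES = frozenset({("udp", 123), ("udp", 53), ("tcp", 53),
                      ("tcp", 631), ("tcp", 9100)})
RESTRICTED = [Rule(TRUSTED, SERVICES)]

# Constructed probe traffic from Blue towards Green.
PROBES = [
    ("192.168.2.10", "192.168.1.5", "tcp", 631),  # trusted host -> printer
    ("192.168.2.10", "192.168.1.5", "tcp", 445),  # trusted host, unlisted service
    ("192.168.2.99", "192.168.1.5", "tcp", 631),  # unknown host -> printer
    ("192.168.2.99", "192.168.1.1", "udp", 53),   # unknown host -> DNS
]

def exposure(rules, probes):
    """Return the probes that the given rule set lets through."""
    return [p for p in probes if allowed(rules, *p)]

if __name__ == "__main__":
    print("allow-all :", len(exposure(ALLOW_ALL, PROBES)), "of", len(PROBES))
    print("restricted:", len(exposure(RESTRICTED, PROBES)), "of", len(PROBES))
```
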

Trying to understand purpose here. Red, Green, Blue, Orange are just interface assignments. Nothing states any are strictly wired or wireless. You can have an AP on green same as you can have one on Blue or Orange. The Blue interface was just created for security reasons to isolate a subnet.

Fairly sure two interfaces cannot have the same subnet. If it is possible I can only imagine it would cause nothing but issues.

Unfiltered access is completely possible between two zones simply by making one firewall rule allowing all traffic to pass from Blue to Green. Green to Blue is allowed by default.

That’s right. The network names are not tied to wired or wireless.
To clarify (if not yet described in the documentation, our wiki):

  • IPFire2 administers up to 4 networks ( red, green, blue, orange )
  • For separation each network has to be tied to its own NIC ( called red0, green0, blue0, orange0 )
  • Each NIC has its own characteristic wired/wireless
  • The purpose of the four networks is defined by design
    red is the WAN
    green is the LAN
    blue is a second LAN which isn’t as trusted as green, usually established by an 802.11 network
    orange is a network of local servers that can be accessed from outside (WAN) through red0
  • According to the purpose and the trustworthiness, each network has its own access rules, defined by iptables rules.
    These can be altered by further rules. For example to allow access from blue device to green devices.
  • There are no restrictions to the kind of devices placed into the networks.

Another option would be the ‘bridge mode’ - Network Modes - I think this is closest to the request…?

Cheers, Stephan

Another option that I use is to add an old WiFi AP, wired by Ethernet to the Green network.
Put the AP in bridge mode, no DHCP. Any connected device (WiFi or one of the 4 Ethernet ports in my case) is just routed to the green as if direct wired.