Can I use Static Routing to run traffic from a 2nd network through IPFire?

We have two static IPs from our ISP. They both share the same WAN gateway. Currently, we have IPFire on our internal network as the firewall. The 2nd (guest) network is on its own consumer router. Both routers feed into a switch, which then goes to the ISP gateway. So both networks are sharing the same bandwidth the ISP provides, but cannot communicate with each other.

I would like the outgoing traffic from the guest network to go through IPFire so that IPFire can manage the QoS of that network’s outgoing traffic. Is there a way to set this up through Static Routing? Do I need to configure both IPFire and the guest router’s Static Routes? Or is it even possible?

So for example, our two static IPs from the ISP are
50.50.50.1
50.50.50.2
and both share the same gateway of
50.50.40.1

I was thinking that some communication could be set up through the shared gateway.

Because this is a guest network, I don’t want guest traffic to be able to access IPFire’s network devices. I just want guest internet traffic to go through IPFire’s QoS before heading out to the internet.

Thanks in advance.

I do not believe you can achieve your goal with static routes. However, I might be wrong. I would follow instead another strategy.

Can you connect the router of your 2nd network (guest network) directly to the BLUE interface of your IPFire system, effectively isolating it from your main network (GREEN)? You should also set up appropriate firewall rules on IPFire to ensure that there’s no access from the guest network to the main network.

Considering your multiple static IPs from your ISP, you could leverage the IP aliasing feature on IPFire’s RED interface. This allows you to handle both IP addresses and route them based on whether they originate from the BLUE or GREEN interface using SNAT rules for the outbound traffic. If you have machines in the guest network that need to be reachable from the RED interface, you can do DNAT as well.

If you do not have a static connection on the red interface but a ppp one, you can still have multiple public IPs using this hack.

This way you could use QoS for both networks.


The way this normally would be accomplished would be via Policy Based Routing. I am too new to IPFire to know if it has that feature though.

Welcome to our community.

Currently, the Web User Interface (WUI) of IPFire doesn’t offer built-in support for Policy-Based Routing (PBR). However, underlying the WUI is a fully-featured Linux router which can be configured to implement PBR using the ip command via the console or through a script placed in firewall.local. Unfortunately this requires an experienced network engineer.

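A sketch of what the two replies above describe, written in the style of IPFire's firewall.local: the second public IP as an alias on RED, a policy-routing table for the BLUE (guest) subnet, SNAT so guest traffic leaves as the alias, and a forward rule keeping BLUE out of GREEN. This is an added example, not code from the thread or from the IPFire project; the interface names red0/blue0/green0, the constructed 10.1.1.0/24 BLUE subnet, routing table 100 and the CUSTOMFORWARD/CUSTOMPOSTROUTING chains are assumptions.

```shell
#!/bin/bash
# Added example in the style of /etc/sysconfig/firewall.local; not IPFire code.
# Assumptions: RED is red0, BLUE is blue0, GREEN is green0, the guest router's
# WAN port sits in the constructed BLUE subnet 10.1.1.0/24, routing table 100 is
# unused, and local rules belong in the CUSTOMFORWARD / CUSTOMPOSTROUTING chains.
RED_IF=red0
BLUE_IF=blue0
GREEN_IF=green0
GUEST_NET=10.1.1.0/24        # BLUE side, where the guest router's WAN port lands
GUEST_IP=50.50.50.2          # second public IP from the thread, used as the RED alias
GATEWAY=50.50.40.1           # shared ISP gateway from the thread
TABLE=100

# DRY_RUN=1 prints each command instead of running it, so the rule set can be
# reviewed on a workstation without red0/blue0 before it touches the firewall.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

start() {
    # Second public address as an alias on RED (same effect as the IP aliasing feature).
    run ip addr add "$GUEST_IP/32" dev "$RED_IF"
    # Policy-based routing: packets sourced from the BLUE subnet consult table 100.
    # Today that table points at the same gateway as the main table, so only QoS
    # and SNAT differ; it is the hook for giving the guest network its own path later.
    run ip route add default via "$GATEWAY" dev "$RED_IF" table "$TABLE"
    run ip rule add from "$GUEST_NET" lookup "$TABLE"
    # Guest traffic leaves as 50.50.50.2; conntrack maps the replies back.
    run iptables -t nat -A CUSTOMPOSTROUTING -s "$GUEST_NET" -o "$RED_IF" -j SNAT --to-source "$GUEST_IP"
    # Isolation: nothing from BLUE may be forwarded into GREEN.
    run iptables -A CUSTOMFORWARD -i "$BLUE_IF" -o "$GREEN_IF" -j DROP
}

stop() {
    # Undo in reverse order so a reload leaves no stale rule or route behind.
    run iptables -D CUSTOMFORWARD -i "$BLUE_IF" -o "$GREEN_IF" -j DROP
    run iptables -t nat -D CUSTOMPOSTROUTING -s "$GUEST_NET" -o "$RED_IF" -j SNAT --to-source "$GUEST_IP"
    run ip rule del from "$GUEST_NET" lookup "$TABLE"
    run ip route flush table "$TABLE"
    run ip addr del "$GUEST_IP/32" dev "$RED_IF"
}

case "${1:-}" in
    start)  start ;;
    stop)   stop ;;
    reload) stop; start ;;
esac
```

Run it as `DRY_RUN=1 ./firewall.local start` first to read the generated commands; the QoS classes in the WUI then apply to the guest flows because they cross red0 like any other traffic.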

Ahh, that’s fantastic. I’m a Network Engineer by trade so I’ll have to poke around on that :)
