Can't reach my server behind the IPFire

IPFire 2.25 (i586) Core Update 144

I have an ISP with a range of IPs - 217.xxx.xxx.192 - 217.xxx.xxx.198
.193 is the gateway address
.194 my first usable IP (for the mailserver behind the IPFire)
.195 not used/free
.196 my webserver
.197 not used/free
.198 Broadcast

My Setup:

RED 217.xxx.xxx.194
GREEN 192.168.0.200
Gateway 217.xxx.xxx.193
DNS from my ISP

I created aliases for the IPs from 217.xxx.xxx.195 to 217.xxx.xxx.197

I wrote a firewall rule like
Source: all Dest.-NAT 217.xxx.xxx.196 Destination 192.168.0.201 (my Webserver) TCP 443

I log everything and I see that I have a lot of bad traffic which is denied/dropped -
but nothing is written in the log about an allow/deny to 217.xxx.xxx.196 or to Port 443.

I can't see my mistake or what I have forgotten.

Can anybody help me?

Well… Currently you have no referral on IPFire for 217.xxx.xxx.196.
So why should it report anything about that?

I am not sure what you mean?
Where must I write any references? I have checked the box in the firewall to log everything.

I mean that IPFire only manages/connects public IP address 217.xxx.xxx.194, unless you configure more IP addresses on its RED.

I thought for this reason I have to create aliases.

Is it possible that the aliases won't work correctly?

On Zyxel 4.x USG Devices the name is “Virtual interface”.
Aliases should be the right way to add public/red addresses to IPFire … and for me it worked on a test machine.

Have your firewall/NAT rules been double-checked?
Also: did you configure the right routing to use the right address outgoing?

Hello Pike,

My config you'll see in the first post.
How/where do I configure the right routing to use the right address outgoing?

Thx

Ralph

I do not have the environment to test the thing correctly. My test installation is a VM without anything on the green zone, I’m sorry.

But you can post your firewall rules for doublecheck… obviously hiding the info you don’t want to share.

Thanks for wanting to help - but
>…you can post your firewall rules for doublecheck…<
Haven’t you seen my first post? There is nothing more added.

Would you please consider taking a screenshot? In English, if possible.
Feel free to hide/edit any “personal” information with some understandable placeholder.

Sorry Pike - what is your intention - to make the most posts?

No, Ralph. You can believe that if you prefer, but it won’t change that maybe you wrote the exact thing you made, and it’s maybe perfect. But it’s not working as you want/intend.

So, taking a look at the firewall rules (which also contain NAT settings) maybe can make me understand what’s wrong in your setup… if there’s anything wrong.
This is my setup, the only rules I have on my test installation

The only Incoming Firewall Access rule is the one I added. 172.31.110.0/24 is my subnet, but for allowing IPFire to update and not mess up I had to connect Green and Blue to virtual devices currently with no physical connection. Maybe this guest, sooner or later, will land on a host which can be used as a test environment.
The installation is a VMware Player guest; I wrote the Howto on the wiki for helping people to install, gain access and start to configure
https://wiki.ipfire.org/virtualization/vmwareplayer

A screenshot like that, redacted of the information that you feel comfortable hiding, maybe will help me to pinpoint if there’s something to tune up
