Cannot reach Orange from Green

x9060 · 22 March 2020 03:59

ISSUE: I cannot ping Orange firewall interface from Green zone.

I have a PC Engines APU 2E4 with 3 NICs. Installed IPFire to mSATA, and installation worked fine. I’ve caught a Public IP from my ISP on red via DHCP, and am able to reach the Internet from both the Green and Orange zones. I want to be able to reach the Orange zone from the Green zone, and not visa versa, which I believe is the default. For example, I want to deploy a application server in Orange, and be able to reach it from Green (and also from Red via a firewall rule in the future). However, I’m not able to reach even the Orange firewall interface by default.

I’ve literally setup no firewall rules, and the firewall options are set to [the default?] ALLOW for both the FORWARD and OUTGOING options.

QUESTIONS:

Do my settings look good, based on how I intend to use these zones?
Should I be able to ping the Orange interface from the Green zone by default?
What changes do I need to make to fix this lack of connectivity?

My firewall rules and interfaces are setup as follows:

Then from my Laptop, connected to green0, it successfully receives the IP 172.27.0.2, but I cannot ping the Orange firewall interface at 172.22.132.1… Shouldn’t this be possible by default??

Thank you!

x9060 · 23 March 2020 17:57

Can I get any guidance on this please? Totally stuck. I’m referring to the documentation here about the default firewall policy: https://wiki.ipfire.org/configuration/firewall/default-policy

I understand Orange is intended to be used for DMZ, accessible from Red/Internet, but I thought it would also be accessible in the private space directly from the Green zone as well? Especially the NIC on the IPFire hardware itself.

Thank you.

jon · 23 March 2020 19:15

I can ping the Orange firewall interface (.1) and I can ping the device in the DMZ (.2) EDIT: from the Green zone and from the IPFire command line .

Sorry I’m not one of the experts and I am not sure why you’re experiencing trouble.

I do see my broadcast (Bcast) and mask are different for both Orange and Green.

orange0   Link encap:Ethernet  HWaddr 00:xx:xx:xx:xx:xx  
          inet addr:10.7.4.1  Bcast:10.7.4.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:82118 errors:0 dropped:0 overruns:0 frame:0
          TX packets:55451 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:7054800 (6.7 Mb)  TX bytes:4278884 (4.0 Mb)
          Memory:d0700000-d071ffff

anon42188109 · 23 March 2020 19:38

the masks (green, orange) are not the usual 255.255.255.0
Is that by design?

hjkl · 23 March 2020 20:46

Yes, it is by default…
Orange spells DMZ while Green = LAN. No traffic is allowed from DMZ to LAN unless you build that rule.

Same from OpenVPN to Green…you have to build those rules…otherwise FW denies that.

H&M

x9060 · 23 March 2020 20:58

Yes, this is by design. I deliberately made the netmasks smaller than the default /24.

x9060 · 23 March 2020 21:00

So, I need to add a ICMP rule for Orange to Green to allow ping to work?

For example, I want to have an Apache web server in Orange, and see the website from Green. Do I need a rule for port 80 to allow traffic which way in IPFire? Or is it possible without any custom rules?

anon33261557 · 23 March 2020 21:02

They look unusual but functional for me. You have 2 ip for green. So its ok.

Yes

Are you sure orange is up while you test from green? Are you have anything pluged in orange while test? I guess if not then probably orange is down. Iam not sure about just a guess.

hjkl · 23 March 2020 21:25

Yes, if I remember this right…

An old but good example is on the old forum: https://forum.ipfire.org/viewtopic.php?f=27&t=1831&p=13489&hilit=ICMP+from+Orange+to+green#p13464

x9060 · 24 March 2020 00:50

I’m still getting 100% packet loss… any other diagnostic info I can provide to help troubleshoot? Logs from IPFire UI or console?

I’ve verified, all Interfaces are up. I can ping orange0 from the IPFire console…

Just cannot ping orange0 from a device attached to green0 (172.27.0.2). I can only ping the green0 interface, 172.27.0.1.

x9060 · 24 March 2020 18:39

What should be my next steps? I’m wondering if it’s a hardware problem? I was hoping PC Engines APU boards were fairly standard. Is there a way I can go back to “factory” OS settings? Or should wipe the mSATA and restart?

x9060 · 25 March 2020 07:15

Changing the NIC Assignments to MacVTtap seems to help, but I’m not sure this is best practice here?