Can't access Orange from Green

Hi
I have the same problem.
I have a device in the Orange DMZ that I can’t access from Green. I should be able to go from Green to Orange but I can’t.
I tried adding a specific rule to permit Green to the IP address in Orange.

image1014×394 16.6 KB

I can’t ping the device. I get unreachable
The device has a webserver running. I can’t reach that from Green.
I should be able to ssh from Green into the device CLI. I can’t do that either.
I don’t see anything in the logs.

The Green subnet is on xx.yy.21.0
The Orange subnet is on xx.yy.23.0

Any advice would be appreciated.

Post moved to new topic as as other post was about trying to block access from green to orange

What does your Zone Configuration look like?

This is my zone config.

image1019×520 21.3 KB

So the zone configuration looks fine.

What do you have for the IPFire console command

ip address show

This will show if orange has been connected or not.

Hi
This is what was returned for orange:

image871×68 4.12 KB

Also, this was done with a puTTY session/connection from my PC over the green network to ipFirewall.
I can ping the Green network, but I can’t ping the Orange from this PC.

That also looks fine.

Then you need to check on your PC in the orange zone what IP has been set on that.

I presume that you have set the IP on the Orange PC as a static IP or you have a DHCP server on Orange to provide the IP.

Hi
I don’t have DHCP enabled on Orange. It was my understanding that everything on Orange needed a static address to be accessible from the Internet.
The device I have on Orange has the correct static IP address. I have confirmed that.

so as far as I can tell, everything is setup correctly, but I still can’t ping/connect from Green to Orange.

correct - there’s no way to enable DHCP on Orange Network. You must use static Address on Orange.

you don’t need any Rule to access from Green → Orange!

what about Firewall / Firewall Options / Masquerading/NAT - NAT enabled?

Hi
When I am logged onto ipFire CLI, and then ping the device on Orange, I get a return.

So I can ping the device on Orange from within ipFire, but not from Green.

there’s no need to Hide/Masquerade private IP’s form your local Network.

No one can access from outside…

pls show a Screenshot from System/Home/Network:

network909×127 3.46 KB

are you sure there is no Client Firewall blocking from Green to Orange Subnet?

How is the topology of your network? Physical or virtual? If the former, are all your switches working properly, If the latter, are you correctly routing the virtual network? You might discover that your problem is not IPFire configuration at all but something outside its domain. To test this hypothesis I would connect directly to IPFire green interface one machine and the same to the orange assigned ethernet card so to simplify the system. Also, I would make sure as mentioned by @luxskywalker that is not the routing inside your green machine or orange machine the problem due to a local firewall rule. Finally, are you messing with the ICMP traffic?

Check also the arp table in all your machines (also route command can be helpful), maybe you can figure something out from there.

You can have dhcp on orange but it requires you to install a dhcp server onto a machine on orange. That machine usually the must have static ip but all others can then be run from dhcp.
I have that setup and running on my orange zone.

I added this to the wiki.

• https://wiki.ipfire.org/configuration/firewall/default-policy
• https://wiki.ipfire.org/networking
• https://wiki.ipfire.org/configuration/firewall/rules/dmz-setup

sure, but Out of the Box it’s not possible with IPfire

Based on the definition of the orange network

• a local network with servers, which shall be accessible from outside
• to accomplish this, there must be firwall rules to allow inbound traffic for this network
• iptable rules work with IP addresses

there cannot be am ‘out of the box’ solution. A DHCP server for orange needs fixed leases for the servers in the network. How to guess them?
The effort to do this is nearly the same compared to setting static IPs.

Can you ping successfully from your pc in orange to the internet?

Have you added any rules into the firewall.local file?