Can't access Orange from Green

Hi
When I am logged onto ipFire CLI, and then ping the device on Orange, I get a return.

So I can ping the device on Orange from within ipFire, but not from Green.

There’s no need to Hide/Masquerade private IPs from your local Network.

No one can access from outside…

1 Like

pls show a Screenshot from System/Home/Network:

are you sure there is no Client Firewall blocking from Green to Orange Subnet?

1 Like

How is the topology of your network? Physical or virtual? If the former, are all your switches working properly? If the latter, are you correctly routing the virtual network? You might discover that your problem is not the IPFire configuration at all but something outside its domain. To test this hypothesis, I would connect one machine directly to the IPFire green interface and do the same with the orange-assigned Ethernet card, so as to simplify the system. Also, I would make sure, as mentioned by @luxskywalker, that the problem is not the routing inside your green machine or orange machine due to a local firewall rule. Finally, are you messing with the ICMP traffic?

Check also the arp table in all your machines (also route command can be helpful), maybe you can figure something out from there.

1 Like

You can have DHCP on orange, but it requires you to install a DHCP server onto a machine on orange. That machine usually must have a static IP, but all others can then be run from DHCP.
I have that setup and running on my orange zone.

1 Like

I added this to the wiki.

1 Like

sure, but Out of the Box it’s not possible with IPfire :wink:

Based on the definition of the orange network

  • a local network with servers, which shall be accessible from outside
  • to accomplish this, there must be firewall rules to allow inbound traffic for this network
  • iptable rules work with IP addresses

there cannot be an ‘out of the box’ solution. A DHCP server for orange needs fixed leases for the servers in the network. How to guess them?
The effort to do this is nearly the same compared to setting static IPs.

Can you ping successfully from your pc in orange to the internet?

Have you added any rules into the firewall.local file?

2 Likes

Hi
Just to finish this off, I can now access the Orange server from Green.
It has been a while since I looked at this issue. I’m sorry, I don’t recall what I did to get it working.
I can now ping from Green to Orange.
I can ping from Orange to the Internet.

The only firewall rules I have added are for Blue to Orange access, which doesn’t yet work.

1 Like

Hi
I have this exact same problem again and I don’t know why or how to fix it.

I have done the following troubleshooting:

From the device in the Orange zone (a Raspberry Pi):
I can ping the internet.
I can ping the orange network interface to ipFire vvv.xxx.yyy.1
The device has a fall back profile in dhcpd.conf that assigns a static ip address in the absence of DHCP. The device has the correct ip address.

From the green zone:
I can ping the Orange interface vvv.xxx.yyy.1
but I can’t ping the device in the Orange zone.
I can use PuTTY to ssh into ipFire CLI.
I can no longer use PuTTY to ssh into the device in the Orange zone (connection times out).

From ipFire:
When I look at the ipFire WUI > Firewall Rules, it says Green to Orange is allowed.
I can ping the Orange interface vvv.xxx.yyy.1
I can ping the device in the Orange zone.
I have installed the “Who Is Online” addon. It shows the device in Orange is connected and active.
I can ssh from ipFire into the device in the Orange zone.

Other
I don’t have an internal firewall.
It was working, then it stopped. It may have coincided with an ipFire update but I am not sure if this was the cause, or just coincidence.

This sounds scary (to me!). Please explain in more detail.

The Raspberry Pi should be set up with its own static IP address.

Orange devices should only have static IP addresses (unless you set up a separate DHCP server in Orange).

See: https://wiki.ipfire.org/configuration/firewall/rules/dmz-setup#notes

This sounds scary also… This is what the IPFire does. Please explain in more detail…

You should see messages in the Firewall Logs.


EDIT: see:

3 Likes

Hi
There is no DHCP service on Orange by design. My Raspi dhcpcd.conf is set up to use DHCP by default. If there is no dhcpd service, it defaults to a static address. That all works. It has the correct IP address.

I don’t have a firewall except ipFire. There is nothing behind ipFire that might block ip traffic. There is no other firewall to interfere.

I will make some fresh attempts to make a connection and see what is in the logs.

dazz, to what address does the Raspi default?

The address I set it to. It is a nice feature of DHCPD that allows a static IP to be set up on Orange. There is no DHCP service by ipFire on Orange. The Raspi has to set a static address. So dhcpd.conf is set up to take an IP lease if there is a dhcpd service, or fall back to setting a static IP address.

I have had the network setup for years. I haven’t made any changes that I think could block GREEN->ORANGE traffic.

When I try to make a connection from my PC on Green to the Raspi on Orange.
Direct inspection of the logs (messages) in ipFire. When I attempt to log into the device on Orange with PuTTY, there is nothing in the logs.

This is the same PuTTY that I use to log into ipFire to watch the logs.

I am stuck. I don’t know what to look at next???

I tried adding a firewall rule to provide access from my PC on GREEN to the Raspi on ORANGE. I know this should not be necessary but it didn’t work.

Troubleshooting this issue involves determining whether the Raspberry Pi (RPi) is receiving ping requests from the GREEN zone or if there is a breakdown in communication. Here’s a step-by-step guide on how to check this on a standard Linux distribution:

  1. Identify the Network Interface: Begin by identifying the network interface on the RPi that is connected to the ORANGE zone. Use the ip a or ifconfig command to list all network interfaces and their corresponding IP addresses.

  2. Run tcpdump: Next, use tcpdump to monitor ICMP (ping) packets on the relevant interface. The command should look like this:

    sudo tcpdump -i [interface] icmp
    

    Replace [interface] with the actual network interface name, such as eth0 or wlan0.

  3. Initiate Ping from GREEN Zone: From a device in the GREEN zone, send a ping to the RPi’s IP address in the ORANGE zone.

  4. Observe tcpdump Output: Watch the output of tcpdump on the RPi. If the RPi is receiving ping requests, you’ll see lines displaying incoming ICMP echo requests. These lines detail the packet’s source IP address, destination IP address, and the ICMP message type.

    Example output if the RPi is receiving ping requests:

    12:34:56.789012 IP [source_ip] > [rpi_ip]: ICMP echo request, id 1234, seq 1, length 64
    

    This indicates an ICMP echo request from [source_ip] in the GREEN zone reaching the RPi at [rpi_ip].

Note: tcpdump requires administrative privileges and is executed with sudo. If it’s not installed on your RPi, it can typically be installed via the package manager (e.g., sudo apt install tcpdump on Debian-based systems).

If tcpdump confirms the arrival of ICMP requests but pinging the RPi from the GREEN zone is unsuccessful, the issue likely lies either with the RPi’s response mechanism or a routing problem between RPi and IPfire preventing the response from reaching the GREEN zone. Conversely, if the ICMP packets are not reaching the RPi, this suggests a need to investigate potential routing issues within IPFire.
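
The decision at the end of the procedure above can be made mechanically from the capture. This is an added example, not part of the original post: `classify_capture` is a hypothetical helper that reads `tcpdump -n` text output, and the addresses and sample captures are constructed. It goes one step beyond the post by also looking for echo replies leaving the RPi, which separates an RPi that never answers from an answer that is lost on the return path.

```shell
#!/bin/sh
# Classify a text capture taken on the RPi with: tcpdump -n -i <iface> icmp
# Usage: classify_capture GREEN_CLIENT_IP RPI_IP < capture.txt
# Verdicts:
#   no-request        echo requests from GREEN never reached the RPi (check IPFire forwarding)
#   request-no-reply  requests arrived but the RPi sent no reply (RPi firewall/ICMP settings)
#   reply-sent        the RPi replied; the reply is lost on the way back (RPi route/gateway)
classify_capture() {
    awk -v green="$1" -v rpi="$2" '
        # Line shape: TIME IP SRC > DST: ICMP echo request|reply, id N, seq N, length N
        $2 == "IP" && $4 == ">" && $6 == "ICMP" && $7 == "echo" {
            dst = $5;  sub(/:$/, "", dst)     # strip trailing colon from destination
            kind = $8; sub(/,$/, "", kind)    # "request," -> "request"
            if (kind == "request" && $3 == green && dst == rpi) req++
            if (kind == "reply" && $3 == rpi && dst == green) rep++
        }
        END {
            if (req == 0) print "no-request"
            else if (rep == 0) print "request-no-reply"
            else print "reply-sent"
        }'
}

# Constructed sample data (documentation address ranges, not values from the thread).
GREEN_PC=192.0.2.10
RPI=198.51.100.20
sample_request_only() {
    cat <<'EOF'
12:34:56.789012 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 1234, seq 1, length 64
12:34:57.790120 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 1234, seq 2, length 64
EOF
}
sample_with_reply() {
    cat <<'EOF'
12:34:56.789012 IP 192.0.2.10 > 198.51.100.20: ICMP echo request, id 1234, seq 1, length 64
12:34:56.789101 IP 198.51.100.20 > 192.0.2.10: ICMP echo reply, id 1234, seq 1, length 64
EOF
}
sample_unrelated() {   # RPi pinging the internet only; nothing from GREEN
    cat <<'EOF'
12:35:10.000001 IP 198.51.100.20 > 203.0.113.5: ICMP echo request, id 77, seq 1, length 64
12:35:10.020001 IP 203.0.113.5 > 198.51.100.20: ICMP echo reply, id 77, seq 1, length 64
EOF
}

for s in sample_request_only sample_with_reply sample_unrelated; do
    printf '%s: %s\n' "$s" "$($s | classify_capture "$GREEN_PC" "$RPI")"
done
# Live use on the RPi while pinging from GREEN (interface name is an assumption):
#   sudo timeout 15 tcpdump -l -n -i eth0 icmp | classify_capture <green_pc_ip> <rpi_ip>
```

A `reply-sent` verdict together with a failing ping points at the RPi's default gateway or route back to the GREEN subnet, which ties in with the earlier advice in the thread to check the `route` output.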