Can't connect to port forward from green

I have many public IPs and our preferred method of working is to put specific services behind its own IP and IPFire firewall (e.g. web services on its own IP/firewall, mail on its own IP/firewall, etc). We’ve had this type of setup for years with no issues. Place servers in green (there is nothing else there besides servers) and set up port forwarding on red for those specific services.

The problem I am running into now (seemingly out of the blue) is trying to connect to some of our port forwarding rules from the green network is now being blocked. For example, running Nextcloud and Collabora. You need to be able to reach each server from the other via https. This was working up until recently. Even trying a very specific port forward (pick a random unused port, forward to 443 on an internal server) and logging it, I just get “connection refused” on the client side and nothing in the IPFire logs. Any help or guidance would be appreciated!

Maybe you are another victim of tightening the rule concerning reverse path filtering. Try what @pmueller suggested in this post and see if the problem disappears.

I did try this when it first started happening and there was no change. I’m just at a loss on this one.

How are all these IPFire boxes connected to your uplink? Can you describe the topology of your network? Is it physical or are all virtual machines?

Mostly VMs on isolated host machines. Fiber link comes in from provider, from their equipment to a switch, switch connection to each of the hosts on a dedicated “external” link. Topology hasn’t changed. In fact, on some other IPFire setups, the same situation works with no issue. It’s basically just our web service setup.