Can't reach Orange on port 81 from Green

Hi,

I have some trouble reaching the web GUI of my reverse proxy (SWAG from linuxserver.io) on the orange network.

My setup:

To reach my server from the internet I have added the following port forward firewall rule:

To reach the SWAG GUI from the green network I try this rule without success:

A ping from the green network to the orange network works (even with the firewall rule from above deactivated)!

ping 192.168.100.11
PING 192.168.100.11 (192.168.100.11) 56(84) Bytes an Daten.
64 Bytes von 192.168.100.11: icmp_seq=1 ttl=64 Zeit=0.310 ms
64 Bytes von 192.168.100.11: icmp_seq=2 ttl=64 Zeit=0.234 ms
64 Bytes von 192.168.100.11: icmp_seq=3 ttl=64 Zeit=0.226 ms
64 Bytes von 192.168.100.11: icmp_seq=4 ttl=64 Zeit=0.213 ms
64 Bytes von 192.168.100.11: icmp_seq=5 ttl=64 Zeit=0.260 ms
64 Bytes von 192.168.100.11: icmp_seq=6 ttl=64 Zeit=0.237 ms
^C
--- 192.168.100.11 Ping-Statistiken ---
6 Pakete übertragen, 6 empfangen, 0% packet loss, time 5076ms
rtt min/avg/max/mdev = 0.213/0.246/0.310/0.031 ms

Any idea how to fix my problem?

That is because by default the green subnet can access the orange subnet so you don’t need any firewall rules for your orange PC to access your machine in the orange subnet.

As you are using a non-standard port, are you adding this to your browser URL when trying to access it?

That is clear to me.

Yes, I use http://192.168.100.11:81/ in the browser.

Do you have any firewall rules that already have 192.168.200.21 as the source?

Also, in the logs for the 192.168.100.11 server, are there any signs that traffic from 192.168.200.21 is reaching it at all?

Does the server webgui require a list of allowed IPs to access it and is 192.168.200.21 on that list?

I have searched the internet to see if the GUI requires any settings. It looks like it does not.

I figured out that the browser tries to get a connection. After some minutes I get the error message "Der Server unter 192.168.100.11 braucht zu lange, um eine Antwort zu senden." (The server at 192.168.100.11 takes too long to send a response).

Tomorrow I will follow up on your other suggestions.

Your green port forward rule looks all wrong. Isn’t it saying forward anything from green to 192.168.100.11? If you really want it (and it should not be necessary), remove the NAT.

6 posts were split to a new topic: Firewall rule doesn’t work with IP - need to use a firewall group containing the IP

Have you read this.

A strange idea that may not have anything to do with it.

Are you using a proxy?

81 is not a standard port for “http”. You may need to allow it at the Squid level.

Hope this helps.

Regards.

Rob

Yes, that is why I am going to add the gold zone so I don’t have to set up orange as an inside network and I can have a DMZ zone again.

I’ve worked with most of the Linux modules IPFire uses longer than the existence of IPFire. The reason why I need to ask dev questions is what files I have to edit in their automation programs of the Linux networking and where they stuck certain configuration files, since the directory structure is not a common one.

No, I don’t. These are my firewall rules:

I have not found anything in the configuration or in the documentation for the webGUI. I connected my laptop to the Orange network as a test. Then I can access the webGUI. I therefore assume that it is due to the firewall rules or the setup.
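
An added example, not part of any post in this thread: a small TCP probe, run from the green client, that separates the three outcomes a browser hides behind "takes too long" or "cannot connect". The helper names `probe_tcp` and `interpret` are hypothetical; the address and port are the ones quoted in the thread.

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt (hypothetical helper).

    Returns "open", "refused", "timeout" or "error:<ERRNO_NAME>".
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        # No SYN/ACK and no RST came back within the timeout.
        return "timeout"
    except ConnectionRefusedError:
        # A RST or ICMP port-unreachable came back.
        return "refused"
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def interpret(result):
    """Map a probe result to where to look next."""
    hints = {
        "open": "TCP path and listener are fine; check the application "
                "or a proxy configured in the browser.",
        "refused": "Something answered and rejected the connection: no "
                   "listener on that port, or a REJECT rule.",
        "timeout": "The SYN or its reply was silently dropped: a DROP rule, "
                   "a NAT rewrite, or a host firewall on the server.",
    }
    return hints.get(result, "Routing or local network error: " + result)


if __name__ == "__main__":
    # Address and port as quoted in the thread.
    outcome = probe_tcp("192.168.100.11", 81)
    print(outcome, "-", interpret(outcome))
```

A working ping together with a `timeout` result here means ICMP is passed while TCP port 81 is dropped somewhere on the path or on the server itself.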