Clients with fixed IP addresses blocked through IPFire firewall


I have just set up an IPFire box and it’s working great using DHCP.

However… I have several client computers (in the GREEN interface) that need/must have fixed IP addresses set up on the actual computer. I know IPFire can fix a DHCP allocated IP address to a client using the MAC address (that works fine) but I want to have the IP address fixed/set in the networking setup of the actual client machine.

When a client machine has its IP address fixed as static on the actual machine IPFire seems to block that computer even if the IP address of the client is the same as the DHCP allocated IP address which is fixed using the MAC address.

By permanently setting IP addresses on the physical client machine (not using DHCP) IPFire does not seem to allow that computer/system access through the firewall.

It seems IPFire only allows computers with a DHCP address that IPFire has physically allocated through the firewall.

Is it possible to fix/set IP addresses as static on the client computer and still have IPFire let those machines through the firewall? If so how is it done?

Do all computers have to be allocated an IP address by the DHCP part of IPFire to get access through the IPFire firewall?

Thank you in advance for your help :slight_smile:

I don’t seem to follow …

I have one Proxmox server; in IPFire, Network > Edit hosts, I added it.
When I’m on that server, I can ping outside.

  1. Can you show the configuration of your DHCP?
     WUI → Network → DHCP Server

  2. Can you show the network configuration of a host with a fixed IP address?

  3. How many hosts with fixed IP address do you need in your GREEN network?



Thank you for your reply.

I tried adding the client computer in the Network → “Edit Hosts” but it still can’t see the internet…


Thank you for your reply.

Attached are three screen shots showing the config on the client computer (Windows 10), the set up of the DHCP on IPFire and the main IPFire config. Ideally it would be great if 10 computers/devices on the IPFire protected LAN could have IP addresses directly fixed on them.

Thank you in advance for your help :slight_smile:

Screen shot of the IP set-up on the client computer :


Screen shot of the IPFire DHCP configuration on the client computer :

Screen shot of the main IPFire configuration on the client computer :

I should add that I am trying to set things up so, if necessary, the IPFire box can be bypassed and the computers attached to the network will still function. Hence the dual DNS servers in the client computer IP configuration.

It all works providing DHCP is enabled in IPFire but if the IP address is set directly on the client computer it doesn’t get through the Firewall.

The static IPs should be outside the DHCP range. The range you have is .1 - .249.
Make your range .100 - .249; the first 99 IPs will be statically configured.
Are you sure about the gateway .254?


Your green lan has the same subnet as your red network. Green must be a different subnet from red.



Thank you for your solution - it works :slight_smile:

In the unlikely event of the hardware running the IPFire box failing all I need to do is unplug the cable that goes to the GREEN IPFire interface network card and plug it directly into my router. Then I give the router the .250 IP address and everything works just as before but without the protection of IPFire so I have time to get the IPFire box restored.


Thank you for your reply.

I should say that while I am an IT professional my expertise is not in networking.

It seems that GREEN and RED can be the same subnet and the firewall allows it so long as the IPFire DHCP does not overlap any IP addresses that are statically fixed on the client computers. It works if IPFire knows about an IP address (by allocating the IP address by DHCP or the traffic coming to the GREEN interface) to the remote clients that are attached to the GREEN network interface.

It appears the interface (RED or GREEN) the traffic is coming from is the important thing as to how the traffic is treated rather than the subnet. Is this how it’s meant to be (?) because it works…

The basic functionality of IPFire is a router.
This demands that the different interfaces belong to different networks.
All other functionalities running on top of routing rely on that.



Thank you for your reply.

It seems that IPFire can also be used to protect a network from one server/device on the same IP range by connecting the RED interface to the server/device that you want protection from and the GREEN interface to the rest of the subnet (i.e.

In my set up the RED interface is a network containing just the router that provides the gateway to the www and the GREEN interface is the whole of the rest of my network with multiple servers and devices attached. All devices have IP addresses in the range

Providing devices with the same IP address do not exist on both RED and GREEN interfaces/networks it appears to work.

If all IPs are elements of the network the devices on GREEN cannot be protected from the WAN. WAN (red) and LAN (green) are on the same logical network. That means they can communicate freely with each other. Further the routing function cannot know which interface to use for, for example.

Our wiki contains some articles about basic functionality of the IPFire SW. You can find some links to basic networking articles also.



Thank you for your reply.

Although I have knowledge in the IT field my expertise is not specifically with networking…

So in that case to solve the problem I should use another IP range for the RED interface (e.g. and stay with for the GREEN - will that sort the issue?

Surely IPFire should prevent the RED and GREEN being on the same subnet (e.g. during the setup/configuration phase of implementation? Is this not a potential flaw/bug in the software?
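
Added example, not part of the thread and not IPFire code: a small pre-deployment check for the two points raised in the replies, that RED and GREEN must be different subnets and that hand-configured static addresses must sit outside the GREEN DHCP pool. The function name, host name and all 192.168.x.x addresses are constructed for illustration; only the host parts (.1, .100, .249) follow the thread.

```python
import ipaddress

def check_plan(red, green, dhcp_start, dhcp_end, static_hosts):
    """Return a list of problems in a RED/GREEN addressing plan.

    red / green: interface address with prefix, e.g. "192.168.1.253/24"
    dhcp_start / dhcp_end: first and last address of the GREEN DHCP pool
    static_hosts: {name: address} for clients configured by hand
    """
    problems = []
    red_net = ipaddress.ip_interface(red).network
    green_net = ipaddress.ip_interface(green).network
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)

    # A router needs each interface on its own network to pick an egress.
    if red_net.overlaps(green_net):
        problems.append(f"RED {red_net} overlaps GREEN {green_net}")
    if start > end or start not in green_net or end not in green_net:
        problems.append(f"DHCP pool {start}-{end} is not a valid range inside GREEN")
    # Static clients must be on GREEN but never inside the dynamic pool.
    for name, addr in sorted(static_hosts.items()):
        ip = ipaddress.ip_address(addr)
        if ip not in green_net:
            problems.append(f"{name} ({ip}) is outside GREEN {green_net}")
        elif start <= ip <= end:
            problems.append(f"{name} ({ip}) is inside the DHCP pool")
    return problems

# Constructed plans: BEFORE mirrors the layout described in the question,
# AFTER applies both pieces of advice from the replies.
BEFORE = dict(red="192.168.1.252/24", green="192.168.1.253/24",
              dhcp_start="192.168.1.1", dhcp_end="192.168.1.249",
              static_hosts={"win10-client": "192.168.1.20"})
AFTER = dict(red="192.168.0.2/24", green="192.168.1.253/24",
             dhcp_start="192.168.1.100", dhcp_end="192.168.1.249",
             static_hosts={"win10-client": "192.168.1.20"})

if __name__ == "__main__":
    for label, plan in (("before", BEFORE), ("after", AFTER)):
        print(label, check_plan(**plan) or "ok")
```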