Connect 2 homelabs; help with fw rule, please

Dear community,

I’m trying to connect 2 homelabs. My configuration looks like the attached illustration.

I have two Fritz boxes connected via IPsec VPN; the VPN is up and running.

What works:

  • homelab A can connect to my test servers in front of IPFire (e.g. ssh 192.168.222.10) (green 1)
  • homelab B can connect to homelab A (green 2)

What doesn’t work:

  • homelab A cannot connect to homelab B (e.g. ssh 192.168.178.20) (red 3)

I guess IPFire is blocking the connection like it’s supposed to.

In my understanding I need to:

  • define a static route on the Fritz!Box 7430 (192.168.222.1) with IPFire (192.168.222.2) as gateway to 192.168.178.0/24 (see attachment)
  • create a firewall rule on IPFIRE:
    Input: red interface
    Forward: 192.168.178.0/24

Unfortunately I cannot get it to work. Can someone give me a hand please?

Thanks in advance, Joey
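As an added illustration of the route-plus-firewall-rule reasoning in this post (not code from the thread or from IPFire), a small Python model that traces a packet hop by hop with longest-prefix-match route lookups and a stateless FORWARD check at IPFire. The Fritz and IPFire addresses come from the thread; homelab A’s green network 192.168.1.0/24, the router names and the missing return routes are assumptions, and NAT on IPFire’s red interface is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed topology using the thread's addresses. Homelab A's green
# network (192.168.1.0/24) is an assumption. Each router holds a list of
# (prefix, next_hop); next_hop "local" means a directly connected network.
ROUTERS = {
    "ipfire": [("192.168.1.0/24", "local"), ("192.168.222.0/24", "local"),
               ("0.0.0.0/0", "fritz7430")],
    "fritz7430": [("192.168.222.0/24", "local"),
                  ("192.168.178.0/24", "fritz7530ax"),   # IPsec tunnel
                  ("0.0.0.0/0", "internet")],
    "fritz7530ax": [("192.168.178.0/24", "local"),
                    ("192.168.222.0/24", "fritz7430")],  # IPsec tunnel
}
# First router seen by a packet, keyed by the source network.
FIRST_HOP = {"192.168.1.0/24": "ipfire", "192.168.178.0/24": "fritz7530ax"}

def lookup(router, dst, routes=ROUTERS):
    """Longest-prefix match; returns the next hop or None if nothing matches."""
    best = None
    for prefix, nh in routes[router]:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def forward_allowed(src, dst, rules, default_allow):
    """Stateless FORWARD check: rules are (src_net, dst_net) allow pairs.
    A real IPFire is stateful, so replies to allowed flows pass automatically;
    this model applies the policy in both directions for clarity."""
    for s, d in rules:
        if src in ip_network(s) and dst in ip_network(d):
            return True
    return default_allow

def trace(src, dst, routes=ROUTERS, fw_rules=(), fw_default=False):
    """Return (list of routers traversed, outcome string)."""
    src, dst = ip_address(src), ip_address(dst)
    hop = next(r for n, r in FIRST_HOP.items() if src in ip_network(n))
    path = [hop]
    for _ in range(8):  # bound the walk so a routing loop terminates
        if hop == "ipfire" and not forward_allowed(src, dst, fw_rules, fw_default):
            return path, "dropped by ipfire FORWARD policy"
        nh = lookup(hop, dst, routes)
        if nh is None or nh == "internet":  # private prefix with no tunnel route
            return path, f"no route at {hop}"
        if nh == "local":
            return path, "delivered"
        hop = nh
        path.append(hop)
    return path, "routing loop"
```

Running the return trace with the default tables shows the 7530ax has no route back to the green network, which is the gap the static-route discussion in the thread is about.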

:thinking: I wonder if the 7530ax has information about where the 192.168.178.0/24 network is located?
Maybe this route should be added to 7530ax.

Thank you for your proposal!

I tried to add a static route like you described … unfortunately the proposed route doesn’t seem to be valid.

Try changing 192.168.222.1 to 192.168.222.2

Unfortunately the route to 192.168.222.2 isn’t created either.
The error is the same: “The route is not permitted”.

:thinking: Can you show the current routing table in 7530ax?

Another solution/workaround occurred to me – setting up a second Net-to-Net tunnel between 7530ax and IPFire.

Routing in AVM boxes always had a spooky look. I never understood what AVM does.

I used AVM’s manual to connect two Fritz boxes with WireGuard instead of IPsec. I used MyFritz. No additional routing.

No access to the Fritz!Box allowed (meaning: no access to the Fritz!Box menu itself from the internet; this has nothing to do with the automatically allowed access from the distant network to the home net).

Fritz “Portfreigabe” / “port forwarding” is necessary for the OpenVPN data port. Same port for local and internet port. BUT: the local port has to be opened for just one device: the IPFire red IP.

The management port is not needed and may additionally be blocked in IPFire.

Then have a look at the different netmasks showing up automatically in your Fritz boxes, just for interest.

Now I set up OpenVPN n2n in my IPFires on both sides, using the IPFire red IP of the opposite homelab as the remote host, vice versa.

Firewall rules depend on the general firewall policy (all blocked?). If “all blocked”, you need a firewall rule vpn-n2n to green, vice versa. You may need your Fritz!Box home IP as DNS in IPFire networking / domain name servers. This is needed if you use DNS servers in IPFire which are not used in your Fritz box.

No special routing needed in IPFire.

At the moment one of my IPFires is on 197 and the other one on 195.

Access 197 (client) → 195 (server) works. 195 → 197 not tested until now.

Keep in mind n2n seems to be client/server, and (as iptom said) establish another OpenVPN n2n vice versa if needed.

Thank you for your suggestions @tphz and @firecherry.
I will dig into this in the next days and report back how it goes.

You could add the following solution to the tests

Regards