Connect two green networks through two ipfire boxes

Hi Everyone

I have a question around how to connect two separate networks (two logically separate subnets on green) with two ipfire boxes, the connection between the ipfire boxes is red, my test setup is as follows

I want to control access between the two networks, either web client can connect to either web server

Is this possible with ipfire? I want something scalable as in setup my firewall rules, then I could add as many devices as I want on the chosen subnets for each network, without having to add in more firewall rules e.g. I could add another two devices on ip address and

I imagine I would have to correctly setup static routes in each ipfire device as well

Could anyone please outline the basic steps needed with the web GUI?

Any help is greatly appreciated


The simplest approach I can think of is to set up a net-to-net openvpn connection between the two IPFire’s.

Thanks for your reply Adolf

This would be perfect if my use case needed security built in, my use case is a project where security will be done on top of the ipfire solution, I just need a way to connect the two networks in an unsecure connection

At a later stage security would be added, at this early stage I want to prove out that I can connect devices on separate green networks, and have a scalable solution

Is there a way to do this with ipfire?


Create a Port Forward firewall rule in the lower IPFire system to allow the green machines from the upper IPFire to be forwarded to the two specific web servers in the lower green network.

For testing you could just create a port forward rule that allows everything on the red network of the lower IPFire to be forwarded to the whole green network of the lower IPFire with all protocols allowed.

Looking at your diagram, I may have misunderstood how it is connected together.
Is the red network of the lower IPFire connected to the green network of the upper IPFire or is the red network of the lower IPFire connected to the red network of the upper IPFire and the admin laptop?
Which IPFire has its red network connected to the internet and are the red networks connected via dhcp or via a static IP?

If the two IPFire’s are connected together on their red networks then the above port forward approach should still work.

The upper IPFire will have the clients access traffic going from green to red and this is enabled by default so the traffic will not be blocked.

The traffic arriving at the lower IPFire’s red interface will be blocked from going to the green interface without a port forward rule in place.

Hi Adolf

There is effectively three separate networks, green at the top, red between the two ipfire boxes and green at the bottom (the admin laptop would be connected to the red network and there would be no connection to the internet for the red network)

I want to have the ability to add devices to either green network (the added device would have to be on the subnet)

All devices on either the red or green networks have static IP addresses

green network 1 subnet: 192.168.0.X
green network 2 subnet: 192.168.1.X
red network subnet: 192.168.2.X

Could I setup firewall rules to allow any devices in the red network (192.168.2.X) to pass traffic to the green network?

Currently I can only setup port forwarding rules to send data through a port to a specific device