[DMZ] Green to Orange and back?

Hi all,
I am trying to get my DMZ set up but I am struggling to get an answer from the DMZ hosts. I have

  • red connected to my ISP (public IP via DHCP). Currently I am using NAT for certain ports to forward into green; this should be replaced by forwarding into orange (works).
  • orange (192.168.2.0/24)
  • green (192.168.0.0/24)

What works is:

  • NAT for certain ports from red to orange (and getting an answer, for example website (HTTPD))
  • Ping from green to orange and getting an answer

What does not work:

  • getting an answer from orange back to green. For example SSH, telnet etc.

I have looked and searched, I found that it could be a routing problem (but how do I solve it?). I think I do not need DMZ-pinholes because orange is not actively initiating traffic into green.

Any help is more than appreciated. Thanks a lot in advance.

If I understand you correctly, you can ping a server in orange from green, but you cannot access this server in orange from green with SSH? If so, your network settings must already be OK if ping works and you are still on a default firewall policy / have nothing blocked. So it sounds to me like I would first check whether you have firewalled (SSH) on your server itself.

If I understood your setup wrong, please describe more precisely what exactly you do and what you have set up.

Hi Tulpenknicker,
I thought about the same but that’s not the case. Then I went ahead and gave the server in orange a second network interface card, wired to the same switch and gave him a green static ip. So that server now has two interface cards, one with an orange ip and one with a green ip. I can SSH from green (my mac) to the green ip of that server, but not to the orange ip. And I verified that ssh is listening on 0.0.0.0. Also http or https are working/not working in the same way.

So you confirm that the desired behaviour is that I should get an answer, right?

Tried again, works from green to green interface-ip but not from green to orange interface-ip. When I try to open a connection to the service on orange I see something like this in my fw-log:

DROP_NEWNOTSYN green0 TCP 192.168.0.221 57613 192.168.2.86 443

Any ideas? Thanks a lot in advance

Then I went ahead and gave the server in orange a second network interface card, wired to the same switch and gave him a green static ip. So that server now has two interface cards, one with an orange ip and one with a green ip. I can SSH from green

Please, don’t ever do this! You certainly do not want a second (unhardened) router to bypass your firewall! Also, re-think enabling SSH from ORANGE to GREEN. What is it you’re trying to achieve, a jump host to get into GREEN?

Hi Data Morgana,

As I have said, I have added the second network interface card to isolate the error. My problem is still the same - I cannot get from green to orange, for example via SSH for server maintenance.

Any ideas?

Have you tried “Destination NAT and Firewall interface: automatic” for the host in ORANGE to the host in GREEN, while defining the source and destination hosts by IP address and protocol as TCP, port 22 (for SSH)?

BTW, are you trying to establish an SSH connection from GREEN to ORANGE or from ORANGE to GREEN? Your posts seem to swap these scenarios.

The server in the DMZ is reachable from red. I want to maintain it from green. So trying to establish an SSH connection from green to orange and I thought with the default policy (allow) this should be doable without any additional rules - or am I missing something?

I get the return to my ping but not ssh or http(s). So maybe ICMP is handled differently. Or is it a missing routing entry?

SSH from GREEN to ORANGE is straightforward. See screenshot. I have added the hosts at first in Firewall -> Firewall Groups -> Hosts to be able to select them in the pull-down menu. Subdomains “.green” and “.orange” are for illustrative reasons only, I have used unqualified names here and host1.green is in fact a whole group of hosts.

You missed the check box.

Would a static route work?
https://wiki.ipfire.org/configuration/network/static
Or is that the wrong application?

You missed the check box.

Actually I was referring to this 🙂

Would a static route work?

I don’t see the need to touch anything here.

A static route did not work for me. The only thing working was source-nat like in the screenshot. Of course more fine-grained with ports - this was for testing and works. But I don’t understand it.

Is anyone able and so kind as to explain this behaviour, please? What am I missing?

Hi all,

let’s take a step backwards: @ttrepper, if I understood this correctly, you are simply trying to establish a communication between a machine within GREEN and one in ORANGE.

Unless such communication is denied by a firewall rule, this has to work out of the box, without any changes to IPFire or introducing NAT crutches.

Are you sure the network settings on the ORANGE host (such as default gateway) are set correctly? What operating system is it running?

By using traceroute-like tools (personally, I prefer mtr on Linux/BSD systems), you can find out how far a packet gets, and which machine processed it. This, however, should not be necessary either - in almost all similar cases, there were misconfigured network settings.

This being said, could you please check the machine in ORANGE again and provide more details (routing table, etc.) about it?

Thanks, and best regards,
Peter Müller
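
The routing-table check requested in the last post, as an added example that is not part of the thread: it reads `ip route` output from the ORANGE host and reports whether a reply to the GREEN client would travel back through the firewall or leave by another path, in which case the firewall sees only one direction of the TCP connection. The routing tables are constructed; the interface names, the address 192.168.0.50 and the firewall's ORANGE address 192.168.2.1 are assumptions.

```python
import ipaddress

# Constructed `ip route` output for the ORANGE host. Interface names, the
# green address 192.168.0.50 and the gateway 192.168.2.1 are assumptions.
DUAL_HOMED = """\
default via 192.168.2.1 dev eth0
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.50
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.86
"""
ORANGE_ONLY = """\
default via 192.168.2.1 dev eth0
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.86
"""
NO_DEFAULT = """\
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.86
"""

SKIP = ("unreachable", "blackhole", "prohibit", "local", "broadcast")

def parse_routes(text):
    """Parse the unicast lines of `ip route` into (network, gateway, dev)."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in SKIP:
            continue
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(prefix, strict=False)
        gw = tok[tok.index("via") + 1] if "via" in tok else None
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((net, gw, dev))
    return routes

def reply_path(routes, client_ip):
    """Longest-prefix match: the route a reply to client_ip would take."""
    dst = ipaddress.ip_address(client_ip)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def check(route_text, client_ip, firewall_orange_ip):
    """Classify whether replies to the GREEN client go back via the firewall."""
    hit = reply_path(parse_routes(route_text), client_ip)
    if hit is None:
        return "no-route"        # no default gateway: the reply cannot leave
    _net, gw, _dev = hit
    if gw == firewall_orange_ip:
        return "via-firewall"    # symmetric path through the firewall
    return "direct-bypass" if gw is None else "other-gateway"
```
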