If I understand you correctly, you can ping a server in orange from green, but you cannot access this server from green in orange with SSH? If so, your network settings must already be OK if ping works and you are still on a default firewall policy / have nothing blocked. So then I would first look at whether you have firewalled (SSH) on the server itself.
If I understood your setup wrong, please describe more precisely what exactly you do and what you have set up.
I thought about the same, but that’s not the case. Then I went ahead and gave the server in orange a second network interface card, wired to the same switch, and gave it a green static IP. So that server now has two interface cards, one with an orange IP and one with a green IP. I can SSH from green (my Mac) to the green IP of that server, but not to the orange IP. And I verified that SSH is listening on 0.0.0.0. Also HTTP or HTTPS are working/not working in the same way.
So you confirm that the desired behaviour is that I should get an answer, right?
Then I went ahead and gave the server in orange a second network interface card, wired to the same switch, and gave it a green static IP. So that server now has two interface cards, one with an orange IP and one with a green IP. I can SSH from green
Please, don’t ever do this! You certainly do not want a second (unhardened) router to bypass your firewall! Also, re-think enabling SSH from ORANGE to GREEN. What is it you’re trying to achieve, a jump host to get into GREEN?
Have you tried “Destination NAT and Firewall interface: automatic” for the host in ORANGE to the host in GREEN, while defining the source and destination hosts by IP address and protocol as TCP, port 22 (for SSH)?
BTW, are you trying to establish an SSH connection from GREEN to ORANGE or from ORANGE to GREEN? Your posts seem to swap these scenarios.
The server in the DMZ is reachable from red. I want to maintain it from green. So I am trying to establish an SSH connection from green to orange, and I thought with the default policy (allow) this should be doable without any additional rules - or am I missing something?
I get the return to my ping but not ssh or http(s). So maybe ICMP is handled differently. Or is it a missing routing entry?
SSH from GREEN to ORANGE is straightforward. See screenshot. I have first added the hosts in Firewall -> Firewall Groups -> Hosts to be able to select them in the pull-down menu. Subdomains “.green” and “.orange” are for illustration purposes only; I have used unqualified names here, and host1.green is in fact a whole group of hosts.
Let’s take a step backwards: @ttrepper, if I understood this correctly, you are simply trying to establish communication between a machine within GREEN and one in ORANGE.
Unless such communication is denied by a firewall rule, this has to work out of the box, without any changes to IPFire or introducing NAT crutches.
Are you sure the network settings on the ORANGE host (such as default gateway) are set correctly? What operating system is it running?
By using traceroute-like tools (personally, I prefer mtr on Linux/BSD systems), you can find out how far a packet gets and which machine processed it. This, however, should not be necessary either - in almost all similar cases, there were misconfigured network settings.
This being said, could you please check the machine in ORANGE again and provide more details (routing table, etc.) about it?
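The routing-table check asked for above, as an added example that is not from the thread or from IPFire: it parses `ip route show`-style output and does a longest-prefix lookup to see which interface the ORANGE host would use to answer a GREEN client. The two routing tables, addresses and interface names are constructed; the second table models the two-NIC setup described earlier, where the reply to a GREEN client leaves on the directly connected GREEN interface instead of going back through the ORANGE gateway.

```python
"""Constructed example: which interface does a host use to reply to a client?
Longest-prefix match over an `ip route show`-style table."""
import ipaddress

# Constructed routing tables (illustrative RFC 1918 addresses, not from the thread).
# ORANGE host with one NIC: everything not local goes via the IPFire ORANGE address.
ROUTES_ONE_NIC = """\
default via 192.168.2.1 dev eth0
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.10
"""
# Same host after adding a second NIC with a GREEN address.
ROUTES_TWO_NICS = """\
default via 192.168.2.1 dev eth0
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.10
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.10
"""

def parse_routes(text):
    """Turn `ip route show` lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(prefix, strict=False)
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, via, dev))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def reply_path(routes, client_ip, arrived_on):
    """Report the device (and next hop) a reply to client_ip leaves on, and
    whether that is the same device the request arrived on."""
    route = lookup(routes, client_ip)
    if route is None:
        return {"dev": None, "via": None, "symmetric": False}
    _, via, dev = route
    return {"dev": dev, "via": via, "symmetric": dev == arrived_on}

if __name__ == "__main__":
    for name, table in (("one NIC", ROUTES_ONE_NIC), ("two NICs", ROUTES_TWO_NICS)):
        print(name, reply_path(parse_routes(table), "192.168.1.50", "eth0"))
```

Run it on the real `ip route show` output of the host in ORANGE to see whether replies to your GREEN client actually go back through IPFire.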