DMZ with Orange and Green

I am a little bit confused with DMZ with Orange and Green. I have a BT download server, for the other router like PFSense, TP or Netgear, I just need to set DMZ to my download server. If I have a web server, I can set a port forward to the web server. But with IPFire, I couldn’t find a way that just DMZ to my download server. Is the Orange zone just for isolate the network from Green? What is the purpose of the Orange zone, since I have to set port forward any way.

Hi @seantree

Welcome to the IPFire community.

The Orange and Green zones are fully isolated networks. By default anything in Green can connect to Orange but nothing in Orange can connect to Green without a rule to open a pinhole.

You also need to do a port forward rule from Red to Orange.

Generally you don’t want your internet facing servers being in Green because if there is a vulnerability then a hacker can then access all your machines on Green.

See this wiki page on DMZ

1 Like

Hi Adolf,

Thank you for your reply. I have read that page and did a research before I post. Is there any way to DMZ my BT download server and the rest servers will use port forward?

If you mean have the BT Download server in Green and protect it from access from the internet, this can be done if the BT Download Server uses a different port from all the other servers by not port forwarding to that port. However it will still be in the same subnet so if someone finds a vulnerability that allows them to access the port forwarded ports and break out of them then anything in that subnet will be at risk.

If the BT Download Server uses the same port as is port forwarded for the other servers then there is nothing that can be done to separate access to it from the other servers.

A proper DMZ is a separate subnet (hence orange vs green zone) that has firewall rules that prevent all access from/to other subnets without firewall rules being created to allow it. This can not be done within a single subnet unless you are referring to a DMZ host which some commercial routers provide which does not proved the security that a separate subnet provides. IPFire does not provide so-called DMZ Host capability.

See this wikipedia article about DMZ and the section on DMZ Host.

If I am misunderstanding what you are trying to achieve then please provide a few more details of the network topology you are trying to create.

1 Like

That’s a good idea to have an Orange zone. But it’s better to have a DMZ server function, too. BT needs to use a lots of ports, it’s hard to do the port forward.

I have my ISP’s router as the first line. The problem is I can’t do port forward there. I am not going to play it much since it’s ISP owned and may have some specific settings. So, I am looking for a light simple router/firewall to setup it in between my ISP router and my PFSense. I setup an IPFire, but I can’t do DMZ to my BT download server. So, 90% chance I won’t choose it.

Another weird thing is, my IPfire Green port connected to my PFSense WAN port, but my phone in PFSense LAN port get DHCP from the subnet or IPFire Green. My IPFire is in virtual machine, there is no wireless connection. Do you know why?

Your config seems a bit complicated to me.
You are using three devices with similiar functionality ( internet gateway with some kind of firewall ).
How are they connected?
Each device does its own NAT ( the ISP router and IPFire do! ). There are some possible pitfalls.
Isn’t it possible just to use the ISP device as a pure modem ( converting the WAN technology to IP based ethernet )?
What is the purpose of your pfsense device?
How are your networks organised and what do they contain?
What do you mean by DMZ server? A server in a DMZ ( in the IPFire interpretation ) or a device building a DMZ ( of what kind? ) ?

As before, I only have two router/firewalls. One is from ISP, LAN port to my PFSense WAN port, and created a simple secure zone. I put my BT server, Calendar/cloud server, and test server in this zone. BT server is setup for DMZ, the rests are using port forward. PfSense LAN1 creates a secure zone for my home network, all my personal data will be here. LAN2 creates a smart home network, all the smart things are in this zone. LAN1 can go to LAN2, but LAN2 can’t go to LAN1.

But now, I have to add another router/firewall in the middle since the ISP router/firewall can’t configure port forward. So, the plan is, ISP DMZ to the new router/firewall, the new router firewall to PfSense.

My ISP is EBOX, they use vlan+PPPOE connection. I tried to configure it with my DDWRT, but no luck.

If you really want to create a DMZ Host in the IPFire Green Zone then this can be done. It is just not a single button operation.

Place the port forward commands for your Calendar/Cloud server and test server into the IPFire Firewall Rules at the top of the list so they will be operated on first.

Then place a port forward rule as the last rule in the IPFire Firewall Rules that has source as RED or ANY, the destination as the IP Address of your BT server, the action as ACCEPT and the Protocol as All.
This rule will then forward all connections from the Internet to your BT Server, except for those destined for your Calendar/Cloud and test servers.

The above duplicates what commercial routers call DMZ Host but is a bit counter intuitive in that you install IPFire with its firewall that allows you to only allow the access from the Internet that you want and you then open the internet to your BT server and rely on it carrying out the DMZ function. Presumably you have firewall software of some sort on it to deal with all the packet probes and accesses that will come from the internet.

You mention that your ISP’s router/firewall does not allow you to do port forwarding but if it is a firewall I would expect that any packet communication from the internet would be blocked by that firewall, which would require port forwarding to be able to be set up on it to forward the required packets from the internet.
If it is just a router and does not firewalling then it should forward all packets and just do a network address translation from the subnet of your ISP to the subnet defined for the output of your ISP’s router and then IPFire and PFSense would only need the required port forwards.

If I understand correctly none of the systems on the lan side of your PFSense system should be accessible from the internet so then no port forwarding is required on it and only on IPFire.


I’m guessing you planning to use ISP router DMZ to new router.

Ipfire should be able to connect to your ISP directly. From my understanding.

I guess you are right. But I want a physical device to connect my ISP, not a VM since PFSense is already a VM. If I can install IPFire in a cheap router, it will be a great solution for me.