DMZ with RED and Green Zone

Hello, my English is very bad!!!
I hope someone can help me or give me a few tips.
I have a FritzBox at home that runs DHCP. On this network is my server with Proxmox; I want to create a DMZ on the server with two firewalls. The DMZ should have about 6 clients. In the DMZ there is a DNS server that is supposed to communicate within the subnet, so port 53 for DNS and actually 80 and 443 for HTTP and HTTPS. I have already tried several variations.
IPFire with RED and Green zones: RED was my DMZ and Green was my LAN, but despite routing and rules I had no access to the Internet from the DMZ into the Green zone.
I then tried IPFire with three zones, i.e. RED, Green and Orange. Orange was my DMZ and Green my LAN. Again no communication from the DMZ to the LAN. Thank you for your help.

[Diagram: LAN with Internet / IPFire (Orange) / Fritzbox (Internet & DNS)]

Maybe you could draw a diagram using

If IPFire is a physical box with 4 NICs, you can have fritz → ipfire → green (proxmox), orange (dmz), blue (wl).

If IPFire is a VM within Proxmox, you can configure br0, br1, … as you wish. - Network topologies and access methods explains the communication between interfaces.


What exactly I am trying to do:
Green is my network; you can access the Internet via the Fritz.
Red is the DMZ, with the IP
In the DMZ I created a client (Debian); this client will eventually become my DNS server. I can get from Green to Red via SSH without any problems. Now I would like to give the new client in the DMZ Internet access, i.e. 80 and 443. But nothing works!!
I have already created some rules with the Fire, but no Internet is possible on the client in the DMZ. I'm still new to the Fire!
I already thought about using the Fire as RED, Orange, Green, but then I wouldn't need Red because I have Internet in Green.

Hi @sascha

Welcome to the IPFire Community.

Your diagram seems to be using colours in a completely different way to how they are used with IPFire, and that may be causing a lot of confusion.

The normal way of operation is for the Internet connection to come into IPFire on the red interface. Then your internal lan would be on the Green interface and your DMZ would be on the Orange Interface.

In your diagram, on the first IPFire box, which you have named IPFireRed, which IPFire interfaces do you have Karte:net0 and Karte:net1 (NIC net0 and net1) connected to: Red, Green or Orange? The same for the second IPFire box, which you have named IPFire3 Green.

Your setup has three routers/firewalls in series. The Fritzbox, followed by IPFireRed and then IPfireGreen. This gives you a Triple NAT’d situation which means you have to have Firewall rules in all three systems that are aligned.

What is the purpose behind making such a complicated setup?

I have an exam in 5 months and this is my project: a virtual DMZ on my server. The colours don't really play that big a role.
The fact is: I have an existing, functioning network.

[Diagram: LAN with Internet / IPFire (Green) / IPFire (RED) or (Orange) / Fritzbox (Internet & DNS)]

And in this network there should be a DMZ with clients that can do, and are only allowed to do, what I specify.
But somehow it doesn't really work with Red / Green; I can get into the DMZ but not out!!! This is actually my main problem. I haven't really done much with IPFire yet.

From the info you provided it looks like you have IPFireRed connected the wrong way round.

Your IPFireRed machine should have its Red interface connected to Its Green interface should be connected to

Your IPFireGreen machine should have its Red interface connected to and its Green interface connected to

This will allow clients in the right hand LAN to connect to the DMZ and the Internet. Clients in the DMZ will be able to connect to the Internet but not to the right hand LAN unless you set up Port Forward rules in IPFireGreen.

Your server will be able to connect to the Internet but will not connect to the DMZ or the right hand LAN. You need Port Forward rules in the IPFireRed machine to access the DMZ and in IPFireGreen to connect to the right hand LAN.

The Wiki Firewall info will provide you with what/how you need to set up.


Here is an example of a typical network:


My best guess is that there’s a lack of or misconfiguration of network routes somewhere in the DMZ.

I'm having difficulties digesting what needs to happen, but to help you diagnose problems, here is a requirements list for successfully loading websites, AKA working Internet:

  1. Successful DNS resolution. Can be checked using Windows nslookup or Linux dig commands.

  2. Working network routes that lead to the Internet, AKA appropriate setting of the default route and specifying the correct network interface. Can be checked using the Windows/Linux "ping" command, and it generally is a good idea to be pinging DNS servers like and
    If you are getting responses using ping, then the culprit is clearly DNS.

  3. Verifying that your physical/virtual network interfaces are working and properly configured. Can also be checked using ping, and additional checks can be performed using ifconfig/ipconfig.

Good luck!

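The checklist above boils down to "does every box on the path have a route for the packet, and for the reply?". The following is an added example (not code from the thread, IPFire or Proxmox) that walks a destination hop by hop through constructed `ip route` style tables, using the kernel's longest-prefix rule at each node. The topology and all addresses are assumptions for a lab that mirrors the thread's layout (Fritzbox upstream, an IPFire with red0/green0/orange0, a client in the orange DMZ) and NAT is assumed to be off, as it is when the firewall is disabled, so the return path needs its own route. The node names, `parse_routes`, `lookup` and `trace` are all hypothetical helpers written for this illustration.

```python
"""Hop-by-hop route walk over constructed `ip route`-style tables (added example).

Assumed lab addresses (not the thread's real ones):
  Fritzbox LAN   192.168.178.0/24, Fritzbox at .1, IPFire red0 at .2
  IPFire green0  192.168.1.1/24 (LAN)
  IPFire orange0 192.168.2.1/24 (DMZ), DMZ client at .10
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address
Route = Tuple[IPv4Net, Optional[IPv4Addr], str]  # (prefix, gateway or None if on-link, device)


def parse_routes(text: str) -> List[Route]:
    """Parse lines like 'default via 192.168.178.1 dev red0' or '192.168.2.0/24 dev orange0'."""
    routes: List[Route] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        gateway: Optional[IPv4Addr] = None
        device = ""
        for i, tok in enumerate(parts):
            if tok == "via":
                gateway = ipaddress.ip_address(parts[i + 1])
            elif tok == "dev":
                device = parts[i + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), gateway, device))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same selection the kernel makes."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in routes:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def trace(tables: Dict[str, List[Route]], owners: Dict[str, str],
          start: str, dst: str, max_hops: int = 8) -> Tuple[List[str], str]:
    """Follow dst from node `start`; `owners` maps an address to the node holding it.
    Returns (path of node names, verdict)."""
    path, node = [start], start
    for _ in range(max_hops):
        if owners.get(dst) == node:
            return path, "delivered"
        route = lookup(tables[node], dst)
        if route is None:
            return path, f"no route at {node}"
        _net, gateway, device = route
        if gateway is None:  # on-link: the destination must be attached to this device
            target = owners.get(dst)
            if target is None:
                return path, f"on-link via {device} at {node}, host not present"
            return path + [target], "delivered"
        nxt = owners.get(str(gateway))
        if nxt is None:
            return path, f"gateway {gateway} unreachable at {node} on {device}"
        node = nxt
        path.append(node)
    return path, "hop limit exceeded (routing loop?)"


# Constructed tables for the hypothetical lab above.
TABLES: Dict[str, List[Route]] = {
    "dmz_client": parse_routes("""
        default via 192.168.2.1 dev eth0
        192.168.2.0/24 dev eth0 proto kernel
    """),
    "ipfire": parse_routes("""
        default via 192.168.178.1 dev red0
        192.168.178.0/24 dev red0 proto kernel
        192.168.1.0/24 dev green0 proto kernel
        192.168.2.0/24 dev orange0 proto kernel
    """),
    "fritzbox": parse_routes("""
        default via 203.0.113.1 dev wan
        192.168.178.0/24 dev lan proto kernel
    """),
    "internet": [],  # upstream; anything it owns counts as delivered
}
OWNERS: Dict[str, str] = {
    "192.168.2.10": "dmz_client",
    "192.168.2.1": "ipfire", "192.168.1.1": "ipfire", "192.168.178.2": "ipfire",
    "192.168.178.1": "fritzbox",
    "203.0.113.1": "internet", "1.1.1.1": "internet",
}


def outbound() -> Tuple[List[str], str]:
    """DMZ client -> public DNS server: every hop has a default route, so it arrives."""
    return trace(TABLES, OWNERS, "dmz_client", "1.1.1.1")


def reply_without_return_route() -> Tuple[List[str], str]:
    """Fritzbox answering the DMZ client: no route for 192.168.2.0/24, so the reply
    follows the default route upstream and is lost."""
    return trace(TABLES, OWNERS, "fritzbox", "192.168.2.10")


def reply_with_return_route() -> Tuple[List[str], str]:
    """Same reply after adding a static route on the Fritzbox pointing at IPFire's red0."""
    fixed = dict(TABLES)
    fixed["fritzbox"] = TABLES["fritzbox"] + parse_routes(
        "192.168.2.0/24 via 192.168.178.2 dev lan")
    return trace(fixed, OWNERS, "fritzbox", "192.168.2.10")


if __name__ == "__main__":
    for name, fn in [("outbound", outbound), ("reply, no return route", reply_without_return_route),
                     ("reply, with return route", reply_with_return_route)]:
        print(f"{name}: {fn()}")
```

The point of tracing both directions is that a one-way ping failure usually means the *reply* has nowhere to go, not the request; with masquerading enabled on IPFire the Fritzbox only ever sees red0's address and the extra static route is unnecessary. The "Redirect Host (New nexthop: …)" ICMP message mentioned later in the thread is the related symptom: the gateway you sent the packet to forwarded it back out the same interface to a better next hop on that subnet, which is a sign that the sending host's own route for that destination points at the wrong gateway.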

Sorry that I couldn't get in touch for so long, and thank you for the many answers and help. I have now changed my network plan and left the IPFire open for the first time.
As you can see on the new map, I've created three zones and four subnets.
I sit in zone as an admin, have Internet access and can ping everything. I use an Asus router as the gateway.
The firewall is of course switched off. I have created routes in all networks and can also ping everything and jump to the clients via SSH.
There is an intermediate network between my Asus router's WAN and the server in the neighboring house.
Gateway on the server:
Gateway on the Asus router WAN
On the server, the second NIC is the gateway to the Red Zone: and Internet with DNS is provided by the Fritzbox with
In the server (Proxmox) there is the DMZ with the IP and of course the IPFire.
IPFire has three interfaces:
Server input (RedZone)
Server output (GreenZone1)
Now to my problem:
When I jump into the DMZ on client 3 via SSH and ping, nothing happens, no ping. I can ping 2.6 from . If I ping the 3.1 from , then I get:
From icmp_seq=1 Redirect Host(New nexthop:
If I virtually attach a client in the to test, then I can ping everything in all directions. Something seems to be wrong with the firewall between Red and Green.
Route IPFire:
  via dev orange0 proto static
  via dev red0 proto static
  via dev green0 proto static
  via dev green0 proto static
Route Asus (Network / Subnet / Gateway):
  via > LAN
  via > WAN
  via > WAN
Fritzbox:
  via
  via
  via


Sorry for the super late reply on this; real life sure is a pain in the arse lol.
For starters, I'm not sure why you're trying to reach Green from Red when it isn't really designed that way and, tbh, that's a big security issue right there.

Same goes for DMZs: DMZs weren't designed to be able to reach the internal network but are designed to be a zone specially made for services accessible from the public Internet. Likewise, DMZs can be purposed to be accessible from the machines within the Green zone, but vice versa is not supposed to be allowed.

Lastly, I'm not quite sure I follow when you say "client 3", since that's not marked in your network diagram, so I'm afraid to say I'm having difficulty analyzing that part of the problem.

Hey Sascha,

Did you solve the problem? I have the same issue!

Perhaps you should read this.
