DMZ with RED and Green Zone

Hello, my English is very bad!!!
I hope someone can help me or give me a few tips.
I have a FritzBox at home that runs DHCP for 192.168.1.0/24; in this network is my server with Proxmox at 192.168.1.100. I want to create a DMZ on the server with two firewalls. The DMZ should be 10.0.0.0/29, so 6 clients. In the DMZ there is a DNS server that is supposed to communicate with the subnet 192.168.1.0. So port 53 for DNS and actually 80 and 443 for HTTP and HTTPS. I have already tried several variations.
IPFire with RED and Green zones: in RED was my DMZ and Green was my LAN, but despite routing and rules I had no access from the DMZ to the Internet in the Green zone 192.168.1.0.
I then tried IPFire with three zones, i.e. RED, Green and Orange. Orange was my DMZ and Green the LAN. Again no communication from the DMZ to the LAN. Thank you for your help.

FritzBox 192.168.1.1
Server 192.168.1.100
LAN with Internet 192.168.1.0/24
DMZ 10.0.0.0/29
NewDNS 10.0.0.3/29

Gateways:
IPFire 192.168.1.200(Green)
IPFire 10.0.0.1 (RED) or (Orange)
Fritzbox 192.168.1.1 (Internet & DNS)

Maybe you could draw a diagram using http://draw.io/

If IPFire is a physical box with 4 NICs, you can have fritz → ipfire → green (proxmox), orange (dmz), blue (wl)

If IPFire is a VM within Proxmox, you can configure br0, br1, … as you wish.

wiki.ipfire.org - Network topologies and access methods explains the communication between interfaces.


What exactly I am going to do:
Green is my 192.168.1.0 network; you can access the Internet via 192.168.1.1 on the Fritz.
Red is the DMZ, with the IP range 10.0.0.0/29.
In the DMZ I created a client (Debian); this client will eventually become my DNS server. I can get from Green to Red via SSH without any problems. Now I would like to give the new client in the DMZ Internet access, i.e. ports 80 and 443. But nothing works!!
I have already created some rules in the Fire, but no Internet is possible on the client in the DMZ. I’m still new to the Fire!
I already thought about using the Fire as RED, Orange, Green, but then I wouldn’t need Red because I have Internet in Green.

Hi @sascha

Welcome to the IPFire Community.

Your diagram seems to be using colours in a completely different way to how they are used with IPFire, and that may be causing a lot of confusion.

The normal way of operation is for the Internet connection to come into IPFire on the red interface. Then your internal lan would be on the Green interface and your DMZ would be on the Orange Interface.

In your diagram, on the first IPFire box, which you have named IPFireRed, which IPFire interfaces do you have Karte:net0 and Karte:net1 connected to? Red, Green or Orange? The same for the second IPFire box, which you have named IPFire3 Green.

Your setup has three routers/firewalls in series. The Fritzbox, followed by IPFireRed and then IPfireGreen. This gives you a Triple NAT’d situation which means you have to have Firewall rules in all three systems that are aligned.

What is the purpose behind making such a complicated setup?

OK!!
I have an exam in 5 months and this is my project: a virtual DMZ on my server. The colors don’t really play that big a role.
The fact is: I have an existing, functioning network.

FritzBox 192.168.1.1
Server 192.168.1.100
LAN with Internet 192.168.1.0/24
DMZ 10.0.0.0/29
NewDNS 10.0.0.3/29

Gateways:
IPFire 192.168.1.200 (Green)
IPFire 10.0.0.1 (RED) or (Orange)
Fritzbox 192.168.1.1 (Internet & DNS)

And in this network there should be a DMZ with clients who can and are only allowed to do what I specify.
But somehow it doesn’t really work with Red / Green: I can get into the DMZ but not get out!!! This is actually my main problem. I haven’t really done much with IPFire yet.

From the info you provided it looks like you have IPFireRed connected the wrong way round.

Your IPFireRed machine should have its Red interface connected to 192.168.1.200. Its Green interface should be connected to 10.0.0.1.

Your IPFireGreen machine should have its Red interface connected to 10.0.0.5 and its Green interface connected to 192.168.2.1.

This will allow clients in the right-hand LAN to connect to the DMZ and the Internet. Clients in the DMZ will be able to connect to the Internet but not to the right-hand LAN unless you set up Port Forward rules in IPFireGreen.

Your server 192.168.1.100 will be able to connect to the Internet but will not connect to the DMZ or the right-hand LAN. You need Port Forward rules in the IPFireRed machine to access the DMZ and in IPFireGreen to connect to the right-hand LAN.

The Wiki Firewall info will provide you with what/how you need to setup.
https://wiki.ipfire.org/configuration/firewall


Here is an example of a typical network:


My best guess is that there’s a lack of or misconfiguration of network routes somewhere in the DMZ.

I’m having difficulties digesting what needs to happen, but to help you diagnose problems, I’m giving you a requirements list to successfully load websites, AKA working Internet:

  1. Successful DNS resolution. Can be checked using Windows nslookup or Linux dig commands.

  2. Working network routes that lead to the Internet, AKA an appropriate default/0.0.0.0 route pointing at the correct network interface. Can be checked using the Windows/Linux “ping” command, and it generally is a good idea to be pinging DNS servers like 8.8.8.8 and 1.1.1.1.
    If you are getting responses using ping, then the culprit is clearly DNS.

  3. Verifying that your physical/virtual network interfaces are working and properly configured. Can also be checked using ping and additional checks can be performed using ifconfig/ipconfig.

Good luck!


Sorry that I couldn’t get in touch for so long, and thank you for the many answers and help. I have now changed my network plan and left the IPFire open for the first time.
As you can see on the new map, I’ve created three zones and four subnets:
Green1: 192.168.3.0/24
Green2: 192.168.2.0/29
Red: 192.168.1.0/24
DMZ: 10.0.0.0/29
I sit in zone 192.168.3.0 as an admin, have internet access and can ping everything. I use an Asus router as the gateway.
GatewayLan: 192.168.3.1/24
GatewayWan: 192.168.2.6/29
The firewall is of course switched off. I have created routes in all networks and can also ping everything and jump to the clients via SSH.
There is an intermediate network between my Asus router WAN and the server in the neighboring house:
192.168.2.0/29
Gateway on the server: 192.168.2.1
Gateway on the Asus router WAN 192.168.2.6
On the server, the second NIC is the gateway to the Red zone: 192.168.1.101/24, and Internet with DNS is provided by the Fritzbox at 192.168.1.1/24.
In the server (Proxmox) there is the DMZ with the IP range 10.0.0.0/29 and of course the IPFire.
IPFire has three interfaces:
Server input 192.168.1.101 (RedZone)
Server output 192.168.2.1 (GreenZone1)
DMZ 10.0.0.1.
Now to my problem:
When I jump into the DMZ on client 3 via SSH and ping 192.168.2.6, nothing happens, no ping. I can ping 2.6 from 192.168.2.100. If I ping 3.1 from 192.168.1.100, then I get:
From 192.168.1.1: icmp_seq=1 Redirect Host(New nexthop: 192.168.1.101)
If I hang a client virtually in 192.168.2.0/29 to test, then I can ping everything in all directions. Something seems to be wrong with the firewall between Red and Green.
Route IPFire:
10.0.0.0/29 via 10.0.0.1 dev orange0 proto static
192.168.1.0/24 via 192.168.1.101 dev red0 proto static
192.168.2.0/29 via 192.168.2.1 dev green0 proto static
192.168.3.0/24 via 192.168.2.6 dev green0 proto static
Route Asus:
Network Subnet Gateway
192.168.3.0>255.255.255.0 via 192.168.3.1>LAN
192.168.2.0>255.255.255.248 via 192.168.2.6>WAN
0.0.0.0>0.0.0.0 via 192.168.2.1>WAN
Fritzbox:
10.0.0.0 > 255.255.255.248 via 192.168.1.101
192.168.2.0 > 255.255.255.248 via 192.168.1.101
192.168.3.0> 255.255.255.0 via 192.168.1.101
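To check step 2 of the requirements list above (routes) against the tables in this post, here is an added example, not from the poster or the IPFire project, that transcribes the three route tables as constructed data and walks a packet hop by hop with longest-prefix matching. It assumes an IPFire default route via the Fritzbox, a connected 192.168.1.0/24 route on the Fritzbox and a "LAN" interface name for the Fritzbox entries, none of which the post lists.

```python
import ipaddress
# Route tables transcribed from the post above as constructed data: (prefix, next hop,
# interface). A next hop that is the router's own address is how the post lists connected networks.
ROUTES = {
    "ipfire": [("10.0.0.0/29", "10.0.0.1", "orange0"),
               ("192.168.1.0/24", "192.168.1.101", "red0"),
               ("192.168.2.0/29", "192.168.2.1", "green0"),
               ("192.168.3.0/24", "192.168.2.6", "green0"),
               ("0.0.0.0/0", "192.168.1.1", "red0")],  # assumed default route via the Fritzbox
    "asus": [("192.168.3.0/24", "192.168.3.1", "LAN"),
             ("192.168.2.0/29", "192.168.2.6", "WAN"),
             ("0.0.0.0/0", "192.168.2.1", "WAN")],
    "fritzbox": [("10.0.0.0/29", "192.168.1.101", "LAN"),    # post lists no interface;
                 ("192.168.2.0/29", "192.168.1.101", "LAN"),  # "LAN" is assumed
                 ("192.168.3.0/24", "192.168.1.101", "LAN"),
                 ("192.168.1.0/24", "192.168.1.1", "LAN")],   # assumed connected route
}
# Addresses each router owns (from the post); used to recognise connected routes.
OWNED = {"ipfire": {"10.0.0.1", "192.168.1.101", "192.168.2.1"},
         "asus": {"192.168.3.1", "192.168.2.6"},
         "fritzbox": {"192.168.1.1"}}

def lookup(router, dst):
    """Longest-prefix match on one router: (next_hop, iface) or None if no route."""
    best = None
    for prefix, nh, iface in ROUTES[router]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh, iface)
    return None if best is None else best[1:]

def owner(addr):  # which router holds this address, or None if it is not a router
    return next((r for r, addrs in OWNED.items() if addr in addrs), None)

def trace(gateway, dst):
    """Follow a packet from the sender's gateway router; returns (status, routers visited)."""
    router, hops = owner(gateway), []
    while router and router not in hops:
        hops.append(router)
        route = lookup(router, dst)
        if route is None:
            return "no-route", hops
        nh, iface = route
        if nh in OWNED[router]:  # destination network is directly connected here
            return f"delivered via {iface}", hops
        router = owner(nh)
    return ("loop" if router else "no-route"), hops
```

On these tables both 10.0.0.3 → 192.168.2.6 and the reply path resolve, so a silent ping points at the firewall policy between Orange and Green rather than at routing. 192.168.1.100 → 192.168.3.1 resolves through the Fritzbox's route via 192.168.1.101, which is the redirect shown above.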

Hi,

Sorry for the super late reply on this - real life sure is a pain in the arse lol.
For starters, I’m not sure why you’re trying to reach Green from Red when it isn’t really designed that way and, tbh, that’s a big security issue right there.

Same goes for DMZs: DMZs weren’t designed to be able to reach the internal network but are designed to be a zone specially intended for services accessible from the public Internet. Likewise, DMZs can be purposed to be accessible from the machines within the Green zone, but the reverse is not supposed to be allowed.

Lastly, I’m not quite sure I follow when you say “client 3”, since that’s not marked in your network diagram, so I’m afraid to say I’m having difficulty analyzing that part of the problem.