Do I need two independent computers for green and orange? Or a DMZ Pinhole?

Hi all,

my current network topology looks like that:

The Raspberry Pi is supposed to carry a file server, accept scanner jobs, manage a Zigbee network and more. It's the current generation 4B with 8 GB RAM. It is possible to overclock it to 2 GHz at 4 cores (a massive heat spreader is installed).

In IPFire, there is a 4 zone concept. Red is internet, orange is reachable from the web, blue is wifi (is in green for me) and green is the home network.

Now I am wondering: When the Raspberry is working as a workhorse in the home network, is it wise to work with DMZ pinholes to also add a web and mail server, maybe even FTP and other stuff to it that are accessible from RED? (Green is only accessible via a VPN in my current network.) Or would you say it's better to have two independent machines running GREEN and ORANGE separately? Using the DMZ pinhole would allow me to use the Raspberry more efficiently, but I am not sure how great the trade-off in security is.

I recently acquired a new firewall, so the APU will lose its current job. In theory I could use it as a webserver for orange (or as a server for green and use the Raspberry in orange).

What would you recommend?

The way you stated the question I believe is confusing. A pinhole is a way to connect a subsection of your network to another subsection that otherwise would not be accessible. For example, the web server on the orange network could communicate with the Raspberry Pi in the green (e.g. sending logs to it) when normally it would not be allowed to do so by the firewall.

What you are talking about when you mention having a mail server or a web server or an FTP server on the PI accessible from the red interface, it is not simply a pinhole but it means opening that specific network service to the world by doing a destination NAT on its traffic from the firewall to the machine in the green zone, which would be a very bad idea.

Of course you could setup a reverse proxy in the DMZ orange zone, exposed to internet (being the destination of the DNAT of the firewall), and forward the traffic to another server in the PI, in the green zone. That I guess would be a better architecture of the network, but I cannot give any informed opinion on the security of such a layered system. I hope someone more knowledgeable can do that.

A side comment about having a personal mail server, where it is not just the green vs orange issue. It is 100X more difficult than a web server or an FTP server in so many different ways, especially in the security department, due to the constant abuse by spammers. Even if you do everything right (and there are so many moving parts in setting up a mail system that it makes everything else a joke in comparison), you will likely have your server blacklisted by everyone just because it is in a residential IP range. You would need to have a mail provider accepting to forward your mail traffic in order to be able to reach your destination.

Hi,

first, thanks for providing such a detailed description of your setup. That really helps a lot, and I wish we had something like that for similar occasions… :slight_smile:

Just a minor comment for clarification: You will need to create firewall rules (commonly referred to as DMZ pinholes) though, so not every machine located in ORANGE is automatically fully reachable from the internet.

Since all the services (web, mail, FTP, etc.) you intend to provide should be reachable from RED one day, placing the machines offering them in ORANGE is the better choice, so a compromised system cannot mess with your clients in BLUE/GREEN easily. Also, you have better control on the traffic exchanged between the server machine in ORANGE and your internal clients in BLUE/GREEN.

I would recommend against placing another server in GREEN. Should you need a second machine, please place it in ORANGE as well, and set up local firewall rules to stop lateral movement in case one server gets compromised. (IPFire usually cannot inspect traffic within the same network zone, since it does not even reach the interface of the IPFire machine.) A relatively trivial iptables or pf (depending on the operating system you want to run) ruleset should do the trick.

Also, it might be a good idea to restrict logins to SSH and other administrative services to your GREEN/BLUE network, or whatever network those connections will come from. That way, again, a second machine in ORANGE being compromised cannot log in to the other one easily, and neither can clients located in networks where no administrative machine is used.

This is true. Mail servers are different to other servers, and require special attention.

Personally, I run many of them, and prefer to have the mailboxes stored on systems at my (or my family's/friends') homes rather than on some rented server in a data center. To get around the fact of my DSL connection's IP being listed at Spamhaus PBL and others, I use a VPS to relay messages back and forth to the “internal” mail servers, which are only reachable to VPN clients.

That way, one has better control on security and privacy aspects of the mail storage, a “clean”, static IP address with good sending reputation, and a relatively decentralised, restricted setup. :slight_smile:

Just adding this in case some inspiration is needed… :smiley:

Thanks, and best regards,
Peter Müller

2 Likes
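As an added illustration of the local ruleset Peter recommends for a server in ORANGE (this is not his configuration or anything from IPFire itself), the script below emits an iptables-restore ruleset that exposes only the public service ports, allows SSH solely from the GREEN/BLUE ranges, and drops everything else, including traffic from a neighbouring ORANGE host. The subnets and ports are assumed placeholders; adjust them to your own zones.

```shell
#!/bin/sh
# Added example (not from the thread): minimal host firewall for a server in ORANGE,
# written in iptables-restore format. All networks and ports below are assumed values.
ADMIN_NETS="${ADMIN_NETS:-192.168.1.0/24 192.168.2.0/24}"  # GREEN and BLUE (assumed ranges)
PUBLIC_TCP="${PUBLIC_TCP:-80 443}"                           # services meant to be reachable from RED
ADMIN_TCP="${ADMIN_TCP:-22}"                                 # SSH and other administrative ports

# Print one ruleset line; arguments are joined with single spaces.
rule() { printf '%s\n' "$*"; }

# Print the complete ruleset. The DROP policy on INPUT is what stops lateral movement:
# another ORANGE host gets nothing beyond the public ports, which IPFire itself cannot
# enforce because intra-zone traffic never crosses its interface.
gen_rules() {
  rule '*filter'
  rule ':INPUT DROP [0:0]'
  rule ':FORWARD DROP [0:0]'
  rule ':OUTPUT ACCEPT [0:0]'
  rule -A INPUT -i lo -j ACCEPT
  rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  rule -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Public services: reachable from anywhere, so the source is not restricted
  for p in $PUBLIC_TCP; do
    rule -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
  done
  # Administrative ports: only from the networks the admin actually sits in
  for p in $ADMIN_TCP; do
    for n in $ADMIN_NETS; do
      rule -A INPUT -p tcp --dport "$p" -s "$n" -m conntrack --ctstate NEW -j ACCEPT
    done
  done
  rule -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  # Rate-limited log of everything that falls through to the DROP policy
  rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix '"orange-host-drop: "'
  rule 'COMMIT'
}

# Count ACCEPT lines for a port; pass "-s" as the second argument to count only
# those that carry a source restriction (useful as a self-check before loading).
count_open() { gen_rules | grep -c -- "--dport $1 ${2:-}"; }

# Load the ruleset atomically; only meaningful as root on the ORANGE server itself.
apply_rules() { gen_rules | iptables-restore; }

[ "${1:-}" = "apply" ] && apply_rules || gen_rules
```

Run it without arguments to review the generated rules, and with `apply` on the server to load them. The self-check functions make it easy to confirm that every rule opening an administrative port also carries a source restriction.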

Thanks for that. May I ask a question on your setup? How do you do that? Do you use two MTAs like Postfix, one locally and the other one in the VPS? Or do you transfer the mailbox content by other means, like mounting it from the local network to the VPS via the NFS or SMB protocol?

2 Likes

Hi,

yes, that’s basically it. Both MTAs are Postfix, and run an additional smtpd process on a custom high port (say, 10025) to enforce mandatory TLS encryption and a valid SMTP client certificate (sadly, you can’t do this on a public mail server on port 25).

On the VPS, you’ll need these directives in your main.cf configuration file:

# Keep blank, the VPS is not the final destination for any messages
mydestination =

# A list of domains the VPS should handle
relay_domains = $mydomain, yourdomain.com, anotherdomain.org, athirddomain.net

# Relay messages to these domains to your internal MX - the braces are important to suppress MX lookups
relay_transport = [FQDN]:10025

On the local mail server, you’ll need:

# The same list of domains specified in $relay_domains above
virtual_mailbox_domains = $mydomain, yourdomain.com, anotherdomain.org, athirddomain.net

# Relay outgoing messages to the VPS
relayhost = [FQDN]:10025

Please refer to the Postfix documentation, especially this one, for further information. I can provide further details via DM as well, but would back off from doing that here to keep this thread on topic. :slight_smile:

Thanks, and best regards,
Peter Müller

3 Likes
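The two main.cf halves above have to agree with each other: the VPS must not consider itself the final destination, its relay_domains must match the internal server's virtual_mailbox_domains, and both next-hop settings need the bracketed [host]:port form so Postfix connects to the custom port instead of doing an MX lookup. The following script is an added consistency check for that (it is not part of Peter's setup and not a Postfix tool); it parses plain main.cf files with awk, and the sample files it writes use constructed hostnames and domains.

```shell
#!/bin/sh
# Added example (not Peter's configuration): sanity-check the VPS relay and the internal
# mail server main.cf against each other before reloading Postfix. Parameter names are
# the ones used in the post; hosts and domains in the samples are constructed.

# Print the value of a main.cf parameter (last definition wins, as in Postfix).
# Comment and blank lines are skipped; prints an empty line if the key is absent.
cf_get() {
  awk -v key="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (k == key) { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) }
    }
    END { print v }' "$1"
}

# Normalise a comma/space separated domain list to one sorted, space separated line.
norm_list() {
  printf '%s\n' "$1" | tr ', ' '\n\n' | sed '/^$/d' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Compare the VPS side ($1) with the internal side ($2). Returns 0 when consistent;
# otherwise prints each finding and returns 1.
check_relay_pair() {
  vps="$1"; internal="$2"; rc=0
  if [ -n "$(cf_get "$vps" mydestination)" ]; then
    echo "VPS: mydestination must be empty, or the VPS delivers relay domains locally"; rc=1
  fi
  if [ "$(norm_list "$(cf_get "$vps" relay_domains)")" != \
       "$(norm_list "$(cf_get "$internal" virtual_mailbox_domains)")" ]; then
    echo "relay_domains (VPS) and virtual_mailbox_domains (internal) differ"; rc=1
  fi
  for spec in "$(cf_get "$vps" relay_transport)" "$(cf_get "$internal" relayhost)"; do
    case "$spec" in
      \[*\]:[0-9]* | *:\[*\]:[0-9]*) ;;   # bracketed host with explicit port: no MX lookup
      *) echo "next hop '$spec' must look like [host]:port"; rc=1 ;;
    esac
  done
  return $rc
}

# Write constructed sample configs into a directory and print its path.
make_samples() {
  dir="${1:-$(mktemp -d)}"
  cat > "$dir/vps.cf" <<'EOF'
# VPS side: accept the relay domains, hand everything to the internal MX
mydestination =
relay_domains = example.org, example.net
relay_transport = [mx.internal.example.org]:10025
EOF
  cat > "$dir/internal.cf" <<'EOF'
# Internal side: same domain list, outgoing mail goes back through the VPS
virtual_mailbox_domains = example.net, example.org
relayhost = [vps.example.org]:10025
EOF
  # Deliberately inconsistent: a domain is missing and relayhost lacks the brackets
  cat > "$dir/bad_internal.cf" <<'EOF'
virtual_mailbox_domains = example.org
relayhost = vps.example.org
EOF
  printf '%s\n' "$dir"
}

# Usage: run with the two real files, or without arguments to check the samples.
if [ $# -eq 2 ]; then
  check_relay_pair "$1" "$2"
else
  d=$(make_samples)
  check_relay_pair "$d/vps.cf" "$d/internal.cf" && echo "samples: consistent"
fi
```

Point it at the real main.cf copies from both machines (`./check.sh vps-main.cf internal-main.cf`) and it reports each mismatch; the bad_internal.cf sample shows the two most common mistakes, a domain missing on one side and a bare hostname that would trigger an MX lookup on port 25 instead of the custom port.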

@cfusco @pmueller
Thanks for your insights. Currently I am low on time and not able to comment on this. But I read your answers and I will follow up on this during this week.

1 Like

@pmueller
Finally I am able to catch up on that. In the meantime I was experimenting with the Raspberry Pi, because I was going for a non-standard installation. Finally it works as intended.

Well, I think you convinced me in favor of a strict separation. You're right, when one makes a machine reachable from the web, it should be isolated from the private network as tightly as possible. I will place the webserver in orange, and the homeserver in green. I have not yet settled which machine will take on which task. Do you think a 2.6 GHz quadcore for a firewall is overkill? (IPS + VPS)

I am also wondering if it makes sense to place the Fritzbox (my wifi access point) in blue and then manually add pinholes for trusted clients? Currently the Fritzbox is in green and every client that connects to it is automatically in green, if I am correct. Is there an easy way to restrict clients to internet access and prevent them from connecting to other clients in green without using the blue network zone?

For example, I would consider an Ubuntu client as trusted, but maybe an Android phone not so much…

Regarding the mail server: Yes, I was aware that this can be kind of problematic because of spam policies. However, when a VPS is used as a mail server and you use the home server as the final starting and receiving point, then you do not have full control of the messages, right? I am wondering if you still have the problem with the spam policies if you can get a fixed IP from your provider?

If the Fritzbox acting as a WAP can do VLANs, then I would set up two VLANs, one for green and one for blue, each with their own SSID and password. Then you would need to have a managed switch that can send the VLAN packets to the correct location. Set green and blue on IPFire to have the correct VLAN tag and you have wireless for both green and blue, but separated.

I have this on my home network, where I can access green via my laptop, but guests only access blue with a separate password that I give them on a separate SSID.