Does this exist in IPFire?

Hi Michael,
I hope you are well. My name is Sean, and I am new to IPFire. I have used Smoothwall since its early years. Recently, I have been testing IPFire as a possible replacement for Smoothwall (SWE). The testing has gone well so far, but I do have one question. In Smoothwall, you can add alias IPs when you install a “Full Firewall Control” module. When you add the alias IPs, there is also a field called “Map from IP address”. So whenever that Alias is used in a rule to the internal LAN address of the system you specified on the “Map from IP address”, it will show the public IP as the alias IP remotely (not the default red IP). In IPFire, the only way I see to do this is to create 2 rules. One DNAT rule to access the system, and another SNAT rule to change the source IP to the alias.

The difference I have found here lies in the following scenario:

We may open an SSH port to an internal system for a client using the default red IP, with a unique port externally. For example port 55522 externally, forwarded to port 22 internally. When you access the internal system this way, you see the red IP remotely as the public IP being used. If the client needs a public IP assigned, you create an alias with the “Map from IP address” to the LAN address of the internal system. Then, when you create the rule from the alias to the internal system (port 22 externally to port 22 internally), you see the alias IP remotely as the public IP being used. However, the difference is that you can still connect via the 55522 port and it shows the default red as the public. With the way IPFire does it, the SNAT rule forces all connections from the internal systems to be the alias IP, regardless of which public IP you used to connect to the system.

Thanks,
Sean

Hello Sean,

Welcome. I have made your PM a public post because this question might be interesting for more people.

This is possible in IPFire with a standard Port Forwarding rule with just a different external port.

What is the use-case for this?

I am sure you can do the same by creating a second SNAT rule to NAT everything to the firewall’s addresses, but I would regard this as bad network design. There is no apparent need for this.

If you want to connect to the public alias IP address from an internal network on port 22, you would have to create a second DNAT rule as the first one (using port 55522) would not match.

As in, the SNAT rule matches even though you are coming back to the internal system? That is pretty much how this is designed. You can of course use a separate destination network to make the rule more conditional.

Why would you even go to the firewall and back when you want to connect to an internal host? This would not really scale.

-Michael


Just a thought about this. Smoothwall uses the iptables framework as does IPFire.
So, how are the functionalities described realised in SWE? This may give a hint for the realisation in IPFire.

Thanks for the welcome! I am enjoying learning more about using IPFire. While it has several similarities to Smoothwall, it is more robust and much more up to date.

I just did more testing on my Smoothwall, and I was incorrect about how the SNAT rule is working. When you specify the internal host IP on the “Map from IP address” field, it creates the SNAT rule for you in iptables (you never see it in the GUI). It DOES in fact make all traffic outbound from the host show that it is coming from the alias IP (no matter which IP you use to connect to it). So, the SNAT rule in IPFire is doing the same thing Smoothwall is doing. The only difference is the convenience in the ability to map an alias to a host, and it will internally create the SNAT rule for you. It doesn’t show the SNAT rule in the GUI, but I can see it in iptables.

So, in IPFire, you would create 2 rules (DNAT to the host, then SNAT to set the source IP to the alias). The alias needs the SNAT rule for things like mail servers and other pieces of software where it matters that the public IP matches for incoming and outgoing traffic, when using an alias.

Yes. That sounds correct.
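The two-rule setup the thread arrives at (a DNAT rule for the alias address plus an SNAT rule that rewrites the host's outbound source), written out as the iptables commands the GUI ends up generating. This is an added example, not code from IPFire or Smoothwall; the interface name red0, the addresses and the ports are assumptions, and the script only prints the rules unless it is run as root with --apply.

```shell
#!/bin/sh
# Added example (not IPFire's or Smoothwall's own code): the iptables rules
# that reproduce Smoothwall's "Map from IP address" alias on an iptables
# firewall. Interface name, addresses and ports below are assumptions.

RED_IF="${RED_IF:-red0}"                 # assumed: IPFire's red (WAN) interface
RED_IP="${RED_IP:-203.0.113.1}"          # constructed: default red address
ALIAS_IP="${ALIAS_IP:-203.0.113.10}"     # constructed: public alias address
HOST_IP="${HOST_IP:-192.168.1.20}"       # constructed: internal SSH host

# DNAT: a port on one of our public addresses is forwarded to the host.
#   $1 public address   $2 external port   $3 internal port
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$RED_IF" "$1" "$2" "$HOST_IP" "$3"
}

# SNAT: connections the host opens out through red (for example a mail
# server delivering SMTP) leave with the alias as their source address.
# Matching on -o red0 keeps traffic that stays on the internal side
# (green to green, including hairpins) out of the rule.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$RED_IF" "$HOST_IP" "$ALIAS_IP"
}

# Allow the forwarded packets through the FORWARD chain.
#   $1 internal port
forward_rule() {
    printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$RED_IF" "$HOST_IP" "$1"
}

# The full rule set for the scenario in the thread: red IP port 55522 -> host
# port 22, alias port 22 -> host port 22, and the host's outbound source
# rewritten to the alias. Replies to the forwarded connections are reversed
# by conntrack, so they already leave from the address the client used.
alias_ruleset() {
    dnat_rule "$RED_IP" 55522 22
    dnat_rule "$ALIAS_IP" 22 22
    forward_rule 22
    snat_rule
}

# Number of rules the set produces (a cheap sanity check on the generator).
rule_count() { alias_ruleset | wc -l | tr -d ' '; }

# Without --apply, only print the rules. With --apply, execute them (needs root).
if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply rules" >&2; exit 1; }
    alias_ruleset | sh -e
else
    alias_ruleset
fi
```

Run it without arguments to review the four rules, then with --apply on the firewall itself to install them. Because the SNAT rule matches on the outgoing interface rather than on destination addresses, it changes only what leaves through red; if you need it narrower still, add a destination condition as suggested earlier in the thread.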
