There is no problem with using dhcp in the DMZ.
I do that myself.
However the dhcp is supplied by a dhcp server running on a Raspberry PI and it only supplies leases to the Orange zone.
If a security bug is found in the dhcp software then any person with access to the Orange zone can only compromise the dhcp server in the orange zone and not the one inside IPFire that supports and accesses the green and blue networks.
Once you make it an option then there will be people who turn it on without understanding the security implications and often once those sort of options are turned on they never get turned off again because people forget about it.
The IPFire core developers made a security policy decision that the Orange Zone (DMZ) would be able to access the least parts of the network possible and that included that the IPFire dhcp and dns services would be blocked from access by any machines in the Orange Zone.
Using the ORANGE network for this is not a good idea. It is designed as a DMZ and there are many places throughout the entire system where things have been coded that way.
I agree with those goals, but repurposing ORANGE is not the right way.
If we are talking about adding the option to add more network zones that follow the āGREENā schema, then I am not against that at all. However, the development team has made the decision to rewrite the entire network stack and release that with IPFire 3. The legacy code that IPFire 2 uses would make this a lot of work.
I will close this with CANTFIX because we donāt have an option for āWill do this laterā.
If youāre reading this, thank you for responding in detail Michael!
So, can please anyone think of a way to solve this problem in a bespoke way ?
Require a DHCP server for Orange.
Do not wish to run another computer (or a VM on IPFire) to achieve this.
Avoid unique changes to IPFire which would cause the WUI to break the configuration.
If I try to use IPFire to do this, I canāt seem to meet the third requirement.
ISC dhcpcd is simple to configure, it seems likely that the IPFire WUI would overwrite my 3rd zone and remove it.
Adding firewall rules using the WUI for DHCP (from the IPFire IP in Orange) didnāt seem as elegant as I had hoped. I canāt use the DHCPINPUT and DHCPOUTPUT chains, but would have to set up my own āservicesā in the WUI.
How is using the ORANGE network any worse than using the modem/router supplied by my ISP to access the internet?
The ORANGE network does not allow incoming connections from the Internet (by default) and it provides NATāed internet access for clients. IPFire even has other hardening on ORANGE, like the Intrusion Prevention System which my ISPās modem/router doesnāt!
I want to isolate devices which I donāt completely trust from those which I do. These devices cannot be in GREEN or BLUE to be isolated, however they require basic internet access. ORANGE is ideal for this use case and Iām yet to read any reason in this thread or the documentation why this isnāt the case. Please let me know what Iām missing.
PS: Iām not using ORANGE for any other purpose. It has never been set up as a DMZ on my system as I mentioned earlier in this thread.
Into DMZ you put services/servers/devices that are under your control, that youāre aware might (or might not!) become unsafe/compromised so you define strict traffic control policies Orange ā green and Orange ā Red. Or refining the thingā¦ DMZ<-> inner LAN and DMZ ā Internet.
Your desire neither fit guest network (which currently is not available in IpFire) because these devices are not arriving and leaving, but simply will stay there with some additional access control rules.
IMO the most fitting role is Blue, with a specifict subnet and separate rules for define network traffic.
Blue by default canāt access Green, with some rules you can have more controlled internet access from hosts of that subnet.
Still do not fit your desires, however itās viable without modifing Ipfire behaviours, only adding more firewall rules.
Orange, currently, itās not.
From developers view I can say that is really not good to misuse the IPFire networks.
IPFire is designed ( as its predecessor IPCop ) with 4 networks:
RED ā¦ the whole internet outside
GREEN ā¦ the local network connected by controllable wires
BLUE ā¦ a further local network, connected by wireless standards; a wireless connection is less under control of the central device ( wireless protocols vs. wires with dedicated plug sockets )
ORANGE ā¦ a network located locally which can be accessed from outside ( connection is established by a device in the RED network )
This basic design is part of the implementation of the IPFire device. The attributes of the networks are not defined inside the software, but āinside the brainsā of the devs.
For IPFire 3 a new network design is planned. This includes defintion of attributes inside the software. With this is possible to define a 3rd local network as suggest by the thread opener.
For the release of IPFire3 to become true in the near future, it would be counterproductive to invest time in change of ORANGE into an universal 3rd LAN.
AFAIK GREEN, BLUE, ORANGE and RED are zones, not networks.
IPfire 3 has no release date, alpha, beta or anything published yet, except for goals, wishes, āthis has been doneā.
Itās worse than Beckettās Godot, because the text is not available.
How do you differentiate between āzonesā and ānetworksā?
Everone with some skills in software design is invited to contribute to the IPFire3 project. This is better than pointing to missing features of a DWIM machine.
It will help also, if some real āwork horsesā join the active members.
You can put more than one network interfaces (virtal or physical) in a zone but all of them are in the same bridged network. So networks and zones are the same. We have it named zone to not confuse network which mean it als layer2 network and network interface (nic).
I am also using the DMZ as a 4th network. However, a little different. I am using it for internet facing servers in the DMZ, and also for my guest traffic from the WLC controller. It is sending guest data out to the DMZ and the controller is handling dhcp. I am using orange as both dmz and guest in this configuration, but, it would be nice to get the benefits described here as well as the proxy server and update proxy. - ie a check box to turn (proxy, dhcp, dns, update proxy) for orange.
I think we have discussed the reasons for the actual state enough.
A separate net for guests etc. should be build using equipment in the green or (better) the blue network. It is possible to establish a sub network and filter the devices in the associated router/AP. IMO