Feature request: Allow Orange to be used as a 3rd network (not a DMZ)

There is no problem with using dhcp in the DMZ.
I do that myself.
However the dhcp is supplied by a dhcp server running on a Raspberry PI and it only supplies leases to the Orange zone.
If a security bug is found in the dhcp software then any person with access to the Orange zone can only compromise the dhcp server in the orange zone and not the one inside IPFire that supports and accesses the green and blue networks.

Once you make it an option then there will be people who turn it on without understanding the security implications and often once those sort of options are turned on they never get turned off again because people forget about it.

The IPFire core developers made a security policy decision that the Orange Zone (DMZ) would be able to access the least parts of the network possible and that included that the IPFire dhcp and dns services would be blocked from access by any machines in the Orange Zone.

1 Like

Michael responded to my bug report (feature request):

Using the ORANGE network for this is not a good idea. It is designed as a DMZ and there are many places throughout the entire system where things have been coded that way.

I agree with those goals, but repurposing ORANGE is not the right way.

If we are talking about adding the option to add more network zones that follow the “GREEN” schema, then I am not against that at all. However, the development team has made the decision to rewrite the entire network stack and release that with IPFire 3. The legacy code that IPFire 2 uses would make this a lot of work.

I will close this with CANTFIX because we don’t have an option for “Will do this later”.

If you’re reading this, thank you for responding in detail Michael!

2 Likes

So, can please anyone think of a way to solve this problem in a bespoke way ?

  • Require a DHCP server for Orange.
  • Do not wish to run another computer (or a VM on IPFire) to achieve this.
  • Avoid unique changes to IPFire which would cause the WUI to break the configuration.

If I try to use IPFire to do this, I can’t seem to meet the third requirement.

ISC dhcpcd is simple to configure, it seems likely that the IPFire WUI would overwrite my 3rd zone and remove it.
Adding firewall rules using the WUI for DHCP (from the IPFire IP in Orange) didn’t seem as elegant as I had hoped. I can’t use the DHCPINPUT and DHCPOUTPUT chains, but would have to set up my own “services” in the WUI.

Don’t use ORANGE segment… period. Not suitable for your use.
Evaluate which suits best between BLUE and GREEN.

1 Like

How is using the ORANGE network any worse than using the modem/router supplied by my ISP to access the internet?

The ORANGE network does not allow incoming connections from the Internet (by default) and it provides NAT’ed internet access for clients. IPFire even has other hardening on ORANGE, like the Intrusion Prevention System which my ISP’s modem/router doesn’t!

I want to isolate devices which I don’t completely trust from those which I do. These devices cannot be in GREEN or BLUE to be isolated, however they require basic internet access. ORANGE is ideal for this use case and I’m yet to read any reason in this thread or the documentation why this isn’t the case. Please let me know what I’m missing.

PS: I’m not using ORANGE for any other purpose. It has never been set up as a DMZ on my system as I mentioned earlier in this thread.

IMVHO DMZ/ORANGE is not suitable for your needs.

Into DMZ you put services/servers/devices that are under your control, that you’re aware might (or might not!) become unsafe/compromised so you define strict traffic control policies Orange ↔ green and Orange ↔ Red. Or refining the thing… DMZ<-> inner LAN and DMZ ↔ Internet.

Your desire neither fit guest network (which currently is not available in IpFire) because these devices are not arriving and leaving, but simply will stay there with some additional access control rules.

IMO the most fitting role is Blue, with a specifict subnet and separate rules for define network traffic.
Blue by default can’t access Green, with some rules you can have more controlled internet access from hosts of that subnet.
Still do not fit your desires, however it’s viable without modifing Ipfire behaviours, only adding more firewall rules.
Orange, currently, it’s not.

1 Like

From developers view I can say that is really not good to misuse the IPFire networks.

IPFire is designed ( as its predecessor IPCop ) with 4 networks:

  • RED … the whole internet outside
  • GREEN … the local network connected by controllable wires
  • BLUE … a further local network, connected by wireless standards; a wireless connection is less under control of the central device ( wireless protocols vs. wires with dedicated plug sockets )
  • ORANGE … a network located locally which can be accessed from outside ( connection is established by a device in the RED network )

This basic design is part of the implementation of the IPFire device. The attributes of the networks are not defined inside the software, but ‘inside the brains’ of the devs.
For IPFire 3 a new network design is planned. This includes defintion of attributes inside the software. With this is possible to define a 3rd local network as suggest by the thread opener.
For the release of IPFire3 to become true in the near future, it would be counterproductive to invest time in change of ORANGE into an universal 3rd LAN.

3 Likes

AFAIK GREEN, BLUE, ORANGE and RED are zones, not networks.

IPfire 3 has no release date, alpha, beta or anything published yet, except for goals, wishes, “this has been done”.
It’s worse than Beckett’s Godot, because the text is not available.

How do you differentiate between ‘zones’ and ‘networks’?

Everone with some skills in software design is invited to contribute to the IPFire3 project. This is better than pointing to missing features of a DWIM machine.

It will help also, if some real ‘work horses’ join the active members. :wink:

4 Likes

You can put more network connections in one zone, but not the other way around.
Network connections currently are network cards and vLAN.

You can put more than one network interfaces (virtal or physical) in a zone but all of them are in the same bridged network. So networks and zones are the same. We have it named zone to not confuse network which mean it als layer2 network and network interface (nic).

2 Likes

I am also using the DMZ as a 4th network. However, a little different. I am using it for internet facing servers in the DMZ, and also for my guest traffic from the WLC controller. It is sending guest data out to the DMZ and the controller is handling dhcp. I am using orange as both dmz and guest in this configuration, but, it would be nice to get the benefits described here as well as the proxy server and update proxy. - ie a check box to turn (proxy, dhcp, dns, update proxy) for orange.

@jacob1980 , welcome to our project.

I think we have discussed the reasons for the actual state enough.

A separate net for guests etc. should be build using equipment in the green or (better) the blue network. It is possible to establish a sub network and filter the devices in the associated router/AP. IMO

2 Likes