[Feature Request] multiple green networks

Hey there,

I know, I know, this feature was requested many times before and the developers said that it is too complicated or at least too time consuming and not worth the effort to implement in IPFire 2x but will be part of IPFire 3x. But since IPFire 3x probably won’t be there for quite some time I wanted to repeat the request and (in my humblest opinion) it should not be so difficult.

Thing is, we have a lot of customers, who want to improve their network-setup / internet-security / remote-accessibility etc. and I always really want to recommend IPFire. I really like it because it offers everything you need (plus a lot more), is easy to manage (even for beginners) and has reasonable prices (compared to other distributors). All pretty good aspects to pitch it to customers, who would need a support-contract anyway, so no more reason to not make a contract / subscription with LWL (for support and/or development).

But I always stumble at the point where you need to put different departments (legal, sales, management, etc.) in different networks (mainly for security reasons but also for a better performance) and you do not want an additional device for this.

I checked a few config-files and scripts within IPFire (I’m no programmer, so please no shooting) and basically to “create” additional networks, you would only have to rename every “GREEN…” to “GREEN0…” (simplified) and create “GREEN1…”, “GREEN2…” and so on. Within those networks all the devices are able to see each other, so no need for additional configuration there, copy & paste from “GREEN0” should do it (maybe with the exception that only GREEN0 has access to the WUI, so it’s the “admin-net”). Between the networks, they need to be separated from each other by default but all need access to red, so it’s exactly like it is with blue.

That should be it for the first step, or am I missing something here?

The second and a bit more complicated part would be to assign multiple networks to one interface, because you need to implement trunking as a whole. But the basis for this already is part of IPFire too, or isn’t it?

That’s it and IPFire is a serious and complete competitor for all the needs of 90% of the customers out there.

Would this really be that complicated?

Greetings and a happy new year to all of you! :slight_smile:

Your idea of segmenting your LAN in IPFire by creating multiple GREEN networks like GREEN0, GREEN1, etc., presents severe technical problems that make this extremely difficult in the current IPFire 2.x framework.

First, IPFire 2.x is designed with a single GREEN network in mind. Introducing multiple GREEN networks would require significant alterations to the core architecture and policy enforcement mechanisms.

Second, in your proposed setup, traffic within the same subnet (e.g., GREEN0 to GREEN1) wouldn’t pass through the firewall but would be managed by a switch. This limits IPFire’s ability to control or apply policies to this intra-network traffic. This is unlike the BLUE zone, where traffic is controlled using the WIFI protocol at the access point level, allowing the isolation of each host. This feature is called “Wireless Client Isolation” or “Access Point Isolation”.

Third, to effectively segregate different departments, each would need its own network interface or a VLAN setup, which is not straightforward in the current version of IPFire.

A more feasible approach with IPFire 2.x is to use VPN protocols, like IPSec or OpenVPN (probably easier to setup), to create distinct, manageable networks. This method allows for effective segregation and control within IPFire’s existing capabilities.

Alternatively, you could use a “smart” switch that can operate at the data link level (layer 2) and the network (layer 3) level to segment the network in a more granular way.

4 Likes

I wonder if a smart switch (VLAN??) could do something like this?

(keep in mind my only VLAN knowledge is spelling the word “VLAN”).

1 Like

@jon It seems we share a similar understanding of VLANs (probably yours is better than mine), however, I can speculate.

Given IPFire 2.x’s limitation to distinct zones like GREEN, ORANGE, and BLUE, it’s true that while a smart switch can regulate local traffic using VLANs, IPFire will treat all outbound traffic to the RED interface uniformly. So, in your setup, despite the local segmentation by VLANs, all traffic directed to the RED interface should be considered as coming from a single GREEN subnet by IPFire.

Instead of VLAN, maybe the right device is a managed network switch.

I wonder if they allow a network (GREEN0) to be segregated into two networks (GREEN1 and GREEN2).

Once again this is over my head!


EDIT - these could be the exact same thing and I just don’t get it!

My limited understanding of VLANs is this.
Green would have a trunk to the switch. Native VLAN 0.
Switch:
  • trunk VLAN 0 on port 1
  • VLAN 20 on ports 2-10
  • VLAN 30 on ports 10-15
  • VLAN 60 on ports 15-24
Problem:
Who is the router for the VLANs? The switch itself?
Does everyone have a fixed IP?

Reading the original post I believe that the poster is expecting all the vlan interfaces being run in IPFire via one green NIC, presumably so that different firewall rules can be assigned to each of the different greenX zones.

This would require re-writing of the iptables and ipset code to work with multiple green interfaces.

Also all the WUI pages that have perl code dealing with the green zone would need to be re-written to include multiple green zones.

Any changes made to IPFire must always be able to function with all existing installations.
However the requested change would end up touching the two core functions of IPFire, Networking and Firewalling, and I believe the chances of ending up with changes that result in breaking existing systems with an upgrade would be high, due to the number of changes needed at the same time.

This is why IPFire-3.x is a fresh start development. No historical structure to have to take account of. Networking, Firewalling and Routing are all able to be constructed to work with multiple interfaces and zones that can be defined as users desire right from the start.

4 Likes

Also… Zone is a bigger concept than network adapter or subnet. But not all subnets are equal, even in the same zone.
Firewall rules requires to report zone and subnet (or IP) as source, so we can have multiple subnets on the green zone, however with different (wanted) behaviours.

From a networking perspective this also does not make any sense because IPFIRE is built around the principles of a “zone based firewall”; this means that all logical IPv4 interfaces that are in the same zone pass traffic unfiltered. If you want to filter traffic for security then you put the logical IPv4 interface into a different zone. Currently IPFIRE supports 4 zones I believe (red, green, blue, and orange). Keep in mind that IPFIRE could use a single physical interface to the switch and different “VLAN tagged sub interfaces” (your IPv4 bound logicals) in each of the four available zones.

I do see this capability under Network > Zone Configuration. There should be instructions somewhere on enabling all 4 zones if your initial install did not include all 4?

1 Like
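The model described above (one physical NIC to the switch, one 802.1Q tagged sub-interface per zone, traffic filtered only when it crosses zones) as an added example that is not IPFire’s own code; the interface names, VLAN IDs and subnets are constructed sample values, and with the default DRY_RUN=1 it only prints the commands it would run.

```bash
#!/bin/sh
# Added example (not IPFire code): one trunk NIC, one tagged sub-interface per
# department VLAN, each acting as its own zone. Inter-zone forwarding is dropped,
# every zone may reach RED. Names, IDs and subnets below are assumptions.
set -eu

TRUNK="${TRUNK:-eth1}"        # assumed: NIC cabled to the switch trunk port
RED="${RED:-eth0}"            # assumed: uplink (RED) interface
DRY_RUN="${DRY_RUN:-1}"       # 1 = print commands only, 0 = apply (needs root)

# "vlan_id  firewall_address/prefix" (constructed sample values)
VLANS="20 192.168.20.1/24
30 192.168.30.1/24
60 192.168.60.1/24"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Create the 802.1Q sub-interface for one VLAN and address it on the firewall.
add_vlan_if() {
    run ip link add link "$TRUNK" name "$TRUNK.$1" type vlan id "$1"
    run ip addr add "$2" dev "$TRUNK.$1"
    run ip link set "$TRUNK.$1" up
}

# Zone policy for one sub-interface: out to RED and replies back are allowed,
# forwarding to any other sub-interface on the trunk ("eth1.+" wildcard) is dropped.
zone_rules() {
    run iptables -A FORWARD -i "$TRUNK.$1" -o "$RED" -j ACCEPT
    run iptables -A FORWARD -i "$RED" -o "$TRUNK.$1" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TRUNK.$1" -o "$TRUNK.+" -j DROP
}

# Walk the VLAN table and emit interface setup plus policy for each zone.
configure_zones() {
    echo "$VLANS" | while read -r id addr; do
        add_vlan_if "$id" "$addr"
        zone_rules "$id"
    done
}

# Helper for checking the dry-run output: number of iptables rules produced.
rule_count() { configure_zones | grep -c '^iptables'; }

configure_zones
```

Each VLAN costs three rules here; without the per-VLAN sub-interfaces the firewall sees only one untagged network, which is the point made above about VLANs on the switch alone.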

I think extra colours, if it were to be implemented in v2, which I would like to see if v3 is still years away (the extra colours would be treated the same as orange: no access to anything but the internet and its own VLAN).

I use:

  • green lan (hypervisors / mains pcs)
  • blue wifi and all iot stuff that i don’t want touching pcs
  • orange dmz - webservers

the ipfire box has 5 ethernets, so physical or VLAN tag either way…

recently I was testing a service with access from WAN, would have been nice to have chucked that into its own VLAN / zone separate from everything else… ie different subnet, different VLAN, different zone…

I’d love to see a roadmap of planned stuff in the next 6-12 months going into ipfire, in particular v3, and some sort of ETA for v3.

If I may suggest the following compromise,

I think a simple solution for this feature request would be just a check mark to have BLUE on the same subnet as GREEN.

I understand there is bridging in IPFire WUI - Zone configuration but I could never get the bridging to work and last time I tried it, I messed up so bad that I had to reinstall the whole firewall.

Basically a lot of routers and access points have a feature to “isolate wireless clients” or not to isolate, it usually is a simple check mark.


So @Lexus Polaris if you prefer, you could plug in a wireless access point into BLUE or you could plug in a wired switch into BLUE and, if checked, GREEN would be connected to a single seamless network.