[Feature Request] multiple green networks

Hey there,

I know, I know, this feature was requested many times before and the developers said that it is too complicated or at least too time consuming and not worth the effort to implement in IPFire 2x but will be part of IPFire 3x. But since IPFire 3x probably won’t be there for quite some time I wanted to repeat the request and (in my humblest opinion) it should not be so difficult.

Thing is, we have a lot of customers, who want to improve their network-setup / internet-security / remote-accessibility etc. and I always really want to recommend IPFire. I really like it because it offers everything you need (plus a lot more), is easy to manage (even for beginners) and has reasonable prices (compared to other distributors). All pretty good aspects to pitch it to customers, who would need a support-contract anyway, so no more reason to not make a contract / subscription with LWL (for support and/or development).

But I always stumble at the point where you need to put different departments (legal, sales, management, etc.) in different networks (mainly for security reasons but also for a better performance) and you do not want an additional device for this.

I checked a few config-files and scripts within IPFire (I’m no programmer, so please no shooting) and basically to “create” additional networks, you would only have to rename every “GREEN…” to “GREEN0…” (simplified) and create “GREEN1…”, “GREEN2…” and so on. Within those networks all the devices are able to see each other, so no need for additional configuration there, copy & paste from “GREEN0” should do it (maybe with the exception that only GREEN0 has access to the WUI, so it’s the “admin-net”). Between the networks, they need to be separated from each other by default but all need access to red, so it’s exactly like it is with blue.

That should be it for the first step or do I miss something here?

The second and a bit more complicated part would be to assign multiple networks to one interface, because you need to implement trunking at whole. But the basis for this already is part of IPFire too, or isn’t it?

That’s it and IPFire is a serious and complete competitor for all the needs of 90% of the customers out there.

Would this really be that complicated?

Greetings and a happy new year to all of you! 🙂

Your idea of segmenting your LAN in IPFire by creating multiple GREEN networks like GREEN0, GREEN1, etc., presents severe technical problems that make this extremely difficult in the current IPFire 2.x framework.

First, IPFire 2.x is designed with a single GREEN network in mind. Introducing multiple GREEN networks would require significant alterations to the core architecture and policy enforcement mechanisms.

Second, in your proposed setup, traffic within the same subnet (e.g., GREEN0 to GREEN1) wouldn’t pass through the firewall but would be managed by a switch. This limits IPFire’s ability to control or apply policies to this intra-network traffic. This is unlike the BLUE zone, where traffic is controlled using the WIFI protocol at the access point level, allowing the isolation of each host. This feature is called “Wireless Client Isolation” or “Access Point Isolation”.

Third, to effectively segregate different departments, each would need its own network interface or a VLAN setup, which is not straightforward in the current version of IPFire.

A more feasible approach with IPFire 2.x is to use VPN protocols, like IPSec or OpenVPN (probably easier to set up), to create distinct, manageable networks. This method allows for effective segregation and control within IPFire’s existing capabilities.

Alternatively, you could use a “smart” switch that can operate at the data link level (layer 2) and the network (layer 3) level to segment the network in a more granular way.

4 Likes

I wonder if a smart switch (VLAN??) could do something like this?

(keep in mind my only VLAN knowledge is spelling the word “VLAN”).

1 Like

@jon It seems we share a similar understanding of VLANs (probably yours is better than mine), however, I can speculate.

Given IPFire 2.x’s limitation to distinct zones like GREEN, ORANGE, and BLUE, it’s true that while a smart switch can regulate local traffic using VLANs, IPFire will treat all outbound traffic to the RED interface uniformly. So, in your setup, despite the local segmentation by VLANs, all traffic directed to the RED interface should be considered as coming from a single GREEN subnet by IPFire.

Instead of VLAN, maybe the right device is a managed network switch.

I wonder if they allow a network (GREEN0) to be segregated into two networks (GREEN1 and GREEN2).

Once again this is over my head!

EDIT - these could be the exact same thing and I just don’t get it!

My limited understanding of VLANs is this:

  • Green would have a trunk to the switch. Native vlan0.
  • Switch: trunk vlan0 on port 1; vlan20 on ports 2-10; vlan30 on ports 10-15; vlan60 on ports 15-24.

Problem:

  • Who is the router for the VLANs? The switch itself?
  • Does everyone have a fixed IP?

Reading the original post I believe that the poster is expecting all the vlan interfaces being run in IPFire via one green NIC, presumably so that different firewall rules can be assigned to each of the different greenX zones.

This would require re-writing of the iptables and ipset code to work with multiple green interfaces.

Also all the WUI pages that have perl code dealing with the green zone would need to be re-written to include multiple green zones.

Any changes made to IPFire must always be able to function with all existing installations.
However the requested change would end up touching the two core functions of IPFire, Networking and Firewalling, and I believe the chances of ending up with changes that result in breaking existing systems with an upgrade would be high, due to the number of changes needed at the same time.

This is why IPFire-3.x is a fresh start development. No historical structure to have to take account of. Networking, Firewalling and Routing are all able to be constructed to work with multiple interfaces and zones that can be defined as users desire right from the start.

6 Likes

Also… a zone is a bigger concept than a network adapter or subnet. But not all subnets are equal, even in the same zone.
Firewall rules require you to report zone and subnet (or IP) as source, so we can have multiple subnets on the green zone, however with different (wanted) behaviours.

From a networking perspective this also does not make any sense because IPFire is built around the principles of a “zone based firewall”; this means that all logical IPv4 interfaces that are in the same zone pass traffic unfiltered. If you want to filter traffic for security then you put the logical IPv4 interface into a different zone. Currently IPFire supports 4 zones I believe (red, green, blue, and orange). Keep in mind that IPFire could use a single physical interface to the switch and different “VLAN tagged sub interfaces” (your IPv4 bound logicals) in each of the four available zones.

I do see this capability under Network > Zone Configuration. There should be instructions somewhere on enabling all 4 zones if your initial install did not include all 4?

1 Like
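The zone model described in the post above (same VLAN/subnet is switched and never seen by the firewall; same zone on different sub-interfaces is forwarded unfiltered; different zones are subject to policy), as an added illustrative example that is not IPFire code. The interface names, subnets and the inter-zone policy table are constructed for this example and are not taken from an IPFire installation.

```python
# Illustrative model of a zone-based firewall over VLAN-tagged sub-interfaces.
# This is example code written for this thread, not IPFire's own implementation;
# interfaces, subnets and the policy table are constructed for the example.
import ipaddress

# Logical interface -> (zone, IPv4 subnet). One physical NIC (eth0) carries all VLAN tags.
INTERFACES = {
    "eth0.10": ("GREEN",  "192.168.10.0/24"),
    "eth0.11": ("GREEN",  "192.168.11.0/24"),   # second subnet in the same zone
    "eth0.20": ("BLUE",   "192.168.20.0/24"),
    "eth0.30": ("ORANGE", "192.168.30.0/24"),
    "eth1":    ("RED",    "203.0.113.0/24"),    # constructed WAN subnet
}

# Constructed inter-zone policy: every zone may reach RED, GREEN may reach BLUE and
# ORANGE, and anything else that crosses a zone boundary is dropped.
ALLOWED = {("GREEN", "RED"), ("BLUE", "RED"), ("ORANGE", "RED"),
           ("GREEN", "BLUE"), ("GREEN", "ORANGE")}

def interface_for(ip):
    """Return the sub-interface whose subnet contains ip, or None if no interface has it."""
    addr = ipaddress.ip_address(ip)
    for name, (_zone, net) in INTERFACES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None

def verdict(src_ip, dst_ip):
    """Classify a flow as 'switched', 'unfiltered', 'allowed', 'dropped' or 'unrouted'."""
    src_if, dst_if = interface_for(src_ip), interface_for(dst_ip)
    if src_if is None or dst_if is None:
        return "unrouted"
    if src_if == dst_if:
        # Same VLAN and subnet: the switch forwards it locally; the firewall never sees it.
        return "switched"
    src_zone, dst_zone = INTERFACES[src_if][0], INTERFACES[dst_if][0]
    if src_zone == dst_zone:
        # Same zone, different sub-interface: routed by the firewall but not filtered.
        return "unfiltered"
    return "allowed" if (src_zone, dst_zone) in ALLOWED else "dropped"

if __name__ == "__main__":
    for flow in [("192.168.10.5", "192.168.10.9"), ("192.168.10.5", "192.168.11.9"),
                 ("192.168.20.5", "192.168.10.9"), ("192.168.30.5", "203.0.113.7")]:
        print(flow, "->", verdict(*flow))
```

The second flow is the case the thread keeps returning to: two GREEN subnets are routed by IPFire, but because they share a zone no rule applies between them.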

I think extra colours, if it were to be implemented in v2, which I would like to see if v3 is still years away (the extra colours would be treated the same as orange, no access to anything but internet and its own VLAN).

I use:

  • green lan (hypervisors / mains pcs)
  • blue wifi and all iot stuff that i don’t want touching pcs
  • orange dmz - webservers

the ipfire box has 5 ethernets, so physical or VLAN tag either way…

recently I was testing a service with access from WAN, would have been nice to have chucked that into its own VLAN / zone separate from everything else… ie different subnet, different VLAN, different zone…

I’d love to see a roadmap of planned stuff in the next 6-12 months going into ipfire in particular v3 and some sort of eta for v3.

If I may suggest the following compromise:

I think a simple solution for this feature request would be just a check mark to have BLUE on the same subnet as GREEN.

I understand there is bridging in IPFire WUI - Zone configuration but I could never get the bridging to work and last time I tried it, I messed up so bad that I had to reinstall the whole firewall.

Basically a lot of routers and access points have a feature to “isolate wireless clients” or not to isolate, it usually is a simple check mark.


So @Lexus Polaris if you prefer, you could plug a wireless access point into BLUE or you could plug a wired switch into BLUE and, if checked, GREEN would be connected to a single seamless network.

1 Like

Sorry for the late response.

@trish

Kind of sounds like a decent idea. Of course it does only make sense if there is no need for a “real” blue/wifi or orange/dmz zone but nonetheless, good idea and I will definitely give it a try. And even if it is only to have some ethernet-connected devices that should not be allowed to access the firewall (which is not possible in green).

Bridging in IPFire, by the way, is the other way around. It is combining different interfaces (for example multiple ethernets and/or wifi) in one zone, so that the traffic does not have to go through the firewall.

I once bridged ethernet and wifi (just for the sake of testing) and it sped up the transfer speed from around 360 Mbit to about 520 Mbit (which is pretty neat for a module which has 866 Mbit/s gross).

Nevertheless, I would consider @bonnietwin’s posting to be the solution, since the “simple” solution of “more zones” is not possible with IPFire at the moment.

1 Like

I totally agree with the need for multiple green networks.
In fact, this has always been the only major concern for me to adopt IPFire as a full-fledged business router in the past. On the other hand, considering that some Enterprise and Mini PC appliance infos have recently been published with multiple physical ethernet ports, that begs the question as to whether the issue has already been resolved.

But is the solution also available on the downloadable software package side? At the end of the day it shouldn’t be so difficult to achieve this on a limited (fixed) quantity of possible green interfaces. At least 5 should be enough in my view. So how about some additional Network configuration options similar to the number of physical ports available on standard domestic or small business routers, involving:

  • 1 RED (Wan) and 4 GREEN (Lan) Networks?
    OR
  • 1 RED (Wan), 1 BLUE (Wifi) and 3 GREEN (Lan) Networks?
    OR
  • 1 RED (Wan), 1 ORANGE (DMZ) and 3 GREEN (Lan) Networks?
    OR
  • 1 RED (Wan), 1 BLUE (Wifi), 1 ORANGE (DMZ) and 2 GREEN (Lan) Networks?

This could also help easily leverage on the wide array of MINI PC Routers available on the market that may already contain the right number of physical interfaces compatible for a desired configuration.
https://www.amazon.com/s?k=mini+pc+router&ref=nb_sb_noss
In my view, it’d be tough for any other competitive routing software to match the value of IPFire in terms of cost and feature package if this can be done.

Please see post

https://community.ipfire.org/t/feature-request-mulitple-green-networks/10808/7

in this thread.

Hi,

I understand your concern about IPFire firewalling, networking concepts, and the need to rewrite the code, which requires a great deal of work.
But technically speaking, I can imagine optional code logic that applies at the network and firewall level based on predefined and selected user configurations, including add-ons that could be configurable for use on a single or multiple (LAN IPs) or network interfaces.
So, this probably comes down to a cost/benefit analysis to take IPFire to the next maturity phase. I only hope nobody is pissed off at the idea that I’m trying to help you guys create a greatly improved product that potentially beats any existing competition. The increased popularity of IPFire, in my view, would certainly multiply incoming revenues for both support packages and the sale of preconfigured and optimized appliances. So, somebody needs to think VERY BIG here…
Don’t you think?

No problem with people providing suggestions for improvements.

The next major phase for IPFire is IPFire-3.x

https://www.ipfire.org/docs/roadmap#ipfire-3

This is a major rewrite from the ground up and will be able to have as many interfaces/zones as are wanted. This would definitely meet the requirements for multiple green networks.

As the IPFire dev team is very small and they also have day jobs to pay their bills etc, then the allocation of those resources tends to be focussed on IPFire-3.x except for any IPFire-2.x maintenance and bug/security fix requirements that come along.

Of course, as this is an open source project, users are able to submit patches for changes/improvements.

https://www.ipfire.org/docs/devel/submit-patches

It would be good to have early discussions about any potential major patch submissions in the dev mailing list.

https://www.ipfire.org/docs/devel/contact

1 Like

Thanks for this update.
I sincerely appreciate that, and I’m very relieved to learn that some major and very interesting improvements are on the back burner for IPFire 3.

Best regards