For test purposes I have set up a Linux PC as router. The PC has 2 network cards with static IP addresses, the one from the greeen network, the other from a test network. In IPFire I have set a static route into the test network:
green network: 192.168.0.0/24
test network: 192.168.1.0/24
router PC: 192.168.0.250 connected to green, 192.168.1.192 connected to test network
static route in IPFire: network 192.168.1.0/24 gateway: 192.168.0.250
I can ping PCs behind the router from the green network, nothing else works. The firewall log shows entries with DROP_CTINVALID. In a separate environment (PC – router – PC) all is working as expected, in both directions.
No, the router has no vpn. It is a simple Ubuntu machine, and we don’t want to spend a lot of time to configure it. We did this because we want to access customer PCs with their final configuration.
I guess my ubuntu “router” is set up correctly, because it works as expected in an environment without IPFire, see 2nd diagram. The difference is, in the installation with IPFire (1st diagram) the PCs in the green network have IPFire as default gateway and IPFire has a static route to the ubuntu router. In contrast to this without IPFire (2nd diagram) the PCs in the green network have my ubuntu router (192.168.0.250) as default gateway. So I think IPFire is already involved. My question is why ICMP from green to test network is working and nothing else, and only in this direction? What needs to be set to allow all traffic?
created container pc1 (based on ubuntu 20.04 template)
root@pc1:~# ip route
default via 192.168.0.250 dev eth0 proto static
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.100
created container ubu (based on ubuntu 20.04 template)
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@ubu:~# ip route
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.250
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.129
created container testpc (based on ubuntu 20.04 template)
root@testpc:~# ip route
default via 192.168.1.129 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.200
From pc1
root@pc1:~# ping -c2 192.168.1.200
PING 192.168.1.200 (192.168.1.200) 56(84) bytes of data.
64 bytes from 192.168.1.200: icmp_seq=1 ttl=63 time=0.104 ms
64 bytes from 192.168.1.200: icmp_seq=2 ttl=63 time=0.027 ms
From testpc
root@testpc:~# ping -c2 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
64 bytes from 192.168.0.100: icmp_seq=1 ttl=63 time=0.077 ms
64 bytes from 192.168.0.100: icmp_seq=2 ttl=63 time=0.034 ms
In the 2nd diagram pc1 has an address from the green network and ubuntu as default gateway. In this scenario all is working, it was just to test the ubuntu routing settings.
In both scenarios ubuntu has the same settings.
I’m having the same issue. I’m using a TP-Link ER605 router to deploy VLANs on the ipFire Green network. I am writing this from a PC connected to the ER605. Internet access works fine. I can ping other devices on the Green network. I can access the ipFire GUI on its Green ip address. I cannot access the Windows file server, nor the intranet on Green. The firewall log shows lots of DROP_CTINVALID and DROP_NEWNOTSYN messages. ipFire appears to be blocking legitimate traffic on Green. IPS is not running on Green. Creating a rule to Allow All from the Green IP of the ER605 to the Windows file server, for example, does not fix the problem. Traffic is still blocked by ipFire.
I took the ER605 back to the lab to replicate and troubleshoot the problem. However, in the lab, I cannot replicate the problem. My lab ipFire is runnning the same Core version of ipFire and I restored the field config from backup to the lab ipFire. The lab firewall log has no DROP-CTINVALID entries and I can access network resources on the Green network. The only difference between the setups is that the field ipFire has an Orange NIC with a “default DMZ” configuration (no hosts in the DMZ however). The lab only has 2 NICs, Green and Red. More to follow.
I think I am struggling with the same issue. I have narrowed my problem down to ipFire connection tracking being overly aggressive. When using ipFire as a gateway to another network, even with static routes and firewall rules, connection tracking will block traffic if it only sees 1 side with DROP-CTINVALID.
My Setup
I use opnsense as my primary router at home but wanted to test ipFire vpn performance head-to-head so I setup an ipFire VM.
Both routers are connected to the same LAN/GREEN network (192.168.3.0/24) where I have my main desktop (192.168.3.99). Opnsense LAN interface is 192.168.3.1 and ipFire GREEN interface is 192.168.3.15.
Each router also defines its own open VPN client network: 192.168.21.0/24 for opnsense and 192.168.15.0/24 for ipFire.
There are reciprocal static routes and firewall rules on both routers for the VPN networks.
Testing
When using ipFire as my desktop computer’s gateway, opnsense VPN clients cannot connect. Looking at the ipFire firewall logs I can see my icmp replies are blocked with DROP-CTINVALID. The icmp request came straight from opensense to the desktop which then replies using the ipFire gateway and is blocked.
Everything is working as expected when the desktop uses opnsense as its gateway. I can connect to either VPN and ping the desktop successfully. I cannot find any settings that allow me to modify the connection tracking in ipFire to fix this issue. Very frustrating as it took a while to figure out why this setup wasn’t working.
