Firewall log not showing correct addresses

Hello. I have an issue that is probably my own doing. My network is currently set up as follows.
Cable modem connected to the machine running IPFire (red - Class A).
IPFire connected to my home router (Green - Class B) and I have it assigning DHCP as 172.16.0.1 and the router is 172.16.0.3.
The router then connects to all devices on my network and hands out class C addresses.

I am currently blocking a specific outbound port from my green zone, and that rule is doing its job well. The problem is that I would like to know which devices are sending the outbound traffic on this port that I have forbidden. The logs do show that the traffic is being blocked, but they show the source address as the router's class B address (172.16.0.3) instead of the IP of the devices (192.168.0.X).

Thanks for giving this a read.

To clarify, everything is working well and the only issue I have is that the log currently is not giving me the information I want about what is being blocked, probably due to something in the details of my network setup.

Additional details:
-My router: a lame Netgear AC router with limited configurability that is not OpenWrt/DD-WRT compatible.
-I originally had the Red zone of IPFire as class C as well (192.168.0.1), but then traffic would only work if I put the green interface in bridge mode; by changing it to class B I was able to change the green interface back to default mode. The firewall logs showed the router's IP address instead of the device's for blocked outbound traffic in both situations.
-IPFire version installed: IPFire 2.25 (x86_64) - Core Update 153
-My router isn't actually the one handing out DHCP leases for the class C network. I have DHCP turned off in the router. I am using Pi-hole to resolve DNS and hand out DHCP leases on the class C.
-My Pi-hole is resolving DNS using DNS over HTTPS on port 5053.
-The outbound port that I am blocking is 53.

Hi @dltaylor02

As you have another router between your client machines and the IPFire machine, the IP address shown for all recorded actions in IPFire will be the Netgear router's WAN IP address. The local IPs are not communicated onwards by the router.

If you want to have the IPs of your client machines recorded, then the firewall rule and logging need to be on your Netgear router, or preferably remove the Netgear router and connect your clients directly to the IPFire Green network. Then all client IP addresses will be correct.

Why have you got both the IPFire and Netgear routers in place? The Netgear router should not be needed.

1 Like

The initial idea was to have a sort of plug and play solution. So that if I wanted to, I could remove the firewall between the modem and router, have the router hooked directly to the modem, and not skip a beat other than the WAN of the router needing to refresh its address. I like this concept as it provides flexibility.

So you’re saying because of NAT occurring on the router, that data is scrubbed entirely from those packets?

To the best of my knowledge, yes. The data is still known on the firewall from the connections table, so that the firewall knows that a communication sent back in relation to an outgoing communication is part of the same connection.
If IPFire were between your clients and the Netgear router, then there is an IPFire WUI page showing the connections. In your layout you need the connections data from the Netgear router, as that is in between IPFire and your clients.

It may provide flexibility, but it also adds complexity with double NAT. That can be managed, but you have to remember that all port forward rules have to be entered into both routers.
With a double router situation, my personal preference would always be to have IPFire as the router nearest to the clients. It gives you better control and logging visibility.

2 Likes
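The mechanism Adolf describes above (the inner router's masquerading hides the client addresses, and the original source survives only in that router's own connection table) can be made concrete with a small model. The following is an added example, not code from the thread or from the IPFire project: it models source NAT on the inner router, renders the iptables-style `SRC=... DPT=...` log lines that IPFire writes for a dropped packet, and then aggregates the blocked port-53 traffic by source address in both layouts. The addresses are the ones from the thread; the log prefix `DROP_FORWARD`, the timestamps, ports and sample packets are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Addresses from the thread: the Netgear's WAN side sits in IPFire's green network.
ROUTER_WAN_IP = "172.16.0.3"

# Constructed sample traffic: two LAN clients doing plain DNS (port 53) plus one
# HTTPS packet that the port-53 rule should not match.
SAMPLE_PACKETS = [
    {"src": "192.168.0.10", "sport": 51000, "dst": "8.8.8.8", "dport": 53, "proto": "UDP"},
    {"src": "192.168.0.25", "sport": 51001, "dst": "1.1.1.1", "dport": 53, "proto": "UDP"},
    {"src": "192.168.0.10", "sport": 51002, "dst": "8.8.8.8", "dport": 53, "proto": "UDP"},
    {"src": "192.168.0.25", "sport": 51003, "dst": "93.184.216.34", "dport": 443, "proto": "TCP"},
]

Packet = Dict[str, object]
Conntrack = Dict[Tuple[str, int], Tuple[str, int]]


def masquerade(packet: Packet, conntrack: Conntrack, next_port: int) -> Tuple[Packet, int]:
    """Model of source NAT on the inner router: rewrite src/sport to the router's
    WAN address and a fresh port, remembering the original pair only in the
    router's own connection table. Returns the translated packet and next free port."""
    translated = dict(packet)
    conntrack[(ROUTER_WAN_IP, next_port)] = (str(packet["src"]), int(packet["sport"]))
    translated["src"] = ROUTER_WAN_IP
    translated["sport"] = next_port
    return translated, next_port + 1


def render_log_line(pkt: Packet, prefix: str = "DROP_FORWARD") -> str:
    """Shape of a kernel iptables LOG entry as it appears in the firewall log.
    Timestamp, hostname and rule prefix are constructed placeholders."""
    return (f"Jan 10 10:00:00 ipfire kernel: {prefix} IN=green0 OUT=red0 "
            f"SRC={pkt['src']} DST={pkt['dst']} PROTO={pkt['proto']} "
            f"SPT={pkt['sport']} DPT={pkt['dport']}")


def log_as_seen_by_ipfire(packets: List[Packet], behind_nat_router: bool) -> Tuple[List[str], Conntrack]:
    """Produce the log lines IPFire would record for the sample packets, either
    with the NATing router in front of the clients or with clients on green directly."""
    conntrack: Conntrack = {}
    next_port = 40000
    lines = []
    for pkt in packets:
        if behind_nat_router:
            pkt, next_port = masquerade(pkt, conntrack, next_port)
        lines.append(render_log_line(pkt))
    return lines, conntrack


LOG_FIELD = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Pull the key=value fields out of one iptables LOG line; None if not a firewall line."""
    fields = dict(LOG_FIELD.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return fields


def blocked_sources(lines: List[str], dport: int = 53) -> Counter:
    """Count logged packets to the given destination port per source address.
    Behind a NATing router every entry collapses onto the router's WAN address."""
    counts: Counter = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if fields and fields["DPT"] == str(dport):
            counts[fields["SRC"]] += 1
    return counts


def original_source(conntrack: Conntrack, wan_src: str, wan_sport: int) -> Optional[Tuple[str, int]]:
    """Map a logged (SRC, SPT) back to the real client; only possible with the
    inner router's connection table, which IPFire never sees."""
    return conntrack.get((wan_src, wan_sport))


if __name__ == "__main__":
    nat_lines, table = log_as_seen_by_ipfire(SAMPLE_PACKETS, behind_nat_router=True)
    print("double NAT  :", dict(blocked_sources(nat_lines)))
    flat_lines, _ = log_as_seen_by_ipfire(SAMPLE_PACKETS, behind_nat_router=False)
    print("clients on green:", dict(blocked_sources(flat_lines)))
    print("first NAT entry maps back to:", original_source(table, ROUTER_WAN_IP, 40000))
```

Running the block prints a single source (`172.16.0.3`) for the double-NAT layout and the individual `192.168.0.x` clients once they sit on green directly, which is exactly the change the original poster saw after removing NAT from the Netgear. The `original_source` lookup only works because the example holds the inner router's connection table in the same process; on the real network that table lives on the Netgear, so the firewall log alone cannot recover the client.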

I see, thanks for the information Adolf. I know double NAT is typically a bad idea, but now I see that in addition to extra overhead it makes the logs somewhat crippled.

I have now set up my network as follows:
Modem connected to IPFire (IPFire runs a class C DHCP network), router connected to the Green zone of IPFire and in AP-only mode (no NAT, just SSID broadcast and switching), everything else connected to the router including the Pi-hole running DNS.

The logs are now information rich and showing the addresses of each individual device. I had a feeling that the logs not showing the data was due to my network setup. Thank you for confirming.

2 Likes

Glad you found a solution that works for you.