Firewall Rules for Blue <> Green

patrick84834 · 8 March 2021 20:16

Hey there,

I’ve been losing my mind to connect my Hue smart lights and Sonos to my network:
The Hue Bridge is connected via GREEN while my phone that is running the Hue app is in BLUE.
In order to set up my Sonos I have to first connect it to GREEN, configure it with my phone being in BLUE and then unplug the Sonos so it can connect to BLUE.

None of that works. I’ve tried to add all kinds of firewall rules - specific and less specific and my phone never finds any of those devices, making it impossible for me to set them up.

The las rules I tried were the most general I could think of:

(I know this is incredibly unsafe. I was just testing to see if anything works at all - it doesn’t.)

Any advice on how to achieve this?

Thanks!

friseer · 13 March 2021 08:44

Maybe this helps

and this
https://wiki.ipfire.org/configuration/firewall/accesstoblue

s8bordes · 15 March 2021 08:55

Hi,
I’ve been totally crazy for weeks with this topic.

On my side it was impossible to access Green network from any Blue devices even by configuring the DMZ pinhole as documentation advices.

After having read this post, I tried again to configure the Blue to Green rule by playing with NAT options.

I find one that solves my trouble

Into NAT section:

activate => Use Network Address Translation (NAT)
Select Source NAT radio button
Choose Green interface into ‘New source IP address’ combo box

If somebody can validate this fact, maybe it will be useful to update this page : wiki.ipfire.org - Creating a DMZ Pinhole or this one wiki.ipfire.org - Firewall Default Policy into the line related to blue to green default policy.

To sum up here you are the full rule to allow Blue devices accessing Green network

jon · 16 March 2021 02:05

Hi Patrick,
Welcome to the IPFire community!

I don’t have a Sonos so I am not sure how that might need to be configured. Does the first firewall rule not get things working?

Hi Sébastien,

Welcome to the IPFire community!
I tried the Creating a DMZ Pinhole and it works fine for me.

I also tried the your rule above and it works fine without the Source NAT. So I was not sure why it was added or needed.

datamorgana · 16 March 2021 14:25

Just out of curiosity…

Why have you put the smarthome devices or bridges in the GREEN segment? Isn’t it supposed to be the most secure segment in your network topology? Are you sure that these smarthome devices do not perform unnoticed and unwanted requests (“auto updates”) to the outside world (aka RED) and maybe introduce trojans etc. into the GREEN segment? I’m inviting you to considering putting these devices directly in the BLUE segment, or even better, in the ORANGE segment (DMZ).

In my case I have put smarthome devices in ORANGE and monitor its DNS and https requests with both the IPS of IPfire and also a PiHole in ORANGE that acts as DHCP server plus DNS resolver for any device in ORANGE. This way I can and minimize its DNS requests and connections to whatever manufacturer servers it contacts in RED.

s8bordes · 17 March 2021 08:18

Hi Jon,

Are you using also orange network and last ipfire version because without NAT activated it doesn’t work for me?
It was the addition that solves my connection problem from wifi network (blue) to my private Samba server (Green).

Hi Data Morgana,

I have updated the rule to allow access only to some services

On my side I have activated IPS on all networks and the only alert I have seen are related to some hacking attempts on Orange network.

jon · 17 March 2021 18:16

Yes, I am using an Orange network. Only two items currently on Orange.

This is the version of IPFire I am using:
IPFire 2.25 (x86_64) - Core Update 154

I do not use a Samba server on my IPFire box.

s8bordes · 18 March 2021 15:47

Jon,
I have the same setup, maybe the only difference we have is the wifi access point.
On my side I’m using another router without WAN port plugged and with all possible services disabled (dhcp, dns etc…)