I’ve been losing my mind to connect my Hue smart lights and Sonos to my network:
The Hue Bridge is connected via GREEN while my phone that is running the Hue app is in BLUE.
In order to set up my Sonos I have to first connect it to GREEN, configure it with my phone being in BLUE and then unplug the Sonos so it can connect to BLUE.
None of that works. I’ve tried to add all kinds of firewall rules - specific and less specific and my phone never finds any of those devices, making it impossible for me to set them up.
The las rules I tried were the most general I could think of:
Why have you put the smarthome devices or bridges in the GREEN segment? Isn’t it supposed to be the most secure segment in your network topology? Are you sure that these smarthome devices do not perform unnoticed and unwanted requests (“auto updates”) to the outside world (aka RED) and maybe introduce trojans etc. into the GREEN segment? I’m inviting you to considering putting these devices directly in the BLUE segment, or even better, in the ORANGE segment (DMZ).
In my case I have put smarthome devices in ORANGE and monitor its DNS and https requests with both the IPS of IPfire and also a PiHole in ORANGE that acts as DHCP server plus DNS resolver for any device in ORANGE. This way I can and minimize its DNS requests and connections to whatever manufacturer servers it contacts in RED.
Are you using also orange network and last ipfire version because without NAT activated it doesn’t work for me?
It was the addition that solves my connection problem from wifi network (blue) to my private Samba server (Green).
Hi Data Morgana,
I have updated the rule to allow access only to some services
On my side I have activated IPS on all networks and the only alert I have seen are related to some hacking attempts on Orange network.
Jon,
I have the same setup, maybe the only difference we have is the wifi access point.
On my side I’m using another router without WAN port plugged and with all possible services disabled (dhcp, dns etc…)
Hi there,
after getting a wifi module that’s working with hostapd I removed my external wlan-router (attached to green) and enabled the hotspot on blue.
Finally I ran into the similiar problems like the OP and Sébastien.
The solution by Sébastian made it!
I think the different experiences of Jon and others maybe due to their proxy settings?!
After enabling the internal proxy access BLUE to GREEN and Proxy I could access the webserver of a device - BUT I still wasn’t able to access other services like ssh on the device.
Enabling the source nat finally did it!
Effectively that is saying that you have a machine on the blue network (192.168.2.0/24 in the case of @s8bordes ) but you are going to pretend that the machine actually has an IP of 192.168.0.254 on the green network.
I just set up a blue to green pinhole rule on my testbed vm system and it worked fine with no problems, both with the proxy enabled or disabled.
The rule is specific to only allow the machine blue1 on the blue network to access green1 on the green network.
NAT was not selected at all.
With this rule enabled I can access green1 from blue1 with no problems. With the rule disabled then there is no connection from blue 1 to green1.
Often when people have a problem having machines on the blue network recognised it has turned out that they have not defined the mac addresses for the blue machines in the mac filter section of the wui menu Firewall - Blue Access.
In the Blue Access section you need to either specify the mac addresses that are allowed or you need to put an entry that says that all mac addresses on blue are allowed.
This is what I have on my IPFire Blue Access page
there is an argument to be made that maybe the default should be changed NOT to have the blue access filter ON. The first argument could be this user interface attrition, but more importantly the default setting of new android phones (ios as well?) of randomizing the mac address. Finally, the security advantage of a mac address filter ON by default can be argued is minimal, at least against a mildly determined attacker.
I am just putting out there the argument, not necessarily advocating for such a change. In my personal situation, the present setting is not a problem whatsoever.
