Firewall rules: send traffic from one IP address to another on same nework

I don’t understand setting up a firewall rule.
To me, the job of rule is to receive traffic directed at a certain ip address and get another IP address to deal with it.
If a NAT is used, then the originating party does not know that anything like this is happening; the firewall is in the middle. NAT works at level 3, IP level (MAC not relevant), I think.

So on my Green zone, there is no device on but there a machine at which responds to ping.

I set up a firewall rule with source
NAT to

Protocol: ALL

If I then ping to I get this output:
tim@black:~$ ping
PING ( 56(84) bytes of data.
From icmp_seq=1 Destination Host Unreachable
From icmp_seq=2 Destination Host Unreachable

If NAT is active, why is it reporting Or maybe that is in the ICMP message.
But why then do I get Destination Host Unreachable.

If I try to ssh to the error is no route to host.
I have requested that the rule be logged, but in Logs → Firewall Logs I see nothing matching this traffic.

This is only one of many jobs you can assign to a rule.


here I am very confused. Can you explain what do you want to achieve and why?


Yes. Also because, as many studies and tests as I have done, setting a firewall rule in IPFire (green to green) in my opinion does not make sense.
I have great doubts that IPFire can somehow “handle” it. Green + Green = Same network = works even with IPFire turned off (except for a possible DHCP assignment).
Am I right, @cfusco ?

In your case, it seems to me that you are trying to create rules between
which are two Green machines, right?

Two machines on the same GREEN communicate with each other independently of IPFire.


By cutting the thread, GREEN still works if the three machines have static IPs. the information that these machines exchange over the network (among them), does not “go through IPFire.” The rules created in the firewall between and in my opinion will never be executed. Regardless of whether the wire is cut or not.

The solution might be…

Then you create the rules as you wish :wink:.


First you need a device to ping.
NAT is not used in this fashion.

1 Like

I feel compelled to “add to my previous post” that NAT cannot be applied to my example either, which refers instead to internal firewall traffic.

1 Like

That was a contrived example, sorry. The real problem I wanted to solve was to allow people on the one subnet (blue) to discover a IPP printer on green, and then have print traffic sent to it once it has been discovered. I think my concept of the solution, a phantom printer IP on the blue they users could , was completely wrong.

Okay. Maybe then my example is valid :+1: :+1: :+1:.
By default you should not be able to access from BLUE to green.
Whereas you should be able to access from Green to Blue.
These are the default rules on how IPFire handles internal traffic. So, in your case, you need to create an internal traffic rule pe “open a gap” between the BLUE network and the GREEN IP of your printer. I have already experimented with this. I can send you a screenshot of my rule…

I rewrote it. I had personalized it too much. This should be the easiest way. I hope he said it right.

That question seems to have already been asked by yourself in another post and appeared to have been solved with the use of the mDNS Repeater addon based on your last reply in that thread.


yes, you are 100% correct. Routing typically refers to the process of forwarding packets from one network to another, which is a Layer 3 (Network layer) operation, handled by routers. In a single subnet, we usually talk about “switching”. Communication within the same subnet is primarily a Layer 2 job handled by switches, which use MAC addresses to forward frames to the correct destination.


@cfusco , I sincerely thank you for the confirmation. Just think that I have come to think this way with practical tests done with IPFire itself over the past few years. I am enjoying this simple and powerful firewall more and more and it allows me to learn and experiment with many things at the network level.

Forgive my drawings. Maybe there is free software suitable for making these patterns?

@casabenedetti , just fundamental thought from an old informatics guy.
Learning new things ( in your case networking/firewalling/… ) should be done not only by experimenting with products in this ‘new world’. It is necessary to learn the basics from literature.

  • every product contains errors, it isn’t desirable to take these as ‘feature’; especially because these bugs are not easily recognisable, otherwise they would have been corrected. :wink:
  • literature usually describes the topic in general, not based on a single SW product.
  • ( asking questions based on knowledge in the thematical field doesn’t bind working effort of devs and mods more than necessary :wink: )

your drawings are clear. That’s what matters.


Yes, I acknowledge the above to be true. And before I do that, I think I will also have to study English well. I see on the net that these topics are covered in English. Very often I struggle to understand them. And so I am forced to resort to proof. As a result, I always have doubts whether what I understand is true or not.

you are doing both at the same time. That is the best way to go. ChatGPT 3.5 is quite good at translating to and from English. By observing how the model does it, you will absorb more than you realize, and learn. Keep going. You will be amazed how far you will progress if you keep trying.


Yes. I am already experimenting with ChatGPT 3.5 as you suggested in a private message. Really amazing. I will also use it for English :wink:.

I cannot agree more.

By the way, in addition to what you have listed, one more reason for learning the hard way is to avoid the risk of creating spurious correlation between two events that have nothing to do with each other.

Personal case point, where I associated two things that had nothing to do with each other.


Perhaps this applies to all disciplines: a good culture, then you put what you learn into practice.

1 Like

Yes. I read. I am also of the opinion that to err is human.

1 Like

more than that. Error correction is how we (and also AI) learn. Think how a child learns to walk. Making mistakes is the foundation of human knowledge. Error-correction does not work only when we let our intrinsic need to protect our self-image to interfere. Our ego is sometimes the worst enemy we have.

EDIT: after I understood how the LLMs learn to answer questions, I realized that there is nothing intelligent about it. Yet, the world is full of people that are inferior to AI because their ego makes them a worst learner than a stupid language model. I find this depressing.

1 Like