Green pc to AP blue

old_men · 14 May 2024 16:02

Access AccessPoint in the Blue Network with PCs in the green network, somehow I still have a bug in my firewall rule! Away, someone can tell me was wrong about since?

And there is a German department in the forum?

hvacguy · 14 May 2024 17:43

If you have not changed you firewall default behavior. You need no rule for green to blue.
So rule 4 is not needed.
And there is no German forum anymore.

old_men · 14 May 2024 17:46

Ok Thank you, what do you think you didn’t change with the default behavior of the firewall?
Somehow I can’t get from the green to my AP in the blue.

hvacguy · 14 May 2024 18:09

Some AP’s you can not access there WUI from a different subnet. So green can’t always access a WUI in blue.

trish · 14 May 2024 18:16

I wish someone would figure out how to properly use bridging of both GREEN and BLUE

hvacguy · 14 May 2024 18:38

If they are bridged what is the point of having 2 networks.
If you have a wifi card as AP bridge it to a nic. Everyone on blue.

hvacguy · 14 May 2024 18:48

Green can talk to blue.
Blue can not talk to green

And you can change the firewall default
Behavior from allow to block.

Allow green to red or blue
Blocked green to red or blue.

This is a great read.
https://www.ipfire.org/blog/firewall-configuration-recommendations-for-ipfire-users

roberto · 14 May 2024 18:50

An idea, you may have to make a SNAT rule since the AP’s response may not be able to reach Green.

Or make a static route on the AP so that it knows how to reach the Green range.

Saludos,.

old_men · 15 May 2024 16:21

The reading is nice, but doesn’t really help me.

What is a SNAT rule or how do I do this

roberto · 16 May 2024 06:48

This may help you:

https://docs.openstack.org/neutron/pike/admin/intro-nat.html

and how to do this:

Saludos.

nickh · 16 May 2024 10:13

No route should be needed for Blue to Green or vice-versa. Automatically the traffic will pass through IPF and it is aware of routes to both interfaces.

The main possible issue is what was mentioned before, the AP not responding to traffic outside its own subnet. To get round that, you need an SNAT rule something like:

Source = green subnet or narrow it down to a particular IP
NAT = Source NAT
New Source IP address = blue0
Destination = AP IP (or you can do the whole subnet if you really want)
Protocol = HTTP or HTTPS or whatever you were using to access the AP, or even ANY.

With respect to the destination, the Windoze firewall often rejects packets from outside its subnet. If you set to destination to ANY then you have a better chance of accessing resources on those PC’s. The downside of it is that, from the PC’s perspective, it no longer knows who is trying to access it as it just sees traffic from blue0.

old_men · 16 May 2024 17:10

Thank you very much, I think I understand it now. I created the following rule (picture attached) and I now go from green to the blue AP