Guest WiFi that does not go through VPN

Hello

Hope you’ve all had a great start into 2022.

My question is about a special set-up. I have two sites. On both sides I have a cable modem and an IPFire box. They connect to each other with OpenVPN. I can access every device, printer etc. from both sides and across the VPN. Works great. On both networks there is a Wifi router attached (creating a separate sub-network) so I can walk around with a laptop and reach all devices on both sides and across the VPN. This works great too.

But now the problem is that I have customers who ask for a Wifi connection. What would be the best way to offer them Wifi internet while keeping them out of my internal network? They should be able to access the internet (for browsing, youtube etc.) but not the VPN channel or my internal network servers, printers etc. Is there a way to use a 3rd LAN port on the IPFire box where I could connect the Wifi router and tell the IPFire box to only let that port access the web but not the VPN tunnel or the green network?

Pretty much the setup for the blue zone. If you need to add more restrictions it is easy to do by adding a few rules on the firewall and, if you set up a proxy server, also in the proxy configuration.

You could also install Captive Portal.

OK, thanks for your reply. I haven’t got a deep understanding for BLUE and ORANGE.

So from BLUE you cannot access GREEN, right?

And ORANGE to GREEN is closed too, right? The only difference is that ORANGE is exposed to RED/Internet. Correct?

That’s correct. If you go to the Web User Interface, Firewall/Firewall Rules you will see the default policy (which of course you can change if you so desire). This is the image you will see:

Therefore, green can do everything, Orange and Blue can only go to the red, with the difference that Orange has even more restricted rules. Concerning the internet exposure, any network is exposed to the internet only if you set up rules in the firewall to forward incoming packets for a given service (i.e. port) to a given machine of your network. This is true for any zone. However, you should open a service only in the orange zone, because any owning of the machine from a hack or a malware infection will be way more difficult to spread to the rest of the network than from blue or, even worse, green.

By the way, this is called destination NAT. As long as you do not do that, nothing should allow traffic initiated from the red zone to reach any machine, including the ones in the orange zone.

Here you have more details concerning what the orange can and cannot do.


Hello

I’ve given it a try and maybe I simply don’t understand the concept of BLUE or ORANGE.

I have a PC running IPFire and used to have just GREEN and RED. RED gets its IP by DHCP from the ISP (cable modem) and GREEN set to 192.168.10.1 and giving 192.168.10.200 to 192.168.10.240 to the clients by DHCP. Things work great so far.

Now I’ve added a 3rd Network card and changed the setting to GREEN, RED, BLUE by logging in as root, running Setup and I’ve assigned BLUE to the 3rd Network card. Then I had to set an IP for the BLUE interface so I set it to 192.168.15.1.

In the Wiki I read that it is best to attach an access point to the BLUE NIC. But any access point or PC I connect to the Blue NIC doesn’t get an IP address and can’t access the web. I read in wiki.ipfire.org - Blue Access that I have to disable MAC filtering. So I followed those instructions, but still no client on the Blue NIC can access the internet or even gets assigned an IP address, default gateway etc. I haven’t found out how I can enable the DHCP server on BLUE.

It seems like I don’t understand the concept of BLUE or do I simply have to turn on DHCP server on Blue somewhere? Can someone please give me a hint?

Thank you!

On the DHCP server page you should now have a table for blue as well as for green. You will need to enable the blue DHCP and set the start and end address of the dynamic IPs you want to provide.


Tadaaaa!!! Thanks Adolf Belka for your hint! On the command line I didn’t see the possibility to define DHCP, but when I used the WebGUI there was the option to use DHCP on the BLUE interface. Works like a charm, great!!
