Help with DNAT rules to redirect a service

Hi,
Thanks to the developers and volunteers behind IPFire!

I’ve been using IPFire a little while but am struggling to configure rules to redirect a service.

I’ve read all the Wiki pages I could find but cannot achieve what I want using the examples there. I’ve tried various Destination NAT (port forward) rules but cannot get what I want.

I want to make all NTP traffic (UDP/123) from an internal network (BLUE) be redirected to one of the time servers I run (the time server is on GREEN).

I have found that a combination of rules can cause an NTP query addressed to the BLUE IPFire interface to go to the GREEN NTP server, but this is not what I want. I want to forcibly redirect any traffic coming from BLUE to the NTP server which uses a GREEN IP. This is so systems trying to go to the internet for time will be forced to use my time server.
Is this possible using the web interface or will I need some advanced rules?

I notice that choosing a source of “Firewall” “GREEN” is very different to choosing “Standard Networks” “GREEN”. The first (correctly?) creates an outgoing firewall rule while the second creates a standard firewall rule. Sadly neither of them do what I was hoping and I am confused.

Thank you
Save

Hi,

first, welcome to the IPFire community and sorry for my tardy reply.

Yes, please refer to this wiki page in case you haven’t done already.

I notice that choosing a source of “Firewall” “GREEN” is very different to choosing “Standard Networks” “GREEN”.

This is true: The first one applies to the GREEN interface of your firewall only, while the latter applies to the entire GREEN network including your IPFire’s IP address within that network.

The first (correctly?) creates an outgoing firewall rule while the second creates a standard firewall rule.

True. A “standard” firewall rule is also called a “forwarding firewall rule”.

Just for the sake of completeness: You might want to have a look at this and this blog post for some configuration recommendations.

Thanks, and best regards,
Peter Müller


I’ve never understood the difference either! I basically just try stuff until it seems to work (bad, bad, bad!).

It sounds like:

  • the Standard Networks GREEN applies to 192.168.1.1 > 192.168.1.254
  • and the Firewall GREEN does 192.168.1.1
  • with IPFire at 192.168.1.1 and the green network 192.168.1.1 to 192.168.1.255

Could you explain this in more detail? Maybe add an example of why someone would use one over the other?

[verbose mode on] please!

Thanks @pmueller

I had read the wiki page which you linked, but I cannot make it redirect a service to a different IP. I don’t want to redirect to the IPFire router itself but use my own time server. Are you able to help me do that please?

As soon as I change the “destination” from “Firewall: All” to “Hosts” and then specify one of my internal hosts it does not seem to work how I need.

Thank you for the link to your security posts! I’ll read them in detail.

Thank you,
Save

Is it impossible to redirect all outgoing traffic from one network to a device on another network (not IPFire)?
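An added example, not from this thread and not an IPFire-provided configuration: custom iptables rules, written in the style of IPFire's firewall.local hook, that force every NTP query arriving from BLUE to a GREEN time server regardless of the address the client asked for. It assumes the interfaces are named blue0 and green0 and uses a placeholder address for the time server.

```shell
#!/bin/sh
# Added example (not from the thread, not IPFire's own code): force all
# UDP/123 traffic entering from BLUE to the GREEN time server.
# Assumed values: BLUE interface blue0, GREEN interface green0,
# NTP_SERVER is a placeholder for the time server's real GREEN address.
NTP_SERVER="${NTP_SERVER:-192.0.2.123}"   # placeholder, replace with the real GREEN IP
BLUE_IF="${BLUE_IF:-blue0}"
GREEN_IF="${GREEN_IF:-green0}"
IPT="${IPT:-iptables}"                    # set IPT=echo to print the rules instead of applying them

# Emit the rules, one per line, so the same definitions can be applied (-I)
# or removed (-D) by passing the iptables action as the first argument.
ntp_redirect_rules() {
    action="$1"
    # 1. Rewrite the destination of every UDP/123 packet that enters from BLUE,
    #    unless it is already addressed to the server, to the GREEN time server.
    echo "-t nat $action PREROUTING -i $BLUE_IF -p udp --dport 123 ! -d $NTP_SERVER -j DNAT --to-destination $NTP_SERVER:123"
    # 2. Permit the rewritten query to be forwarded from BLUE to GREEN.
    echo "$action FORWARD -i $BLUE_IF -o $GREEN_IF -p udp -d $NTP_SERVER --dport 123 -j ACCEPT"
    # 3. Permit the server's reply back to BLUE; conntrack restores the original
    #    destination on the way back, so the client sees a normal answer.
    echo "$action FORWARD -i $GREEN_IF -o $BLUE_IF -p udp -s $NTP_SERVER --sport 123 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Run every generated rule through iptables (or whatever $IPT points at).
apply_rules() {
    ntp_redirect_rules "$1" | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        $IPT $rule
    done
}

case "${1:-}" in
    start) apply_rules -I ;;   # insert rules ahead of the GUI-generated ones
    stop)  apply_rules -D ;;   # remove exactly the rules inserted above
    *)     ;;
esac
```

Because BLUE and GREEN are different subnets, both the query and the reply pass through IPFire, so no extra source NAT is needed for the redirect to work.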