How to allow Incoming Firewall Access? [Policy: Blocked]

Hi, I have multiple Aliases on my IPFire server. And I’m trying to spin up Port Forwarding for one client.

I allowed without issues: from Alias IP to my Client IP in Orange zone subnet.

But I’m struggling to allow from Client IP in orange zone subnet to Alias IP, because right under the Incoming Firewall Access rule this is written with a red background: Policy: Blocked.

Does anyone know how to change Incoming Firewall Access from Policy: Blocked to Policy: Allowed?

Like the Outgoing Firewall Access is allowed.

[I use GUI IPFire web interface to access and manage my IPFire server.]

But I also have access to the root IPFire itself if needed.

This defeats having a firewall.

Where is the client located? Which zone?
To which zone? Just to be clear.

Thank you for answer.

The moderator explained the situation to me pretty well in the post above.
So the specific issue I was trying to solve is already solved.

But let’s say I have some service running on the same server where my IPFire is running, for example I want to access SSH.

IPFire has an amazing, well-evolved web interface, so how can I simply change the Incoming Firewall Access Policy from Blocked to Allowed?

Many users on this website were already trying to ask about this years back, but they still have received no proper solution to this problem so far.

You don’t want to change that.
A firewall rule is the way to go.
Much like your other post.
If you need access to multiple servers.
Then WAN-side aliases would work, or a VPN.

Well, I have another issue…

I’m setting up another client, client-2, and I get the same public IP from Alias 1 on Client 2 as I get on Client 1.

I want to specify Client 2 to use Alias 2 public IP.

How can I specify an IP address in the Orange zone to use a different Alias public IP?

OK, solved it this way. Is it correct?

Source address: x.x.x.x [client-2]

Use NAT: Source NAT: New source IP address: IP-2 [x.x.x.x] [My Alias 2 IP]

Destination: Standard Network: Any

Protocol: All

That looks wrong.
I have little idea what you are trying to do here.
You should look at firewall groups.

You can make a group of administrators.
Then make a firewall rule for that group.
You can make a service group.
To allow them access to assorted ports.

Oh… Didn’t explain properly.

I’m trying to get Client 2 to use Alias IP 2 instead of Alias IP 1.

Both clients 1 and 2 are in the same Orange zone, but each is supposed to have its own Alias public IP address.

After I tried to set the new rule above:
Source: Client 2 IP : Source NAT: Alias 2 IP Destination: Any Protocol: All.

Client 2 seems to be using the right Public IP address when I google myip it seems to have the right IP address from my Alias 2.

If you are setting up 2 mail servers.
Then my understanding is you will need SNAT rules, so the response is returned from the correct IP.
But I don’t have a mail server.
So I can’t help with that.
But this I have seen discussed in the forum in the past.
Hope that helps

Not necessarily two mail servers. I’m setting up general Internet connectivity for my client, which has multiple applications running on it, and some of them also need port forwarding…

I used the Source NAT rule from the message above to force it to use a specific [second] alias on my IPFire server.

And it seems to work fine, however I’m not sure if this is correct and whether some other rule isn’t missing to force a specific client to use a specific Alias IP on IPFire.

A reverse proxy may be easier.
But your plan will probably work.
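
Added example (not part of any post in this thread, and not IPFire code): a small Python check that reads source-NAT rules in `iptables -t nat -S` format and reports which public IP each Orange client would leave with, plus any per-client rule that an earlier, broader rule makes unreachable. The chain name, interface and all addresses in the sample are constructed assumptions, and the model matches on source address only, treating the listed order as evaluation order.

```python
import ipaddress
import shlex

# Constructed sample in `iptables -t nat -S` format (not captured from a real system).
# Chain name, interface name and every address are assumptions for illustration.
SAMPLE_RULES = """\
-A NAT_SOURCE -s 10.0.2.12/32 -o red0 -j SNAT --to-source 203.0.113.12
-A NAT_SOURCE -s 10.0.2.0/24 -o red0 -j SNAT --to-source 203.0.113.11
-A POSTROUTING -o red0 -j MASQUERADE
"""

def parse_snat_rules(text):
    """Return [(source_network, egress)] in rule order; MASQUERADE maps to 'primary'."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        # Skip non-rule lines and negated matches ("!"), which this model ignores.
        if len(tok) < 2 or tok[0] != "-A" or "-j" not in tok or "!" in tok:
            continue
        target = tok[tok.index("-j") + 1]
        src = tok[tok.index("-s") + 1] if "-s" in tok else "0.0.0.0/0"
        net = ipaddress.ip_network(src, strict=False)
        if target == "SNAT" and "--to-source" in tok:
            rules.append((net, tok[tok.index("--to-source") + 1]))
        elif target == "MASQUERADE":
            rules.append((net, "primary"))
    return rules

def egress_ip(rules, client):
    """First matching rule wins, as in netfilter chain traversal."""
    addr = ipaddress.ip_address(client)
    for net, to_source in rules:
        if addr in net:
            return to_source
    return None

def shadowed(rules):
    """Rules that can never match because an earlier rule already covers their source."""
    out = []
    for i, (net, to_source) in enumerate(rules):
        if any(net.subnet_of(prev) for prev, _ in rules[:i]):
            out.append((str(net), to_source))
    return out

if __name__ == "__main__":
    parsed = parse_snat_rules(SAMPLE_RULES)
    for client in ("10.0.2.11", "10.0.2.12"):
        print(client, "->", egress_ip(parsed, client))
    print("shadowed:", shadowed(parsed))
```

If the per-client /32 rule ends up below the subnet-wide rule, `shadowed` lists it and that client leaves with the first alias, which is why rule order matters when each host is meant to have its own alias.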