How to restrict the access from blue network?

Ok, the good things first, I have learned something about VLANs. I configured some VLANs on my switch and got it connected to my AP.
But the problem why I started this thread still exists. When connected to the guest wlan network (BLUE) it is separated from the GREEN. I can’t ping any of the other clients, but the IPFire: it is still possible to connect to it from the BLUE network. The GREEN and BLUE networks have different subnets and the IPFire routes between both subnetworks.
Any idea where to check to get the BLUE restricted?

1 Like

By connecting to the IPFire I take it you mean the WUI.
This is the default situation. You can access the WUI from both Green and Blue, but whoever accessed the WUI would still need to know the password.

However you can prevent all blue accessing the WUI by following the section titled
“Deny blue clients access to the IPFire web interface” near the bottom of this wiki page link.

https://wiki.ipfire.org/configuration/firewall/accesstoblue

Yes I mean to connect to the wui from the blue.

That’s what I did, I followed the mentioned guide above, but for some reason there’s still access to the wui?

After adding the lines into firewall local, did you reload the firewall or reboot IPFire. That is needed to include the rules.

See following link for reloading the firewall with firewall.local

https://wiki.ipfire.org/configuration/firewall/firewall-local

If you did reload the firewall, then I have no idea why blue can still access the wui.

1 Like

:thinking: What if…
Some enabling rule is “higher” than the blocking rule in WUI → Firewall Rules?

1 Like

My understanding is that the firewall.local rules are run before you even get to the WUI rules so any “enabling” rule would have to be earlier than firewall.local.

Somewhere in the wiki there is a diagram showing the order of all the firewall rule chains in IPFire and you can then look at the actual rules in each chain in the WUI under the iptables menu item.
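To make the two earlier points concrete (the firewall.local deny rules from the wiki section, and checking where those rules sit relative to the WUI rule chains), here is an added example in the shape of a firewall.local snippet. It is not the wiki's own text and not code from anyone in this thread. It assumes the blue interface is named blue0, that the WUI listens on TCP 444 (HTTPS) and TCP 81 (HTTP), and that rules from firewall.local land in the CUSTOMINPUT chain; check all three against your own IPFire before using it.

```shell
#!/bin/sh
# Added example (not from the thread or the IPFire wiki): a firewall.local-style
# snippet that rejects WUI connections from the BLUE zone, plus the checks to run
# when the rule is in place but blue clients can still reach the WUI.
# Assumptions to verify on your own box: blue interface is blue0, the WUI listens
# on TCP 444 (HTTPS) and TCP 81 (HTTP), and rules added from firewall.local go
# into the CUSTOMINPUT chain, which is walked before the chains built from WUI rules.

BLUE_IF="${BLUE_IF:-blue0}"
WUI_PORTS="${WUI_PORTS:-444 81}"
IPT="${IPT:-/sbin/iptables}"

# Compose one iptables command as text. $1 is -I (insert at top of chain) or
# -D (delete), $2 is the destination port. Returning text lets the rule be
# reviewed before anything touches the kernel.
wui_deny_rule() {
    printf '%s %s CUSTOMINPUT -i %s -p tcp --dport %s -j REJECT --reject-with tcp-reset' \
        "$IPT" "$1" "$BLUE_IF" "$2"
}

# All rules this script manages, one per line, for the action given in $1.
wui_deny_rules() {
    for port in $WUI_PORTS; do
        wui_deny_rule "$1" "$port"
        printf '\n'
    done
}

# These two are what belong in the start) and stop) cases of firewall.local.
apply_rules()  { wui_deny_rules -I | sh; }
remove_rules() { wui_deny_rules -D | sh; }

# Diagnostics for "rule is there, blue still gets in":
#  - list CUSTOMINPUT with counters and open the WUI from a blue client; a
#    packet counter stuck at 0 means the traffic never matches this rule
#    (wrong interface name, different port, or the client is not on blue);
#  - dump INPUT to see at which position CUSTOMINPUT is jumped to, i.e. whether
#    anything earlier in INPUT could already have accepted the connection.
show_status() {
    "$IPT" -L CUSTOMINPUT -v -n --line-numbers
    "$IPT" -S INPUT
}

case "${1:-dry-run}" in
    start)  apply_rules ;;
    stop)   remove_rules ;;
    status) show_status ;;
    *)      wui_deny_rules -I ;;   # default: only print what would be installed
esac
```

Run it with no argument first to see the exact commands it would issue; `status` is the check to run from a root shell on the IPFire after reloading the firewall, while a blue client tries to open the WUI.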

I rechecked both entries for any mistakes, but everything is as in the guide mentioned, of course I changed the IP addresses matching the blue zone.
Yes I reloaded and rebooted the script/IPFire.

That was one of my ideas as well, but I have only some rules for the ORANGE zone set, not for the BLUE.
Just to be sure I unchecked/disabled all firewall rules temporarily to check if one of these rules is misconfigured, but no change, the wui is still available.

4 Likes

Are you using the proxy as well? See: Example entry in the squid.conf file to deny to the blue network access to the IPFire machine.