IPFire as backend firewall?

Hey there, first post here!

I have a bit of a homelab that I’ve been tinkering with as a pandemic project, and after a few weeks of a simple network behind a pfsense firewall, I’m now trying to create a two-network setup with a DMZ and a protected network. As I understand it, in this configuration, the inner firewall, in this case IPFire, should be setup to only allow traffic from the DMZ, not the external network. From what I’ve read of the IPFire documentation, this is most commonly done with the red-green-orange configuration. However, since I’m trying to use a two-firewall setup rather than having one firewall take care of all the routing between external/DMZ/internal networks, I have IPFire using just the red-green configuration option, when I guess in reality, it should be an “orange-green” configuration, since the “red” interface in this case is on the frontend firewall (pfsense).

To clarify: I have two networks at the moment,, for which the default gateway is my pfsense box, and, for which the gateway is IPFire. pfSense is running on a physical host, while IPFire is virtualized on an ESXi host.

My question is, can I simply create firewall rules on IPFire to only allow traffic to and from Would doing so re-create the rules IPFire would automatically use if I was using the red-green-orange configuration? And if that’s the correct way to do it in this case, do I need a server in the DMZ to route traffic between the internet and the protected network? Because at the moment, I do already have internet connectivity within the protected network, I guess because I set the pfsense box to be the default gateway for IPFire, and since IPFire is the default gateway for the protected network, those two firewalls are already performing the necessary routing?

Thanks for any advice!

Start here.

And here.