Ipfire DMZ network and VPN IPSEC

Hi everybody,

I have a problem to set up a rule on my firewall.

I have a reverse-proxy server (@IP in my DMZ of my local Ipfire Firewall. I have a machine at Amazon AWS (@ which is connected by an IPSEC VPN to my local Ipfire firewall.
I try to make the machine at AWS communicate with the reverse-proxy server in my DMZ (at first, only through the ping command (ICMP protocol)).

Can I set up a rule from the IPfire dashboard in “Firewall rules” or do I have to set up an iptable CUSTOM rule on the command line in “/etc/sysconfig/firewall.local” ?
I can’t build this rule to for example already allow ICMP protocol :frowning:

Can you help me please ?
It seems that the problem I am experiencing is similar to the one posted by another user:

From my Green interface…I have no problem reaching the AWS network. The problem is just to my DMZ or my Wifi network (Blue).

Should I add a static route ?
I don’t see what route I should put since the firewall knows how to route the traffic to the concerned networks (DMZ, BLUE, GREEN and AWS ipsec).

I would like to know if according to you I forgot something except the only rule of the firewall which says to allow:

SOURCE: IPsec at AWS selected
NAT: Source NAT checked to the ORANGE network interface (DMZ of my firewall.
DESTINATION: (my machine in the DMZ)

Any idea ?


I tried to implement the following iptables rules:

iptables -A IPSECFORWARD --in-interface orange0 --source --out-interface ppp0 --destination --jump ACCEPT
iptables -A IPSECFORWARD --in-interface ppp0 --source --out-interface orange0 --destination --jump ACCEPT
iptables -A IPSECFORWARD --match policy --dir out --pol ipsec --mode tunnel --tunnel-dst --tunnel-src --in-interface orange0 --source --out-interface ppp0 --destination --jump ACCEPT
iptables -A IPSECFORWARD --match policy --dir in --pol ipsec --mode tunnel --tunnel-dst --tunnel-src --in-interface ppp0 --source --out-interface orange0 --destination --jump ACCEPT

…but without success…the traffic does not pass :frowning:
Here is a small diagram of what I want to achieve if it can help you to see more clearly


As a reminder, the machine at AWS ( can currently reach the machines in the LAN (in green).
I also want that to be able to reach (located in the DMZ in orange).


Hi everybody,
Please help…no one has any idea how to do this ?

You try to make a private ip ( reachable from the outside (AWS). That is not possible.Given that the reverse proxy (rp) on orange is only reachable via port forwarding (see here: Default rule set) you can’t route icmp messages through since the only routeable address you can ping from outside is the external ip of your ipfire appliance. So just scrap the whole icmp endeavour and concentrate on the ipsec <-> orange problem. You will need a route from the ipsec subnet into your dmz. Unfortunately I can’t help you there as I don’t use ipsec. :frowning:

Hi @dal8moc
Thank you for your answer :wink:

The machine in the DMZ ( - network in ORANGE on my diagram) is used as Reverse Proxy. It is accessible from the LAN (GREEN network on my diagram) and even from outside (RED interface on ipfire) thanks to rules in the Ipfire Firewall.
So on this side…I don’t have any problem of accessibility with the DMZ from the outside to the internal services (either on the LAN or in the DMZ).
Actually, the only traffic that works through the ipsec VPN connection is the one between the LAN (in green on my diagram above) and the VPC at AWS.

My problem is that I am setting up a new service on my VPC at AWS and I don’t want to expose this service in frontend on the net.
I want the traffic to access this service to go through my reverse proxy ( in my DMZ which will forward this traffic to my VPC at AWS.

Many thanks

Thanks for clarification. After looking through your posts I think the second fw rule from the ipsec net TO the orange net should be the right place. Though the interface seems wrong. the ipsec net isn‘t recieving its packets from ppp0 but from tun0 or the like. I don‘t know the exact name - you should look it up and adjust that rule accordingly. Any luck?

Hi everybody,

I thought I had found the solution with a PREROUTING rule but obviously not :frowning:
My DMZ still doesn’t communicate through my IPSEC tunel to Amazon AWS !

I can get my LAN to communicate to the IPSEC tunnel but not my DMZ…does anyone have a solution with an iptables rule ?

Many thanks

if you have a custom rule in firewall.local, maybe it should be CUSTOMPREROUTING


Thank you @jon Jon for this reminder.
Until now I didn’t have PREROUTING rules in custom because I use more “CUSTOM” for INPUT or FORWARD (CUSTOMINPUT or CUSTOMFORWARD). When I will find the right syntax I will put the rule in “CUSTOM” :wink:
What I need for now is to know how to allow my DMZ to talk through IPSEC with my machine at Amazon AWS :wink:
Many thanks

Hi Everybody,
I finally decided to install Bird on my Ipfire FW and do the BGP configuration for the VPN tunnel between AWS and us.
It’s the easiest way to set up the routing and it’s working well so far :wink:
I asked @ms for help and I thank him for his work :wink: