IPFire plugged into Fritz!Box 6590/6591 as cable modem

If I understand your setup, this NAS is directly on your Fritzbox. I guess yes, because the IP is in the same range as your Fritz and your red IPFire. So I see no problem: you can reach your NAS from Fritzbox --> NAS, your NAS is not reachable from outside, as you want, and you can reach your NAS from green.
I can't see any problem; to me it all looks OK.

But I do not really understand why you are not thinking about using orange?

Because I do not want the NAS to be reachable from the Internet. There are many sensitive and private files on it that could be accessed if any security breaches exist now or in future.

I thought about adding a static route to my fritzbox. Let me give some details of the current and working setup with ipfire as exposed host:

Fritzbox: IP-address 172.17.0.1, netmask 255.255.255.0
IPFire red interface: static IP-address 172.17.0.2, netmask 255.255.255.0
IPFire gateway red interface: 172.17.0.1

This setup works almost perfectly now. E.g. I can access the fritzbox from green/red and all clients in green can access the internet.

Would adding a static route on the fritzbox solve my issue?
The CardDAV server has got the IP-address 192.168.6.96.

I already tried to add this route: network 192.168.6.96, mask 255.255.255.255, gateway 172.17.0.2 - to no avail so far!

Michael

The CardDAV server needs an IP in the range of 172.17.0.x.

OK, that’s bad because I cannot change the IP-address of the NAS where the server is running.

This NAS still must be reachable from green with network setup 192.168.0.1/16.

Michael

It's a little bit hard to follow you. You changed the whole subnetting without telling :wink: You don't answer my question of where exactly this NAS is. From your new posting, my new guess is that it's in green? Is this correct?

Sorry for the confusion, my bad. I had to change the IP-addresses both from Fritzbox and the exposed host setup in Fritzbox, too, since I was using a range that is not private.

Let me restart and hopefully it’s a bit clearer :grinning:

This overview still applies:
Vodafone -> FritzBox 6590 -> Firewall (exposed Host) -> LAN -> Synology NAS

IPFire red setup: 172.17.0.2, mask 255.255.255.0, gateway 172.17.0.1
IPFire green setup: 192.168.0.1, mask 255.255.0.0 (no typo, the mask is correct)
IPFire orange setup: 172.19.0.1, mask 255.255.0 (not applicable here)

Fritzbox setup: 172.17.0.1, mask 255.255.255.0
IPFire set up as an exposed host in Fritzbox: 172.17.0.2

Synology NAS in green network: 192.168.6.96 (= where CardDAV server is running)

As mentioned, the Fritzbox is basically capable of accessing a CardDAV server; in my case this should be 192.168.6.96. This fails, however, for obvious reasons.

I thought about adding a static route in the Fritzbox to the NAS, but I’ve no clue if this will work at all and if so, what this route should look like.

Michael

So the Fritzbox cannot know where to find the subnet 192.168.x.
You have to tell your plastic box where it can find it :wink:

This is obvious :thinking: So how would one do this? I supposed adding a route is enough…but how to set this one up?

I am sure today's top answer to this situation in the forum is RTFM; I am sure we'll find a better solution :wink: SCNR :wink:

I am not really sure about

https://de.avm.de/service/fritzbox/fritzbox-6590-cable/wissensdatenbank/publication/show/581_Statische-IP-Route-in-FRITZ-Box-einrichten/

So as gateway you take your IPFire red, and for “IPv4-Netzwerk…” (IPv4 network) you enter 192.168.6.0.

I now did it as follows, to no avail :neutral_face:

static route

Try 255.255.0.0

Btw. is your forwarding correct from Fritz to Syno green?

Good catch: I did not add any forwarding so far until now.

I’m not the expert for port forwarding and unfortunately each FW rule I tried so far did not succeed.

IMO the FritzBox is equal to an external host that tries to get access to a server behind the firewall. So I tried as source: any/red and for destination the IP-address of the CardDAV server with or without DNAT to no avail.

Additionally I focused on setting up a rule similar to this one for the orange network:


and configured the FritzBox phonebook to use one of my DynDNS addresses to access the Synology behind the firewall. No luck either.

So for today it’s enough :grinning:

Source any is the worst choice you can make. Don't forget you now have an exposed host. The only thing that saves your “popo” :wink: is IPFire. That's why I ask for a forwarding with the Fritzbox as source, but not any. Not a good idea.

You need a “normal” Forwarding Rule like the one described in the wiki for port 80.

https://wiki.ipfire.org/configuration/firewall/rules/port-forwarding/red_to_server_on_green

Again, don't forget to change the source thing :wink:

As for the port, I am not sure at the moment what's needed for CardDAV. I am sure we'll get the rest :wink:

I’ve added a forwarding rule as described in the wiki and changed the source to RED or network 172.17.0.0/24 or source address 172.17.0.2

None of them worked. BTW, I still use the static route with 192.168.6.0/24 and gateway 172.17.0.2.

The URL to CardDAV server is still https://192.168.6.96/baikal
The CardDAV server listens on port 80 but the Fritzbox mandatorily needs an https URL. In a browser (from green) I can access the CardDAV server with http as well as with https.

Before putting the Fritzbox in front of IPfire, running it in green for some basic setup, the https URL was no problem at all for accessing the CardDAV server. Hence, basically it should work.

Michael

There are a few things that confuse me at the moment. You say it runs on port 80 but you must configure https. I don't understand this at the moment.

Can it be that the normal web GUI runs on port 80 or port 443 to configure things, but the CardDAV thing runs on another port that neither of us knows at the moment? That sounds more logical to me.

I agree that's a very blind guess… :wink:

I use the very same CardDAV URL in Mozilla Thunderbird as well on my Android smartphone, in both cases: http://192.168.6.96/baikal

Without any given port, hence I bet it’s a “normal” web server that runs the CardDAV service.
OTOH, I too can access this server using https without any problems. Of course Firefox complains about the missing certificate.
As previously told, at the time the Fritzbox ran in green, https was also not a problem.

The WebIF in the Fritzbox only allows an https URL for accessing a CardDAV server, which works OK from green.

Michael

But you cannot know what port they use internally. They can use anything totally different.

If everything was in green, it was maybe no problem, because all ports and all services can reach each other. As I said, it's a very blind guess and does not really make sense at the moment, because I don't know it at the moment. So do not really care about what I'm telling you at the moment :wink:

Maybe, but when accessing the server from Firefox from my PC from green, it does not matter if using https or http.

So it should not matter when accessing the very same URL from another client like the Fritzbox, if the server from green can be addressed from the Fritzbox by forwarding any port, e.g. 80 or 443 and/or using a static route.

At least that’s my basic understanding…
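
Added example, not part of the thread and not IPFire or AVM code: a small Python model that checks the static routes and firewall rule sources mentioned above against a packet from the Fritzbox to the NAS. It assumes the Fritzbox sends from its own address 172.17.0.1, that the https URL means TCP port 443, and that the rule simply admits routed traffic to the NAS; the single-host source 172.17.0.1/32 is an extra candidate not tried in the thread.

```python
import ipaddress as ip

# Addresses from the thread; port 443 is an assumption (https URL, no port given).
FRITZBOX, IPFIRE_RED = ip.ip_address("172.17.0.1"), ip.ip_address("172.17.0.2")
NAS, PORT = ip.ip_address("192.168.6.96"), 443

def next_hop(static_routes, dst):
    """Longest-prefix match over a model of the Fritzbox routing table."""
    table = [(ip.ip_network("172.17.0.0/24"), "direct")]
    table += [(ip.ip_network(net), ip.ip_address(gw)) for net, gw in static_routes]
    hits = [(net.prefixlen, hop) for net, hop in table if dst in net]
    # No covering route: the packet leaves via the default route (cable WAN).
    return max(hits, key=lambda h: h[0])[1] if hits else "default"

def admits(rule_src, pkt_src, pkt_dst=NAS, pkt_port=PORT):
    """Simplified forwarding rule: allow rule_src -> NAS on TCP PORT only."""
    src_ok = rule_src == "any" or pkt_src in ip.ip_network(rule_src)
    return src_ok and pkt_dst == NAS and pkt_port == PORT

def exposure(rule_src):
    """How many IPv4 source addresses the rule lets through."""
    return 2**32 if rule_src == "any" else ip.ip_network(rule_src).num_addresses

def evaluate():
    """Check the routes and rule sources from the thread for Fritzbox -> NAS."""
    routes = ["192.168.6.96/32", "192.168.6.0/24", "192.168.0.0/16"]
    # Last entry is an added candidate (Fritzbox's own address), not from the thread.
    sources = ["any", "172.17.0.0/24", "172.17.0.2/32", "172.17.0.1/32"]
    return {
        "no_route": next_hop([], NAS),
        "routes": {r: next_hop([(r, str(IPFIRE_RED))], NAS) for r in routes},
        "sources": {s: (admits(s, FRITZBOX), exposure(s)) for s in sources},
    }

if __name__ == "__main__":
    result = evaluate()
    print("without static route ->", result["no_route"])
    for route, hop in result["routes"].items():
        print(f"route {route:<18} -> next hop {hop}")
    for src, (ok, size) in result["sources"].items():
        print(f"source {src:<15} admits Fritzbox: {ok!s:<5} addresses allowed: {size}")
```

In this model all three routes hand the packet to IPFire red, while a rule with source 172.17.0.2 (IPFire's own red address) never matches traffic that originates from the Fritzbox.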