IPFIRE with DMZ

Hi All

As per the screenshot, this is my actual architecture:

Fritz is connected to the internet and to the PCs/printer…
Fritz is connected via eth0 to IPFire, installed on a Barebone with 4 NICs and configured with RED/GREEN/ORANGE interfaces

Barebone eth1 is connected to a switch and then to the RPIs via GREEN
Barebone eth3 is connected to RPI3 via the DMZ (ORANGE)

On RPI3 I have an Apache listening on HTTP 86 and HTTPS 4555

  1. How do I access RPI3 via SSH on port 555?

  2. How do I access the RPI3 webserver?

  3. Is it correct that to access RPI3 I have to bounce from RPI1 or RPI2?

  4. Is it correct that from RPI3 I can ping and access RPI1 and RPI2? How can I avoid this?

Thanks a lot for your support
Vincenzo

You don’t need a firewall rule. Green can contact orange by default. Just run your ssh command on one of your green PCs, RPI1 or RPI2.

It depends where from. If from the green LAN, then just access it. If from the internet, then you will need a port forward on your IPFire and another port forward on your Fritzbox, as you have a double NAT situation.

I am not sure what you mean by “bounce”.

You can access the RPI3 from your IPFire green or red. Green is by default and red requires port forwards to be in place, but that is the answer to the previous question.

No. To access machines on green from your orange zone you will need firewall rules to create pinholes from orange to green.

Congratulations for the way you summarized your questions. It’s one of the best I have seen.

  • LAN: No special setup needed, GREEN can access ORANGE.
  • WAN: Possible through VPN, if you want to avoid opening port 555 by SNAT. Edit: DNAT.
  • LAN: Just use the local IP or split DNS returning the private IP of RPi3. Alternatively, RPI3 being in a different subnet than RPI1 and 2, you could access RPI3 from the green zone using a normal DNS returning the public IP, but then you need a Destination NAT (see next point).
  • WAN: Port forward rule (which requires a double NAT) or VPN.

Not necessary. If your laptop is connected to the green switch, the data path to RPI3 is through IPFire.

Should not happen by default.

Hi
thanks for your superfast answer… appreciated!
Point 1:
How to access RPI3 via SSH on port 555? You are right… I can contact RPI3 via RPI1 or RPI2 (so this is bouncing for me). But what about PC1 and PC2, which should be on RED? I’ve updated the rule, but it is still not working

Point 2: I’m on PC1, so in this case RED, and I have a double port forwarding.
On Fritz:


On IPFire:

thanks
v.

You need a port forward rule. From the point of view of the firewall, the traffic from PC1 or PC2 is coming from the WAN.

1 Like

In both cases, you need a port forward. I would try to port forward the two NATs using different ports. For example, in the case of the web server, port 87 on the Fritz and port 86 on IPFire. You need to modify the Fritz rule to port forward 87 and the IPFire rule by putting port 87 in External port (NAT) and 86 in destination port.
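A small Python model of the two-hop forwarding chain and the zone policy described in this thread, added here as an example (it is not code from the thread or from IPFire). All addresses, the hosts and the port tables are constructed assumptions; the web-server mapping follows the 87 → 86 suggestion above.

```python
# Constructed addressing (RFC 5737 / private ranges), not from the screenshots.
PUBLIC_IP = "203.0.113.10"            # Fritzbox WAN side
IPFIRE_RED = "192.168.178.2"          # IPFire RED, inside the Fritz LAN
RPI1, RPI2 = "192.168.1.11", "192.168.1.12"   # GREEN hosts
RPI3 = "192.168.2.3"                  # ORANGE (DMZ) host

# Hop 1: Fritzbox port forwards, public port -> (RED address, port).
FRITZ_DNAT = {87: (IPFIRE_RED, 87), 555: (IPFIRE_RED, 555)}
# Hop 2: IPFire DNAT rules, external port on RED -> (ORANGE host, port).
# Web: external 87 -> RPI3:86.  SSH: external 555 -> RPI3:555.
IPFIRE_DNAT = {87: (RPI3, 86), 555: (RPI3, 555)}


def zone_of(ip):
    """Classify an address into IPFire zones (constructed subnets)."""
    if ip.startswith("192.168.1."):
        return "GREEN"
    if ip.startswith("192.168.2."):
        return "ORANGE"
    return "RED"          # Fritz LAN (PC1/PC2) and the internet both look like RED


def zone_allowed(src_zone, dst_zone, dnat_applied):
    """Default zone policy as stated in the thread."""
    if src_zone == "GREEN":
        return True                   # GREEN reaches ORANGE without extra rules
    if src_zone == "ORANGE":
        return dst_zone == "RED"      # no pinhole into GREEN unless a rule is added
    if src_zone == "RED":
        return dnat_applied           # RED gets in only through a port-forward rule
    return False


def trace(src_ip, dst_ip, dst_port):
    """Follow one connection attempt; return (final_ip, final_port, allowed)."""
    dnat = False
    if dst_ip == PUBLIC_IP:                      # arrives at the Fritzbox
        if dst_port not in FRITZ_DNAT:
            return (dst_ip, dst_port, False)     # no first-hop forward: dropped
        dst_ip, dst_port = FRITZ_DNAT[dst_port]
    if dst_ip == IPFIRE_RED:                     # arrives at IPFire's RED interface
        if dst_port not in IPFIRE_DNAT:
            return (dst_ip, dst_port, False)     # no second-hop forward: dropped
        dst_ip, dst_port = IPFIRE_DNAT[dst_port]
        dnat = True
    allowed = zone_allowed(zone_of(src_ip), zone_of(dst_ip), dnat)
    return (dst_ip, dst_port, allowed)
```

Each exposed service needs an entry in both tables; HTTPS on 4555 is deliberately left out to show a request that dies at the first hop.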

Hi
thanks… I always try to summarize as much as possible… :slight_smile:
I tried to set up a source NAT with RED or ORANGE… but it is still not working.

v,

I would think DNAT
for the SSH rule.
Then source any to RPI3.
I would probably make a host group for PC1 & 2,
then use that as the source in the firewall rule.

1 Like

It’s DNAT. My brain went for a short circuit when I wrote my message. I corrected it.

Hi all
Yesssss, it works! SSH with DNAT… & of course double NAT.
Therefore I had to port forward twice: once in the Fritz and once in IPFire.

Now… let’s proceed with webserver issue…
Vincenzo

2 Likes

The webserver works too.
Solution: double NAT, double port forward

thanks guys
Vincenzo

2 Likes