I think it’s what @steven was suggesting in post 12. Those commands should create the network and bridge it to the green interface. After that, it should be visible in the web user interface.
Sorry, but I can’t understand how your 172.21.105.0/24 network can work without a gateway?! What is the network configuration on a client in this network (IP, DNS, GW)?!
And the most important: How can 192.168.5.0/24 communicate with 172.21.105.0/24 in your setup?
However: IPfire must be a part of the 172.21.105.0/24 network. If that subnet really doesn’t have a gateway, which I don’t think so, then ipfire will become the gateway for that subnet with my config of the screen on site A without the second route-line. Set up the IPfire IP of 172.21.105.0/24 as gateway on the 172.21.105.0/24 clients. Then you can tunnel with the respective remote subnets 10.2.44.0/24 and 172.21.105.0/24 and it will work. If you also want a connection from 10.2.44.0/24 to 192.168.5.0/24, you must set up a second tunnel with this remote subnet and it will work.
No, unfortunately it is not visible in the web interface, but it is there and can be used as a remote-subnet in the ip-sec-setup and Ipfire routes it accordingly.
Hi,
I cannot change the settings on site B.
I have set up IPSec tunnels before with the settings you mentioned and they were all working.
Hi Steven,
the thing is that site B is expecting that traffic over the Tunnel is coming from 172.21.105.0/24 and I sadly cannot change this.
Our setup has only green 192.168.5.0/24 and red.
That’s exactly the thing, how can it work without having a gateway.
It won’t, I guess. That’s the problem. Is this setup even possible with IPFire?
There actually won’t be any client with the address 172.21.105.x.
This subnet 172.21.105.0/24 is only needed for the traffic through the IPSec tunnel.
I now was thinking of making a vlan with Blue over the green NIC.
The new Blue VLAN would have 172.21.105.0/24.
Is it possible to make an IPSec tunnel with blue on site A and route the traffic from green over blue to site B?
What a bullsh*t.
If 172.21.105.0 has no clients, with what should the Site B communicate?!
You must change the remote-subnet to 192.168.5.0 on Site B or change your green network on Site A from 192.168.5.0 to 172.21.105.0. How else would Site B know where 192.168.5.0 is?!
@steven Can I ask you a question, since my understanding of routing is really poor? OP has made the point that Site B is administered by others and they have chosen (and I presume imposed on OP) to establish the tunnel with site A excluding its green network because it is mapped to 192.168.5.0/24, which is a network range also present on site B. This implies some sort of problem that requires a clear separation between the local network on Site A and the local network on site B.
My question is: does it? Is there really a conflict or a problem? To me it looks like this is perfectly compatible! And with “this”, I mean having similar network ranges at both ends of a tunnel.
Indeed it is bullsh*t, but unfortunately this is the way it has to be. I have no control over site B and they are unwilling to change anything on their site.
So Site A 192.168.5.10 sends a request to 10.2.44.10.
192.168.5.10 has to become e.g. 172.21.105.10 on site A through NATing.
10.2.44.10 sends the response back to 172.21.105.10, so site B knows where to send the response.
Is this somehow possible to do with IPFire or not?
I’m running out of ideas how I can implement this with only one green network.
Could it be possible to do this with 172.21.105/24 being VLAN Blue, or are there too many restrictions between green and blue?
Is blue even allowed traffic through IPSec?
I read for OpenVPN you have to configure specific routes in the openvpn config files in order to let blue through.
Sadly true.
Try this Site A setup:
/etc/sysconfig/firewall.local
add the line in start & reload:
ifconfig green0:0 172.21.105.1 netmask 255.255.255.0 broadcast 172.21.105.0
restart
setup and start your IP-Sec with 172.21.105.0/24
add firewall-rules
Source: 172.21.105.0/24 → Target: Green-Network
and
Source: 172.21.105.0/24 → Target: IP-Sec-Connection to Site B
(Try without NAT or with NAT in the firewall-rules)
I’m not sure if it’s still necessary to set a route for the subnet 10.2.44.0/24.
Try it…
Thank you, I did try it but no success.
Can you ping an IP from 10.2.44.0/24 via the IPfire console after the tunnel is up?
I think your best chance is to keep working with the command line using @steven’s strategy. The goal is to create an alias on top of green0 (green0:0) linked to 172.21.105.0/24. Then you create an SNAT, by command line if necessary, in the firewall from the green0 address range to the green0:0 address range.
Alternatively, you could try to create a blue0 dummy interface (see the same tutorial above, plus this one), link it to 172.21.105.0/24 and bridge it with green0.
Are you sure about the broadcast?
Regards
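The alias-plus-NAT approach from the firewall.local post and the SNAT suggestion just above, written out as one firewall.local-style script. This is an added example, not code from the thread or from the IPFire project. It assumes IPFire calls /etc/sysconfig/firewall.local with start/reload/stop, that the green interface is green0, and that the one-to-one mapping 192.168.5.x to 172.21.105.x is done with the iptables NETMAP target so that replies arriving for 172.21.105.10 are translated back to 192.168.5.10 by conntrack. The DRYRUN switch only prints the commands, which is how it can be tested offline and is a sensible first run on a live box too.

```shell
#!/bin/sh
# Added example in the shape of /etc/sysconfig/firewall.local (start|reload|stop).
# All addresses and interface names are assumptions taken from the thread.
GREEN_IF="green0"              # assumed green NIC
GREEN_NET="192.168.5.0/24"     # real green network on site A
NAT_NET="172.21.105.0/24"      # subnet site B expects to see through the tunnel
NAT_IP="172.21.105.1"          # IPFire's address inside that subnet (alias)
NAT_BCAST="172.21.105.255"     # /24 broadcast is .255, not .0
REMOTE_NET="10.2.44.0/24"      # site B's network behind the IPsec tunnel

# Run a command, or just print it when DRYRUN=1 (offline check before touching a box).
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Address a green host gets inside the NAT subnet: host part is kept, network part swapped.
# map_host 192.168.5.10 -> 172.21.105.10
map_host() {
    echo "${NAT_NET%.*}.${1##*.}"
}

# Secondary address on green0 so IPFire is "part of" 172.21.105.0/24.
alias_up() {
    run ifconfig "${GREEN_IF}:0" "$NAT_IP" netmask 255.255.255.0 broadcast "$NAT_BCAST"
}

alias_down() {
    run ifconfig "${GREEN_IF}:0" down
}

# 1:1 source NAT for traffic heading into the tunnel. NETMAP rewrites only the network
# part, and conntrack reverses it for the replies coming back from 10.2.44.0/24.
# $1 is the iptables action: -A to add, -D to delete.
nat_rule() {
    run iptables -t nat "$1" POSTROUTING -s "$GREEN_NET" -d "$REMOTE_NET" -j NETMAP --to "$NAT_NET"
}

# Allow the translated traffic in both directions through the FORWARD chain.
# Assumed chain name; IPFire's own chains differ, so adapt before use.
fw_rule() {
    run iptables "$1" FORWARD -s "$GREEN_NET" -d "$REMOTE_NET" -j ACCEPT
    run iptables "$1" FORWARD -s "$REMOTE_NET" -d "$NAT_NET" -j ACCEPT
}

case "${1:-}" in
    start|reload)
        alias_up
        nat_rule -A
        fw_rule -A
        ;;
    stop)
        fw_rule -D
        nat_rule -D
        alias_down
        ;;
esac
```

With this in place the IPsec connection on site A is configured with local subnet 172.21.105.0/24 and remote subnet 10.2.44.0/24, exactly as site B expects; the NAT happens in POSTROUTING before the IPsec policy lookup, so the tunnel only ever sees 172.21.105.x sources. A quick check after the tunnel is up is a ping from a green host to a 10.2.44.x address while watching conntrack entries for the 192.168.5.x to 172.21.105.x translation.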
Good find. I didn’t even look at that closely enough.
Maybe, I just presume the basics of network addressing.
To be exact: the network is 172.21.105.0/24 with IPFire 172.21.105.1, netmask 255.255.255.0, broadcast 172.121.105.255.
haha… Maybe it’s a “fast fingers” error …
This. Of course you are right. But that’s not the reason whether it works or not.
Yes, I did, without success.
I did use 172.21.105.255 as broadcast