My construction at the moment is:
I have a “Fritzbox” Router configured as PPPOE Modem, then after the “modem” the IPFire is connected at “Red”. And at “Blue” there is another Fritzbox connected as Wireless Router and DECT Station.
This works perfect so far…
But: Before I set up the Fritzbox to “Connection to an external Modem or Router” I was able to set up in my Fritzbox that devices in my Guest Wifi Network can’t talk to each other…
Since the DHCP and Firewalling now is managed by the Ipfire it is not possible anymore to set this feature in the Fritzbox.
So: at the moment I can set up a Guest Wireless-Network in the Fritzbox but it has no advantage… the mobile phones and so on are also normal devices in my WLAN and can talk to each device of “blue”.
They also have the same IP - they are in the same network as all other devices…
As already said: the option “Devices are not able to talk to each other” is not available anymore since I changed my settings at the Fritzbox.
The only thing I am able to configure in the Fritzbox would be: "use the settings from the Fritzbox that is used as “Internet Router”…
Is there a way to set up the Ipfire so that it tells the Fritzbox that devices in the guest Network can’t talk to each other anymore?
I really don’t want to set up a third Wireless Router
Also read this at the internet…
Would be if very cool I could if I could set up a Guest Network directly at the first Fritzbox that is configured as PPPOE modem…
But thats not possible how it looks like - the Fritzbox can’t pass the Internet that is set up by the IPFIRE to the WLAN…
And I really don’t like to set the first Fritzbox up as standard Accesspoint… because then I have to deal with the Firewall of the Fritzbox also…
I guess this would make the things (like portforwarding) a lot more complicated…
I’ll have a look if there is an option with an alternative Software called “Freetz-ng” to use the Internet of the PPPOE connection… thats my only approach I have at the moment…
From IPFire Web User Interface, create a new rule. Source: blue; Destination: blue; Protocol: all and drop or reject. Click on Add and then Apply.
You won’t be able to connect to anything but the red interface.
In alternative, if you set up a functional proxy, you can select Firewall/Firewall options/Firewall options for BLUE interface/Drop all packets not addressed to proxy. But then you need to set a similar rule in Squid ACL to prevent connections to other blue machines.
If you want to have a privileged blue user, you can always use the VPN. For example, if you set up OpenVPN, you can have your privileged machine connecting to Blue, establishing a tunnel and then it will have all privileges you assign to the VPN service.
To the rule: Block all from Blue to blue:
If I for example set up that a specified blue host, that is able to talk to another blue host and then afterwards do a rule to drop all other packages - like you wrote in your last comment - I guess this might be the answer to my problem?!?
Then the “only thing” I would have to set up are the “privileged” devices that are able to talk to each other…
Thank you - I’ll try that one and hope that they are not able to connect to each other just by sending their packages over the WLAN directly…
Tried it: not possible: Source and destination are identical.
Theres a way: when you define a group that “blue” is in and say: Group is not allowed to send to “blue” - but this doesn’t work… the Fritzbox sends the WLAN requests directly…
so only option 2 would be a possibility…
Thank you!
EDIT2: You need first to have an allow rule for the gateway as well. Edited the example.
You could try to use IPTables directly. For example, In IPFire, the /etc/sysconfig/firewall.local file can be customized to define your own rules. To block all traffic within the BLUE network, you could add the following IPTables rules, the first in the start) sections and the next rule in the stop) section:
Start:
iptables -A CUSTOMFORWARD -s [BLUE_SUBNET] -d [BLUE_GATEWAY] -j ACCEPT
iptables -A CUSTOMFORWARD -s [BLUE_SUBNET] -d [BLUE_SUBNET] -j DROP
-A: Appends the rule to the end, so it gets evaluated last.
-I: Inserts the rule at the beginning, so it gets evaluated first.
Replace [BLUE_SUBNET] with the CIDR notation for your BLUE network, e.g., 192.168.2.0/24 and [BLUE_GATEWAY] with the address of IPFire in teh blue network (e.g. 192.168.2.1).
Restart the firewall service for changes to take effect.
/etc/init.d/firewall restart
Do you mean that the routed packets will not pass through IPFire but will be routed directly by the Access Point? If your fritzbox is bridged to IPFire and IPFire is the DHCP server, all the packets should be routed by IPFire as well.
But if 2 devices are logged into the Wireless Lan and have the same IP-address-range and one of them wants to send a package to the other one it doesn’t need to be routed and is sent directly…
That also tells me traceroute → only one hop… → Mobile phone directly was pinged without Ipfire in between…
I gave my phone the IP 192.168.174.128, configured it so that MacAdress Filter is allowed and it is allowed to the internet…
Now I set in the WLAN-Accesspoint an IP-Route that everything that goes to 192.168.174.128 (Subnetmask 255.255.255.255) should be sent to 192.168.174.1 (the IP of the IPfire)…
Now Internet on the phone is working… but connection to another device in the WLAN is not possible anymore because IPFire blocks it…
Despite of IPfire itself… there the connection can be established…
But: how do I set up a wide IP-Route? I guess through the Subnetmask… but hell… I guess I’m to dumb to calculate it after about 20 years not needing it anymore…
Yep… but with Mac Address Filter on Blue that is always the case…
But fortunately most mobile phones use the same MAC address again when connecting the same WLAN Network…
Managed it by using 255.255.255.128 and the first IP I use is .129
Hello! I try to replicate this, but for devices in the green network. The situation is a little bit different, but if Ipfire really is solely responsible for the routing, this should not present a problem. Would be nice, if an experienced user could give me feedback here.
In general I want to achieve client isolation in the same subnet. I think a better way to realize is this with vlans or with two different physical APs. But at the moment I just have the fritzbox ap at hand (also 1 Ap is more energy efficient).
My wifi fritzbox AP is on green NIC and I have devices here, that are supposed to connect to the internet but not to other green hosts. I assigned the client that is in green and shall be restricted the ip 192.168.4.20, ipfire is on 192.168.4.1, the ap on 192.168.4.2
I applied these rules for etc/sysconfig/firewall.local
iptables -A CUSTOMFORWARD -s 192.168.4.20 -d 192.168.4.1 -j ACCEPT
iptables -A CUSTOMFORWARD -s 192.168.4.20 -d 192.168.4.0/24 -j DROP
iptables -A CUSTOMINPUT -s 192.168.4.20 -d 192.168.4.1 -j ACCEPT
iptables -A CUSTOMINPUT -s 192.168.4.20 -d 192.168.4.0/24 -j DROP
iptables -A CUSTOMOUTPUT -s 192.168.4.20 -d 192.168.4.1 -j ACCEPT
But still, no success, the phone can still ping all devices in the green subnet, traceroute is completed with only one hop.
I was expecting, that the packages will be routed from 192.168.4.20 to 192.168.4.1 and everything that is not directed to 192.168.4.1 will de droped… Where is the flaw here?
Hi Adolf, I assumed so, but why was the “trick” of tobias with the static IP route working than? In general he was describing the same situation, didn’t he?
No he mentions about using a subnet mask of 255.255.255.255 instead of 255.255.255.0 which means his subnet consisted of a single machine, although I am not sure I would expect that to work as the subnet caclulateor I used said that means 0 usable hosts.
Later on he mentions a subnet of 255.255.255.128 but I can’t easily tell from the post which IP’s he is trying to prevent talking to which other IP’s and his situation is also on the Blue network which may or may not make a difference.
Certainly on green with a subnet of 255.255.255.0 your network address of 192.168.4.0/24 gives you a single subnet of IP’s ranging from 192.168.4.1 to 192.168.4/254 which means all of those IP’s can communicate with each other without going through IPFire.
So does this mean there is no possible stativ IP route that I can put into the AP that will prevent direct communication between the clients? The Phone I wish to isolate has IP 192.168.4.20 and I pinged a PC on 192.168.4.10.
