Is there a reason we cannot assign interface IP addresses in the web interface?

I’m just starting and I don’t come with any expectations of ipfire, but it has a web interface and it appears to make everything quite simple and usable for me, yet this most basic setting that I am used to looking for in a firewall is missing.

Is the normal course of action really to re-enter the setup process? Or would advanced users edit a config file directly, with the setup process being the hand-held version provided for beginner users?

Yes.

I’m not sure that this is something that needs to change often or ever.
But it is easy enough to do.

5 Likes

To assign a new IP to an interface, the NIC must be disabled, and if you disable it the web server is not working anymore and the browser loses the connection.

There are possible ways to work around this, but this is complicated and it is easy to lock yourself out of the config entirely.

6 Likes

All modifications which can influence the network connection to IPFire should be done from console!
There may be ways to work around, but because these depend on both sides of the connection there is no easy implementation.
This ‘roaming’ doesn’t occur permanently. So the development (and testing!) effort is too high.
Just my opinion.

1 Like

It’s just a very regular feature in most other firewalls: you change the IP, the port goes down and comes back up, and obviously you lose your connection and must go find it again on its new IP.

If there are technical reasons why this is a pain to implement in ipfire I understand it. But you all must be aware how quirky this is for newcomers.

I would expect the opposite: many newcomers coming here to ask why they cannot access the WUI anymore.

4 Likes

If you have set up IPFire on hardware that allows for a “console” connection like ILO or IPMI, then that is no longer an issue, since you can always access the computer via that interface.

Out of band management
If you have a computer that lacks that feature, you will have to access it physically for some changes.

2 Likes

Having a remote, out of band access to my firewall would terrify me. I would never, ever, under any circumstances have my firewall reachable in such a way from the WAN side. However, I understand that as a hobbyist, my needs are very different from professional settings. Still, I think it is a bad idea (for a firewall).

EDIT: if I could not afford to have the firewall down when I am not physically capable of accessing the machine, I would rather use a solution like keepalived.

1 Like

Well, you would only allow access to layer 2 devices, as in devices on your own LAN.

Any other access should of course be hardened by means of VPN and/or MAC filtering via RADIUS and similar measures. I am not saying you should just leave it open.

Even on your local LAN you can, depending on the version of the targeted out of band device, set several limitations.

1 Like

The terminal with the setup running will lose its connection too :wink:

Yes, because the terminal, or SSH, goes to the same IP as the firewall.

So it will obviously lose connection if you change the setup.

We are not talking about the SSH console, but the main console of the IPFire system. This is a serial port with ‘embedded systems’ ( PC Engines APU boards or the Mini Appliance ) or the standard KVM interface of PCs.

4 Likes

No, please re-read the subject again. The OP clearly asked for changing, or better assigning, IP addresses in the web interface and someone explained, if this would be possible, this would result in losing the connection to IPFire.
Followed by a possible restart of the internal web server.

I just added that when using an SSH terminal and running IPFire’s setup to change some interface’s IP address, this would result in an interrupted connection, too. :wink:

1 Like

The reasons for a lack of setting IP addresses ( configuration of networking ) in the WUI are true for SSH also.
Therefore it was evident ( for me ) that we talk about access to configuration on the network or the system console.

IMHO, someone who can manage a problem in cutting the access, is able to access the system console and do the config there. In general, the system console approach is less error-prone ( Cut not the bough that you are standing upon ).

So, the internet changes IPs at boot, or the ISP has DHCP on, not a static IP?

If so, you can just set the RED interface to DHCP and it should change the IP as the ISP hands them out.

Making it a set and forget.

Then, if you are running a server, you could use Dynamic DNS: pick one from the pull-down and set up an account to share your server.

It just sounds like that is what is happening, being that the IP changes on the RED.

The main topic of this thread is configuration of the network through the WUI ( which is reached by the network itself ).

I just repeat: Cut not the bough that you are standing upon. :wink: