Make server reachable in IPFire DMZ

Hello,
I have a big problem.

Until now my Nextcloud server was connected directly to the Fritzbox and was reached via port forwarding which worked very well.

Now I have given the IPFire computer an extra network card to be able to realize a DMZ.
So I have an IPFire firewall behind the Fritzbox with an orange (DMZ) and green (private LAN) network.

So far, the only thing in the orange DMZ network is the Nextcloud server.

IP networks/addresses:

Fritzbox
192.168.1.0/24

IPFire red interface
192.168.1.244

IPFire green interface
192.168.150.0/24

IPFire orange interface
192.168.180.0/24

How can I make the Nextcloud server reachable from the Internet?

The DMZ is reachable from the green network, but not from the red network (Internet).

What do I have to set on the Fritzbox?
Port forwarding and/or a route?

What do I have to set on the IPFire ?

On the net I found nothing except stuff that was incomprehensible to me.

It can't be that difficult, because a DMZ is there to be reachable from the Internet.

I would be very grateful for help.


Hi @perlian, welcome to the IPFire Community

I am presuming that you cannot put the Fritzbox into Bridge mode (Some Fritzboxes do not have that option).

In that case then you have the Fritzbox as a router followed by IPFire also as a router so you are double NAT’d. Therefore you need a Port Forward rule on both the Fritzbox and on IPFire.

On the Fritzbox you need a Port Forward rule similar to what you already had working but its destination needs to be 192.168.1.244 - the Red interface on IPFire.

On IPFire you need a Port Forward rule going from the Red interface to 192.168.180.x where this is the IP address of your Nextcloud server on Orange.

Take care with the Port numbers if you use different ones for source and destination on the Fritzbox. The destination Port number on the Fritzbox then needs to be the source Port number on the IPFire Port Forward rule.

The standard default is for Green to be able to reach Orange. Red cannot reach Orange by default, without the Port Forward rule to allow it.

Hello,
I also had this idea, but did not try it out.

But I will do so now.

The problem is that a webserver is directly connected to the Fritzbox and the Nextcloud is in the orange zone of the IPFire.

So I will route port 443 for Nextcloud to the red network of the IPFire and use port 80 for the webserver at the Fritzbox.
Thanks for your answer.

Hi Norbert! Welcome to the IPFire Community!

This might help:
https://wiki.ipfire.org/configuration/firewall/rules/dmz-setup

Keep in mind that you probably need both port 80 and 443 redirected to your Nextcloud server in “orange” for Let's Encrypt to work and update your certificates properly! If you split the redirection to port 80 and 443 between two different servers behind the Fritzbox, you might experience some strange effects…

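The two answers above describe one chained procedure: a Port Forward on the Fritzbox to IPFire's Red address, a second Port Forward on IPFire to the Orange host, the destination port of the first rule matching the listening port of the second, and (for Let's Encrypt's HTTP-01 challenge) ports 80 and 443 ending up on the same server. The following is an added example, not IPFire or Fritzbox code and not from anyone in the thread: a small Python model that traces an inbound TCP connection through both NAT hops so you can check a planned rule set before clicking it into two web interfaces. The addresses 192.168.1.244 (IPFire Red) and 192.168.180.0/24 (Orange) come from the thread; the Fritzbox LAN address 192.168.1.1, the Nextcloud address 192.168.180.10 and the webserver address 192.168.1.50 are assumptions for the example.

```python
"""Trace a connection from the Internet through a double-NAT chain.

Added example for the IPFire community thread; not IPFire/Fritzbox code.
Models only destination NAT (a Port Forward), which is what both devices
do here.  Each device either rewrites the packet to the next NAT device
or to a final host; an inbound port with no rule is dropped, which is
IPFire's default for Red -> Orange.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Addresses from the thread
IPFIRE_RED = "192.168.1.244"
# Assumed addresses for the example
FRITZBOX_LAN = "192.168.1.1"       # Fritzbox's own LAN address
NEXTCLOUD = "192.168.180.10"       # Nextcloud on Orange
WEBSERVER = "192.168.1.50"         # second server directly on the Fritzbox LAN


@dataclass(frozen=True)
class PortForward:
    """One Port Forward rule: traffic arriving on ext_port is rewritten to dst_ip:dst_port."""
    ext_port: int
    dst_ip: str
    dst_port: int


# A NAT device is (its own address on the upstream side, its rule list).
Device = Tuple[str, List[PortForward]]


def trace(ext_port: int, chain: List[Device]) -> Optional[Tuple[str, int]]:
    """Follow a TCP SYN arriving on ext_port at the first device in the chain.

    Returns (final_ip, final_port), or None if some hop has no matching rule
    (the packet is dropped there).  The chain continues to the next device
    only if the previous hop's rule pointed at that device's address.
    """
    port = ext_port
    ip = chain[0][0]            # start at the outermost device (the Fritzbox)
    for dev_ip, rules in chain:
        if ip != dev_ip:
            break               # previous hop sent it to a host, not to this NAT device
        rule = next((r for r in rules if r.ext_port == port), None)
        if rule is None:
            return None         # no Port Forward for this port: dropped
        ip, port = rule.dst_ip, rule.dst_port   # DNAT: new destination
    return ip, port


def http01_ok(chain: List[Device]) -> bool:
    """Let's Encrypt HTTP-01 needs port 80 at the host that will serve on 443."""
    r80, r443 = trace(80, chain), trace(443, chain)
    return r80 is not None and r443 is not None and r80[0] == r443[0]


# Rule set the original poster plans: 443 to Nextcloud via IPFire, 80 to the
# webserver directly on the Fritzbox LAN.
SPLIT_CHAIN: List[Device] = [
    (FRITZBOX_LAN, [PortForward(443, IPFIRE_RED, 443),
                    PortForward(80, WEBSERVER, 80)]),
    (IPFIRE_RED, [PortForward(443, NEXTCLOUD, 443)]),
]

# Same, but with 80 also forwarded to Nextcloud on both devices.
FULL_CHAIN: List[Device] = [
    (FRITZBOX_LAN, [PortForward(443, IPFIRE_RED, 443),
                    PortForward(80, IPFIRE_RED, 80)]),
    (IPFIRE_RED, [PortForward(443, NEXTCLOUD, 443),
                  PortForward(80, NEXTCLOUD, 80)]),
]

# Port mismatch: the Fritzbox rewrites to 8443, but IPFire only listens on 443.
MISMATCH_CHAIN: List[Device] = [
    (FRITZBOX_LAN, [PortForward(443, IPFIRE_RED, 8443)]),
    (IPFIRE_RED, [PortForward(443, NEXTCLOUD, 443)]),
]

if __name__ == "__main__":
    for name, chain in [("split", SPLIT_CHAIN), ("full", FULL_CHAIN),
                        ("mismatch", MISMATCH_CHAIN)]:
        print(name, "443 ->", trace(443, chain), "| 80 ->", trace(80, chain),
              "| HTTP-01 ok:", http01_ok(chain))
```

In the split layout the 443 connection does reach Nextcloud, but the ACME client on Nextcloud never sees the port-80 challenge request, which is the "strange effect" the second reply warns about; and in the mismatch layout the connection is dropped at IPFire because its rule listens on 443 while the Fritzbox hands it over on 8443. Neither error produces a log entry on the Nextcloud host, so tracing the path on paper (or with this script) before testing from outside saves time.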