I am trying to log in from a client phone in the Blue zone running Google Chrome to a Web server running in the Orange DMZ zone. The server in the Orange zone has a wired connection directly to the Orange port on the ipFire machine.

The phone is connected to a Wifi AP. The AP has a wired connection to the blue port on an ipFire 4x port fanless PC.
I am running core 168.
I have created a rule to allow the phone with the specified MAC to connect to the server on the orange zone.

When I look on the ipFire Log summary > DHCP Server leases, I can see the phone, identifiable with the MAC.

I am running a Ping utility on the phone.
When I look at the ipFire Log (ip) I see the 3x pings being forwarded to the correct server address.

I can ping the server address from my PC on Green (the server is definitely working).

When I try connecting from the Chrome browser to the web server in the orange zone, I can see the request being forwarded to the server in the log. I am not seeing a response from the server.

What am I doing wrong? Do I need to create a rule that allows the web server to connect to the phone?

This is not possible. If the server's network is configured to be a member of the orange zone it has to be connected to the orange zone.


Typo error. The web server is wired to the orange port.
Note the web server is intentionally not visible from the internet.
I have corrected my first post.

Try the IP instead of the MAC first. I remember that the firewall rules can’t be MAC-based because they are loaded before the network is ready. I had the same issue, I guess about 2 years ago. You should see iptables error messages during the boot up. That will disappear if you set up the rules with IPs.


I have a device in the DMZ (orange) network. From the GREEN zone I cannot ping the device. BUT, I can access the device via port 80. All works A-OK without a special firewall rule.

You should be able to go from GREEN (or BLUE with access) to ORANGE without issues. See:

The only guess I have is that something isn’t open in BLUE Access.

EDIT: I just tried with my iPhone in BLUE and all works A-OK. I can access the DMZ (orange) device.

The web server on orange is not accessed with port 80. I am using a port above 1024, not 80, so there is a potential issue I need to check for.

OK so if the IP rules can’t be MAC-based, the WUI shouldn’t offer that option.

I did a port scan from BLUE to ORANGE and I can see other ports as well. So I am guessing other ports should be OK also.

Can you do a port scan from the blue device?

A MAC based Source is OK. There is something else causing the issue.

What other firewall rules do you have? Anything in firewall.local?

I have done a port scan from the phone to the Orange server. No ports show open, but I know at least one is.
A ping from the phone gets nil response.
I don’t have a firewall.local file or directory.

I don’t have any other rules.
I have set up the OpenVPN to access Orange only. That works.

I already have Blue set up to ignore MAC for wifi connections. I can see that my phone is connected on Blue.

In the first post the picture shows Rule #3. What are Rule #1 and Rule #2?

If you deactivate this rule “3” does it work?

I have made changes so I only have the one firewall rule.
The rule now should allow any device on Blue to access the server on Orange.
No MAC filtering.
I still can’t ping from the phone to the server on Orange.
A port scan from the phone to the server port 8999 gets no response.
I can ping and log-in to the server from the Green network, so I know the server is working.

I can see the port scan and pings in the log, so I know the phone is sending them out.

OK I have tried using a windows tablet in place of the phone.
I get the same result. No ping. I can’t log-on to the server.
I can see the traffic going to the server in the ipFire logs.

No problems getting out to the internet. I just can’t reach the server in the Orange zone.

I have tried opening the Blue >> Orange without any restrictions.

No change. Same results.
I cannot get a connection from Blue to Orange.
I don’t know what else I can try.

The default rules should allow communication from Blue to Orange.

Check Blue Access settings.

You should not need a firewall rule.

If you can see the traffic leaving IPFire and going to the server then I believe that the problem is unlikely to be IPFire but some issue with the server.

What messages do you see in the server logs for when the traffic gets to the server.
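A diagnostic that follows the advice above, added here as an example and not code from the thread or the IPFire project: it parses connection-tracking entries in the `/proc/net/nf_conntrack` format and lists flows that arrived from Blue and were forwarded to Orange but never received a reply through the firewall, which points at the server (its gateway, route, or host firewall) rather than at the rule set. The zone subnets and the sample entries are assumptions.

```python
"""Added example: find Blue->Orange flows that were forwarded but never answered.
Not code from the thread or from IPFire; zone subnets below are assumed."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed zone addressing for this example.
BLUE = ipaddress.ip_network("192.168.2.0/24")
ORANGE = ipaddress.ip_network("192.168.3.0/24")

# Constructed sample in /proc/net/nf_conntrack format: a TCP SYN to port 8999 and an
# ICMP echo from a Blue host that got no reply, plus a healthy Green->Orange session.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 117 SYN_SENT src=192.168.2.10 dst=192.168.3.20 sport=51234 dport=8999 [UNREPLIED] src=192.168.3.20 dst=192.168.2.10 sport=8999 dport=51234 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.3.20 sport=44002 dport=8999 src=192.168.3.20 dst=192.168.1.5 sport=8999 dport=44002 [ASSURED] mark=0 use=2
ipv4     2 icmp     1 29 src=192.168.2.10 dst=192.168.3.20 type=8 code=0 id=7 [UNREPLIED] src=192.168.3.20 dst=192.168.2.10 type=0 code=0 id=7 mark=0 use=2
"""


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: str      # destination port, or ICMP type for icmp entries
    replied: bool   # False when the kernel still marks the entry [UNREPLIED]


def parse_conntrack(text: str) -> list[Flow]:
    """Parse nf_conntrack lines; the first src=/dst= pair is the original direction."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto = fields[2]
        src = re.search(r"\bsrc=(\S+)", line).group(1)
        dst = re.search(r"\bdst=(\S+)", line).group(1)
        port = re.search(r"\bdport=(\d+)", line) or re.search(r"\btype=(\d+)", line)
        flows.append(Flow(proto, src, dst, port.group(1) if port else "",
                          "[UNREPLIED]" not in line))
    return flows


def unreplied_blue_to_orange(text: str) -> list[Flow]:
    """Flows that left Blue for Orange and never saw a reply packet on the firewall."""
    return [f for f in parse_conntrack(text)
            if not f.replied
            and ipaddress.ip_address(f.src) in BLUE
            and ipaddress.ip_address(f.dst) in ORANGE]


if __name__ == "__main__":
    for f in unreplied_blue_to_orange(SAMPLE_CONNTRACK):
        print(f"{f.proto} {f.src} -> {f.dst}:{f.dport} forwarded, no reply seen")
```

On a live box, feed it the real table with `unreplied_blue_to_orange(open("/proc/net/nf_conntrack").read())`; an entry that stays `[UNREPLIED]` while the server log shows the request arriving means the reply is leaving the server by another path.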

The graphic shown on the ipFire Rules page (see post above) indicates Blue to Orange is blocked by default.

Per default rule. Use “blue access”.
So I would guess blocked by mac filter.
Should need no rules.
Correct me if I’m wrong.

The graphic on the firewall rules page says Blue to Orange access is blocked both ways.

This is reasonable and expected behaviour.

As I understand things, Internet to Orange access requires explicit IP address of the server.
Does this requirement extend to Blue to Orange access??

Yes it does. At the end of the Blue Access wiki page it covers creating a Blue to Green pinhole.

The same applies to connecting from Blue to Orange, you also need to create a pinhole following the same approach as for the Blue to Green pinhole but changing everything related to Blue to Orange.
Creating a Blue to Green Pinhole

I followed those instructions at the first attempt with a MAC as source.
I then tried the phone IP as the source.
I then tried opening all of Blue to all of Orange.
I tried to make a connection from a tablet on Blue.
I am now back to specifying the IP of the phone and server in the rule.

I can see pings and port scans in the ipFire log.

I can ping the server from my PC on green, so the server is working.
ping from green

I have tried making a connection from a tablet on wifi to eliminate the phone as the problem.

I am running out of options.