Hi
I am trying to log in from a client phone in the Blue zone running Google Chrome to a Web server running in the Orange DMZ zone. The server in the Orange zone has a wired connection directly to the Orange port on the ipFire machine.
The phone is connected to a Wi-Fi AP. The AP has a wired connection to the blue port on an ipFire 4x port fanless PC.
I am running core 168.
I have created a rule to allow the phone with the specified MAC to connect to the server on the orange zone.
I can ping the server address from my PC on Green ( the server is definitely working).
When I try connecting from the Chrome browser to the web server in the orange zone, I can see the request being forwarded to the server in the log. I am not seeing a response from the server.
What am I doing wrong? Do I need to create a rule that allows the web server to connect to the phone?
Typo error. The web server is wired to the orange port.
Note the web server is intentionally not visible from the internet.
I have corrected my first post.
Try the IP instead of the MAC first. I remember that the firewall rules can’t be MAC-based because they are loaded before the network is ready. I had the same issue, I guess about 2 years ago. You should see iptables error messages during the boot up. They will disappear if you set up the rules with IPs.
I have a device in the DMZ (orange) network. From the GREEN zone I cannot ping the device. BUT, I can access the device via port 80. All works A-OK without a special firewall rule.
You should be able to go from GREEN (or BLUE with access) to ORANGE without issues. See:
The only guess I have is that something isn’t open in BLUE Access.
EDIT: I just tried with my iPhone in BLUE and all works A-OK. I can access the DMZ (orange) device.
Hi
I have done a port scan from the phone to the Orange server. No ports show open, but I know at least one is.
A ping from the phone gets nil response.
I don’t have a firewall.local file or directory.
I don’t have any other rules.
I have set up OpenVPN to access Orange only. That works.
I already have Blue set up to ignore MAC for wifi connections. I can see that my phone is connected on Blue.
Hi
I have made changes so I only have the one firewall rule.
The rule now should allow any device on Blue to access the server on Orange.
No MAC filtering.
I still can’t ping from the phone to the server on Orange.
A port scan from the phone to the server port 8999 gets no response.
I can ping and log in to the server from the Green network, so I know the server is working.
Hi
OK I have tried using a windows tablet in place of the phone.
I get the same result. No ping. I can’t log on to the server.
I can see the traffic going to the server in the ipFire logs.
No problems getting out to the internet. I just can’t reach the server in the Orange zone.
I have tried opening the Blue >> Orange without any restrictions.
If you can see the traffic leaving IPFire and going to the server then I believe that the problem is unlikely to be IPFire but some issue with the server.
What messages do you see in the server logs for when the traffic gets to the server?
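A way to settle the question raised in the reply above, added here as an example and not part of the thread or the IPFire project: capture on the Orange interface of the IPFire box while the Blue client retries the connection, and classify what the capture shows. If the client's SYN never appears on the Orange side, the rule or pinhole on IPFire is the problem; if the SYN appears but nothing comes back from the server, IPFire is forwarding correctly and the server (host firewall, or a default gateway that does not point at IPFire's Orange address) is not answering. The interface name orange0 and the addresses and port below are assumptions for illustration; the tcpdump lines in the usage are the format `tcpdump -n` prints.

```shell
#!/bin/sh
# Added example, not from the thread or the IPFire project: run on the IPFire
# box to tell "IPFire never forwarded the SYN" apart from "the server never
# answered". Address, port and interface values are assumptions for illustration.
CLIENT=${CLIENT:-192.168.2.50}   # assumed Blue client (phone) address
SERVER=${SERVER:-192.168.3.10}   # assumed Orange web server address
PORT=${PORT:-8999}               # the port the thread is testing
IFACE=${IFACE:-orange0}          # assumed name of the Orange NIC on IPFire

# classify_capture reads "tcpdump -n" lines on stdin and prints one verdict:
#   no-syn        the client's SYN never appeared on the Orange interface
#                 (look at the IPFire rule / Blue-to-Orange pinhole)
#   syn-no-reply  the SYN was forwarded but the server sent nothing back
#                 (server host firewall dropping, or its gateway/route is wrong)
#   syn-rst       the server answered with RST: host reachable, port closed
#   synack        the server answered SYN/ACK: the path through IPFire works
classify_capture() {
    seen_syn=0 seen_synack=0 seen_rst=0
    while IFS= read -r line; do
        case "$line" in
            *"$CLIENT."*" > $SERVER.$PORT: Flags [S]"*) seen_syn=1 ;;
            *"$SERVER.$PORT > $CLIENT."*"Flags [S.]"*)  seen_synack=1 ;;
            *"$SERVER.$PORT > $CLIENT."*"Flags [R"*)    seen_rst=1 ;;
        esac
    done
    if [ "$seen_synack" = 1 ]; then
        echo synack
    elif [ "$seen_rst" = 1 ]; then
        echo syn-rst
    elif [ "$seen_syn" = 1 ]; then
        echo syn-no-reply
    else
        echo no-syn
    fi
}

# capture_and_classify runs a short capture on the Orange interface while you
# retry the connection from the Blue client, then classifies what it saw.
# Needs root on the IPFire box; stops after 20 matching packets.
capture_and_classify() {
    tcpdump -lni "$IFACE" -c 20 "tcp and host $SERVER and port $PORT" 2>/dev/null |
        classify_capture
}
```

Run `CLIENT=<phone ip> SERVER=<server ip> PORT=8999 sh -c '. ./check.sh; capture_and_classify'` on IPFire, then retry the connection from the phone; a second capture on the Blue interface with the same filter shows whether any reply that did leave the server makes it back towards the client.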
Yes it does. At the end of the Blue Access wiki page it covers about creating a Blue to Green pinhole.
The same applies to connecting from Blue to Orange, you also need to create a pinhole following the same approach as for the Blue to Green pinhole but changing everything related to Blue to Orange. Creating a Blue to Green Pinhole
Hi
I followed those instructions at the first attempt with a MAC as source.
I then tried the phone IP as the source.
I then tried opening all of Blue to all of Orange.
I tried to make a connection from a tablet on Blue.
I am now back to specifying the IP of the phone and server in the rule.