Mob Ph on Blue to Orange Access blocked?

Is that server connected to orange only? I am surprised that you can access the server from green, even if ipfire allows that. For example my Windows Server 2022 does not allow any incoming connections from networks it does not know → drops them (also ICMP). So I need to configure its firewall to allow incoming connections from specified networks. The same is with Windows 7/8/10/11. As long as the network isn’t defined to be a home network, you have to allow any incoming connections from networks it does not know in the firewall as well.


Hi
I have no problem connecting to the server from Green to Orange. I have a PuTTY session running right now.

I have just installed tcpdump on the server (Raspi). I can see that the pings from the phone on Blue are reaching the server on Orange. What is not happening is the return trip: the ping responses from the server are not making it back to the phone.
At present, all the evidence points to the Blue to Orange rule being one-way.

So it’s the same. This is not related to ipfire and is a problem of your server’s firewall configuration.

My server is sitting behind the firewall in the Orange zone. The server is not a firewall.
I can reach the server from the Green zone, open by default.
I can’t reach the server from the Blue zone, regardless of what I do.

The Orange zone does have VPN connections. These VPN connections only have access to the Orange zone. They work. They also access the server. The server doesn’t know it is in the Orange zone.

In summary:
Green > Server on Orange works
VPN > Server on Orange works
Blue > Orange = one way traffic.

It is not the phone because I get the same results with a tablet.
It is not the AP because the AP does not know about zones. If it was blocking return traffic, devices on Blue would not be able to use the Internet.

So the problem is that ipFire is blocking return traffic from Orange > Blue

Starting with the phone. If this is an Android it will use a randomized MAC on connection which will change each time it connects. To avoid this, you have to set it up to use the device’s real MAC when connected to the desired wireless network.

Enable Blue Access by device, bound by MAC, or to the entire subnet for any device that connects to it.

Blue is an isolated network by default. Once the device is allowed to connect on Blue and connected, set a static IP for the device.

A firewall rule must then be made to allow access to other networks. Also note the bottom of the screen that shows exactly where traffic is allowed and blocked between networks.

When accessing inside the network as you are, you will also need a rule allowing the server on Orange to communicate back to Blue.

Hi
I already have my Android phone set up with a fixed MAC.
The rule I have should allow access from any device on Blue to any device on Orange.
I started with the phone MAC and the server static IP. I have only progressively widened the pinhole as part of diagnostics.

I understand that Orange is isolated. That is why I want to use it.

The server will never initiate comms to Green or Blue. My understanding is that no rule is required to open Orange to Blue.

The server is set up as an isolated wifi AP with no interaction with ipFire or any other network.
With my laptop, I can log in to the Raspi server AP, ping and run the application. It all works.

With that same laptop, I log into the Blue network Wifi AP on ipFire. I can’t ping the server on the Orange DMZ. I can’t run the app.
From my wired desktop PC on Green, I can ping the server, and run the app.
These tests tell me the laptop, the PC and server are working OK.

So every test I have done points to ipFire blocking return traffic from Orange to Blue.
I am wondering if this is because I have set up the VPN to access Orange only. Could there be some unwanted interaction?

Is there a way to trace the path of packets through ipFire?
Specifically, I want to find out what is blocking return packets in ipFire (Orange to Blue)?
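One way to answer the last question with the tool already on the Raspi, added here as an example and not from anyone in the thread: run `tcpdump -n -i <interface> icmp` on the Blue-side and Orange-side interfaces of the IPFire box at the same time, then pair each echo request with its reply by ICMP id and sequence number. A probe whose reply shows up on the Orange interface but never on the Blue one was dropped inside the firewall, which is what the evidence above suggests. The interface names (blue0, orange0, green0), the addresses and the capture lines are constructed; only the line format comes from tcpdump.

```python
import re
from collections import defaultdict

# Matches ICMP echo lines as printed by "tcpdump -n -i <interface> icmp".
ICMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed captures, one per IPFire interface (all addresses are placeholders):
# .2.50 = phone on Blue, .1.20 = desktop on Green, .3.10 = Raspi server on Orange.
CAPTURES = {
    "blue0": """\
10:00:01.000100 IP 192.168.2.50 > 192.168.3.10: ICMP echo request, id 4242, seq 1, length 64
10:00:02.000100 IP 192.168.2.50 > 192.168.3.10: ICMP echo request, id 4242, seq 2, length 64
10:00:02.500000 IP 192.168.2.50.51000 > 192.168.2.1.443: Flags [S], seq 1, win 64240, length 0
""",
    "orange0": """\
10:00:01.000300 IP 192.168.2.50 > 192.168.3.10: ICMP echo request, id 4242, seq 1, length 64
10:00:01.000900 IP 192.168.3.10 > 192.168.2.50: ICMP echo reply, id 4242, seq 1, length 64
10:00:02.000300 IP 192.168.2.50 > 192.168.3.10: ICMP echo request, id 4242, seq 2, length 64
10:00:02.000900 IP 192.168.3.10 > 192.168.2.50: ICMP echo reply, id 4242, seq 2, length 64
10:00:05.000300 IP 192.168.1.20 > 192.168.3.10: ICMP echo request, id 7, seq 1, length 64
10:00:05.000900 IP 192.168.3.10 > 192.168.1.20: ICMP echo reply, id 7, seq 1, length 64
""",
    "green0": """\
10:00:05.000100 IP 192.168.1.20 > 192.168.3.10: ICMP echo request, id 7, seq 1, length 64
10:00:05.001100 IP 192.168.3.10 > 192.168.1.20: ICMP echo reply, id 7, seq 1, length 64
""",
}

def parse_echoes(capture):
    """Count request/reply packets per probe, keyed by (client, server, icmp id, seq)."""
    probes = defaultdict(lambda: {"request": 0, "reply": 0})
    for m in ICMP_RE.finditer(capture):
        client, server = m["src"], m["dst"]
        if m["kind"] == "reply":  # a reply travels server -> client; normalise the key
            client, server = server, client
        probes[(client, server, int(m["id"]), int(m["seq"]))][m["kind"]] += 1
    return probes

def one_way_probes(captures, client_if, server_if):
    """Probes answered on server_if whose reply never came back out on client_if."""
    seen = {name: parse_echoes(text) for name, text in captures.items()}
    lost = []
    for key, at_server in seen[server_if].items():
        at_client = seen[client_if].get(key, {"request": 0, "reply": 0})
        if at_client["request"] and at_server["reply"] and not at_client["reply"]:
            lost.append(key)
    return sorted(lost)
```

Running `one_way_probes(CAPTURES, "blue0", "orange0")` lists both Blue probes as lost on the way back, while the same check for green0 against orange0 returns nothing, matching the Green-works/Blue-fails picture in the thread.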