Networking suggestion

Hi everyone, I'm new, so I apologize in advance if any concept of how IPFire works is not clear to me.

I have a complex home network, with a router (192.168.x.1) and a managed switch (192.168.x.4) that serves a dozen VLANs; in cascade I have a PoE switch (192.168.x.6) that powers my 5 access points, which provide connectivity to various home devices (smartphones, surveillance cameras, switches, computers, Alexa, refrigerator, printer, guests, etc.).

The DNS is then managed in a "particular" way: there is a Microsoft DNS (with its Active Directory) used for the PCs and the printer, and a Pi-hole to which all the DNS queries of the other devices are directed (the Microsoft DNS also forwards its DNS requests to the Pi-hole). Inside the aforementioned domain controller there is also a DHCP server that supplies the IP addresses to the 10 VLANs described above.

What kind of configuration should I set on IPFire? I expect a RED network, which is the one that goes from IPFire to the router, and a GREEN network to which all the VLANs are connected, correct?
So I suppose that on the router I have to indicate the IPFire address as next hop, and
on the managed switch I have to put IPFire-GREEN as the gateway. Right?

But, since IPFire is a virtual machine on the Management VLAN, how can I set up the routing? I tried to add a static route on IPFire
192.168.xx.0/24 via 192.168.X.4 dev green0 proto static
but when I try to ping a machine on that network I get no response.

Pictures / drawings say more than thousand words! :wink:

Removed for security reasons

What services shall IPFire provide in this net?
IPFire is basically a gateway/router. To use the firewall, traffic must go through the device (two distinct interfaces are mandatory).

IPFire must act as a firewall, so it must:
a) prevent access from the outside to my network (excluding some devices / ports such as surveillance cameras)
b) prevent devices in my network from going out on the internet on unauthorized ports
c) act as a proxy (already successfully enabled)

P.S. I already have two interfaces: the green and the red.

That’s not visible in your drawing.
IPFire is just a client in the network, which is the LAN of your cable modem/router.
So IPFire’s RED IP is, where is your GREEN network attached, how is the network definition?

Correct, but I would like all the incoming and outgoing traffic to pass through it, so on the Fritzbox I created routes that for each VLAN refer to IPFire, and on the Netgear ( the default route is the green interface of IPFire.

no, ipfire GREEN is ipfire RED is

What about the basics described in - Step 5: Network Setup ?

It seems correct, but I repeat, maybe I'm wrong: RED for the external network (i.e. the one that arrives from the Fritzbox to ) and GREEN for the internal network (which therefore acts as a gateway, or as a default route, for all VLANs).

Your Fritzbox is the internet access and has a LAN IP of
IPFire gets its WAN access from the Fritzbox, right? So its RED (WAN) IP must be in
To act as the internet access appliance, IPFire should be positioned between the WAN (Fritzbox) and the LAN (GSM5212).
The GSM5212 in your config manages the local networking. IPFire can establish secure access to the internet. The Fritzbox should be tailored to not (much) more than a DOCSIS modem.

Sorry, but one thing is where IPFire should be placed logically, and another is where IPFire should be placed physically.

Logically IPFire must be between the Fritzbox and the GSM5212, but physically IPFire is attached to the GSM5212.
Now, the management network is and logically I can pass all the traffic coming from the Fritzbox to IPFire simply by adding a static route to the IPFire IP (); that this information then physically passes through the GSM5212 is irrelevant. Once the packets have arrived on IPFire, it uses routes to send them to the correct VLAN; these routes are present on the GSM5212, but surely they must also be added on IPFire.

Conversely, if internet access is requested by one of the devices in my network, the packet goes through the GSM5212 (where there is the default route that refers to IPFire), and on IPFire there must be a route or a rule that routes the packet (if authorized) to the Fritzbox.

My question is simply this: is this an applicable configuration? On the IPFire side, how do I route the packet to the Fritzbox, via a rule or via a route?

Do I understand right?
You want to do an installation with only 1 physical NIC in IPFire.
This is not recommended. IPFire separates WAN and LAN. Each network has its own (physical) interface.
In my opinion, you should not mix WAN and LAN(s). Separating networks by logical network concepts, like VLANs, doesn't inhibit unwanted traffic. What if some client in a VLAN segment communicates directly with the Fritzbox for internet access?

No, you did not understand, or surely I explained myself badly.
There are two NICs, one for the RED and one for the GREEN. The RED is the one that connects Fritzbox <-> IPFire ( <-> and the GREEN is the gateway for all other networks (VLANs): VLANx <->

What I want to do, with the configuration above, is to create the routes that go from IPFire to the VLANs (the ones that go from the VLANs to IPFire I can configure on my GSM5212 with a default route).

Is the gsm5212 also connected to the Fritzbox?
Then you have two ways to the internet.

Right, the GSM5212 is connected to the Fritzbox, but all my devices (smartphones, cameras, etc.) are managed by me, so none of these could have the Fritzbox as default gateway.
Please let me know which rules or routes I need on the IPFire side.

Otherwise, are you telling me that IPFire must be only a physical device between the Fritzbox and the GSM5212 (and then that is not the right solution for me)?

Please just tell me how to create these rules/routes... I want to try it with the networking described above.

Why this complicated setup? (If I remember right, the picture is removed :wink:)
The logical way for network traffic is:

WAN <—> access device <—> firewall <—> local net(s)

access device is your Fritzbox (DOCSIS modem, possibly with router).
firewall may/should be IPFire (connects/routes WAN to the local installation).
local net(s) is your existing installation (connects the various network segments you have already defined, your VLANs).

Hi Bernhard,
in the paradise of networks your explanation of the "logical way for traffic" is surely the best; but I'm on a home network and I cannot buy a device with two NICs to mount IPFire on.
I'm therefore forced to virtualize this layer and play with routing (I had already done this with a Checkpoint firewall and a couple of Cisco switches in an enterprise environment).
What I don't understand, I repeat, is how on IPFire you have to set the routes, because in the logical design that I have in mind the networking is the following:
fritzbox → ipfire → gsm5212
but the physical drawing says that the Fritzbox is connected to the GSM5212 and that IPFire is a virtual machine on one of the devices connected (via Ethernet cable) to the GSM5212, a device on which I have set up a virtualized environment.

Now what I need to know, and I don't think IPFire can't do that, is how to handle the IPFire-side routing, because only with a correct routing (or rules) setup will I succeed in my goal.
True, the connection between the GSM5212 and the Fritzbox is physical and therefore direct, but if (with the appropriate ACLs and/or rules on the GSM5212) I can "hide" the Fritzbox router from my local network and let the rest of the devices see only IPFire, I can get what I want.
I therefore ask you, kindly, to teach me how to insert a route (I saw that from the command line I can use "ip route add") or a rule that allows me to manage incoming traffic (towards the VLANs) and outgoing traffic (towards the Fritzbox).

I'm sure of your kind reply and I want to thank you again for the time you are wasting trying to help me.

To speak of paradise: I cannot afford a managed switch and a router, nor the various devices of your 'home network', but a small HW appliance running IPFire at the border of WAN and LAN, operating in the logical way. :wink:

I do not think a virtual implementation of IPFire just 'on one of the devices connected to the gsm5212' (thus somewhere in the local network) is a good idea. It is one more possible way to bypass the firewall.
I know you manage and use your local net on your own, but can you manage each piece of SW running in this net? Do you know the internals of your TV, for example?

BTW, why did you remove your network drawing 'for security reasons', if your concept is secure?

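The "route or rule?" question and the bypass concern raised in the thread can be made concrete with a small routing model. The following is an added example, not code from the thread or from IPFire: it performs longest-prefix routing over the topology the original poster describes (Fritzbox, a virtual IPFire with red0 in the Fritzbox LAN and green0 in a transit VLAN, the GSM5212 routing the client VLANs) and traces where a packet actually goes. All addresses are assumed placeholders, since the thread redacts its real 192.168.x.* values; node names and the `trace`/`build` helpers are this example's own. Routes only decide the path; whether IPFire then permits the traffic on that path is a firewall-rule question the model does not cover, and a route added with `ip route add` on the shell does not survive a reboot.

```python
"""Routing model for the thread's topology (added example, not IPFire code).

Assumed addressing (the thread redacts its 192.168.x.* values):
  Fritzbox LAN   192.168.0.0/24   Fritzbox .1, IPFire red0 .2, a laptop .77
  transit VLAN   192.168.1.0/24   GSM5212 .4, IPFire green0 .254
  client VLAN10  192.168.10.0/24  GSM5212 SVI .1, a camera .50
"""
from ipaddress import ip_address, ip_network

WAN = "wan"  # pseudo next hop: the Fritzbox hands the packet to its DOCSIS uplink


class Node:
    def __init__(self, name, addrs, routes):
        self.name = name
        self.addrs = {ip_address(a) for a in addrs}
        # (prefix, next hop): next hop None = on-link, WAN = leave the LAN
        self.routes = [(ip_network(p), g if g in (None, WAN) else ip_address(g))
                       for p, g in routes]

    def lookup(self, dst):
        """Longest-prefix match, like the kernel FIB (no metrics modelled)."""
        hits = [(n, g) for n, g in self.routes if dst in n]
        return max(hits, key=lambda r: r[0].prefixlen, default=None)

    def remove_route(self, prefix):
        self.routes = [r for r in self.routes if r[0] != ip_network(prefix)]


def build():
    """The topology as described in the thread, with the assumed addresses above."""
    nodes = [
        Node("fritzbox", ["192.168.0.1"], [
            ("192.168.0.0/24", None),
            ("192.168.1.0/24", "192.168.0.2"),    # static routes pointing at IPFire RED,
            ("192.168.10.0/24", "192.168.0.2"),   # as the poster configured on the Fritzbox
            ("0.0.0.0/0", WAN)]),
        Node("ipfire", ["192.168.0.2", "192.168.1.254"], [
            ("192.168.0.0/24", None),             # red0, on-link
            ("192.168.1.0/24", None),             # green0, on-link
            ("192.168.10.0/24", "192.168.1.4"),   # "ip route add ... via 192.168.x.4 dev green0"
            ("0.0.0.0/0", "192.168.0.1")]),       # default via the Fritzbox on red0
        Node("gsm5212", ["192.168.1.4", "192.168.10.1"], [
            ("192.168.1.0/24", None),
            ("192.168.10.0/24", None),
            ("0.0.0.0/0", "192.168.1.254")]),     # default route = IPFire GREEN
        Node("camera", ["192.168.10.50"], [
            ("192.168.10.0/24", None), ("0.0.0.0/0", "192.168.10.1")]),
        Node("laptop", ["192.168.0.77"], [        # a port in the Fritzbox-LAN VLAN
            ("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")]),
    ]
    return {n.name: n for n in nodes}


def trace(nodes, src, dst):
    """Follow next hops from node `src` towards IP `dst`; returns the names visited."""
    dst = ip_address(dst)
    by_ip = {a: n for n in nodes.values() for a in n.addrs}
    node, path = nodes[src], [src]
    for _ in range(16):                       # TTL-style guard against routing loops
        if dst in node.addrs:
            return path                       # delivered locally
        route = node.lookup(dst)
        if route is None:
            return path + ["DROP:no-route"]
        _, gw = route
        if gw == WAN:
            return path + ["internet"]
        nxt = by_ip.get(dst if gw is None else gw)
        if nxt is None:
            return path + ["DROP:unreachable"]
        node = nxt
        path.append(node.name)
    return path + ["DROP:loop"]


def inspected_by_ipfire(path):
    """True when the packet crossed IPFire and was not dropped on the way."""
    return "ipfire" in path and not path[-1].startswith("DROP")


if __name__ == "__main__":
    net = build()
    for src, dst in [("camera", "8.8.8.8"), ("fritzbox", "192.168.10.50"),
                     ("ipfire", "192.168.10.50"), ("laptop", "8.8.8.8")]:
        p = trace(net, src, dst)
        print(f"{src:>8} -> {dst:<14} {' > '.join(p):45} firewall={inspected_by_ipfire(p)}")
    net["fritzbox"].remove_route("192.168.10.0/24")   # forget the Fritzbox's VLAN route
    print("reply without Fritzbox route:", trace(net, "fritzbox", "192.168.10.50"))
```

Two things the traces make visible: the per-VLAN routes are needed on both ends (on IPFire via green0 and on the Fritzbox via IPFire RED), because without the Fritzbox's route the reply to a VLAN host follows its default route out of the WAN instead of coming back through IPFire; and any host sitting on the VLAN that carries the Fritzbox LAN, which the switch must carry for the virtual red0 to work at all, can point its gateway at the Fritzbox and never touch IPFire, which is exactly the bypass the second participant warns about. Layer-3 routes cannot close that hole; only switch ACLs or moving IPFire physically in line can.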