Networking suggestion

It seems correct, but I repeat, maybe I'm wrong: red for the external network (i.e. the one that arrives from the Fritzbox to 10.7.16.67) and green for the internal network (therefore 192.168.1.2, which acts as a gateway, or as a default route, for all VLANs).

Your Fritzbox is the internet access and has a LAN IP of 192.168.1.1.
IPFire gets its WAN access from the Fritzbox, right? So its RED ( WAN ) IP must be in 192.168.1.0/24.
To act as an internet access appliance, IPFire should be positioned between the WAN ( Fritzbox ) and the LAN ( GSM5212 ).
In your config the GSM5212 manages the local networking. IPFire can establish secure access to the internet. The Fritzbox should be tailored to be not ( much ) more than a DOCSIS modem.

Sorry, but one thing is where IPFire should be placed logically, and another is where IPFire should be placed physically.

Logically IPFire must be between the Fritzbox and the gsm5212, but physically IPFire is attached to the gsm5212.
Now, the management network is 192.168.1.0/24, and logically I can pass all the traffic coming from the Fritzbox to IPFire simply by adding a static route to the IPFire IP (192.168.1.2); the fact that this traffic then physically passes through the gsm5212 is irrelevant. Once the packets have arrived on IPFire, it takes routes to route them to the correct VLAN; these routes are present on the gsm5212, but surely they must also be added on IPFire.

Conversely, if internet access is requested from one of the devices in my network, this packet goes through the gsm5212 (where there is the default route that refers to IPFire), and on IPFire there must be a route or a rule that routes the packet (if authorized) to the Fritzbox.

My question is simply this: is this an applicable configuration? On the IPFire side, how do I route the packet to the Fritzbox, via a rule or via a route?

Do I understand right?
You want to do an installation with only 1 physical NIC in IPFire.
This is not recommended. IPFire separates WAN and LAN. Each network has its own ( physical ) interface.
In my opinion, you should not mix WAN and LAN(s). Separating networks by logical network concepts, like VLANs, doesn't inhibit unwanted traffic. What if some client in a VLAN segment communicates directly with the Fritzbox for internet access?

No, you did not understand, or surely I explained myself badly.
There are two NICs, one for RED and one for GREEN. RED is the one that connects Fritzbox <-> IPFire (192.168.1.1 <-> 192.168.1.2); GREEN is the gateway for all the other networks (VLANs): VLANx <-> 10.7.16.67.

What I want to do, with the configuration above, is to create the routes that go from IPFire to the VLANs (the ones that go from the VLANs to IPFire I can configure on my gsm5212 with a default route).

Is the gsm5212 also connected to the Fritzbox?
Then you have two ways to the internet.

Right, the gsm5212 is connected to the Fritzbox, but all my devices (smartphones, cameras, etc.) are managed by me, so none of them could have the Fritzbox as default gateway.
Please let me know which rules or routes I need on the IPFire side.

Otherwise, are you telling me that IPFire must be only a physical device between the Fritzbox and the gsm5212 (and then that is not the right solution for me)?

Please just tell me how to create these rules/routes… I want to try it with the networking described above.

Why this complicated setup? ( If I remember right, picture is removed :wink: )
The logical way for network traffic is:

WAN <—> access device <—> firewall <—> local net(s)

access device is your Fritzbox ( DOCSIS modem with possibly router ).
firewall may/should be IPFire ( connects/routes WAN to local installation ).
local net(s) is your existing installation ( connects the various network segments defined by you already, your VLANs ).

Hi Bernhard
In the paradise of networks your explanation of the “logical way to traffic” is surely the best; but I'm on a home network and I cannot buy a device with two NICs to mount IPFire on.
I'm therefore forced to virtualize this layer and play with routing (I had already done this with a Checkpoint firewall and a couple of Cisco switches in an enterprise environment).
What I don't understand, I repeat, is how on IPFire you have to set the routes, because in the logical design that I have in mind the networking is the following:
fritzbox → ipfire → gsm5212
but the physical drawing says that the Fritzbox is connected to the gsm5212 and that IPFire is a virtual machine on one of the devices connected (via ethernet cable) to the GSM5212, a device on which I have mounted a virtualized environment.

Now what I need to know, and I don't think IPFire can't do that, is how to handle the IPFire-side routing, because only with a correct routing (or rules) setup will I succeed in my goal.
True, the connection between the gsm5212 and the Fritzbox is physical and therefore direct, but if (with the appropriate ACLs and/or rules on the gsm5212) I can “hide” the Fritzbox router from my local network and let the rest of the devices see only IPFire, I can get what I want.
I therefore ask you, kindly, to teach me how to insert a route (I saw that from the command line I can use “ip route add”) or a rule that allows me to manage incoming traffic (towards the VLANs) and outgoing traffic (towards the Fritzbox).

I’m sure of your kind reply and I want to thank you again for the time you are wasting trying to help me
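Added example, not part of any post in this thread and not IPFire's own tooling: the runtime routes the two posts above ask for (VLANs reachable via GREEN, internet via the Fritzbox on RED), written as a small sh script that prints the ip route commands for review, applies them, and checks the kernel's actual decision with ip route get. The only facts taken from the thread are the Fritzbox LAN IP 192.168.1.1, IPFire's RED IP 192.168.1.2 and GREEN IP 10.7.16.67; the interface names red0/green0, the gsm5212's routed address on the GREEN segment (10.7.16.1) and the VLAN subnets (10.7.17.0/24 etc.) are assumptions and must be replaced with your own values.

```shell
#!/bin/sh
# Constructed example for the topology in the thread; not IPFire project code.
# From the thread: Fritzbox 192.168.1.1, IPFire RED 192.168.1.2, IPFire GREEN 10.7.16.67.
RED_IF=red0                  # ASSUMED: IPFire's usual RED interface name
GREEN_IF=green0              # ASSUMED: IPFire's usual GREEN interface name
RED_GW=192.168.1.1           # Fritzbox: next hop for every packet going to the internet
GREEN_PEER=10.7.16.1         # ASSUMED: the gsm5212's routed (L3) interface on the GREEN segment
VLAN_NETS="10.7.17.0/24 10.7.18.0/24 10.7.19.0/24"   # ASSUMED VLAN subnets behind the gsm5212

# Print the routes as commands (dry run) so they can be reviewed before anything changes.
# 'replace' is idempotent; 'add' fails with "File exists" on a second run.
route_cmds() {
    echo "ip route replace default via $RED_GW dev $RED_IF"
    for net in $VLAN_NETS; do
        echo "ip route replace $net via $GREEN_PEER dev $GREEN_IF"
    done
}

# Apply the routes (needs root on the IPFire box). Any failure aborts the loop.
apply_routes() {
    route_cmds | while read -r cmd; do
        $cmd || exit 1
    done
}

# The check a practitioner wants: which interface and next hop the kernel really picks.
check_route() {
    ip route get "$1" 2>/dev/null | head -n 1
}

case "${1:-}" in
    --apply) apply_routes ;;
    --check) shift; for ip in "$@"; do check_route "$ip"; done ;;
    *)       route_cmds ;;
esac
```

Run it without arguments to see the commands, with --apply to install them, and with --check 10.7.17.5 8.8.8.8 to confirm that a VLAN address leaves via green0 and an internet address via red0. Two caveats: routes installed with ip route are lost at reboot, so make them persistent through IPFire's web interface rather than this script; and because the gsm5212 and the Fritzbox share 192.168.1.0/24 physically, a reply that enters the VLAN directly through the gsm5212 while the request left through IPFire is asymmetric, and IPFire's stateful firewall will drop such out-of-state packets. That is the concern Bernhard raises above, and no route on IPFire alone removes it.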

To speak of paradise. I cannot afford a managed switch and a router nor the various devices for my ‘home network’, but a small HW appliance running IPFire at the border of WAN and LAN. Operating in the logical way. :wink:

I do not think a virtual implementation of IPFire just ‘on one of the devices connected to the gsm5212’ ( thus somewhere in the local network ) is a good idea. It is one possible way more to bypass the firewall.
I know you manage and use your local net your own, but can you manage each piece of SW running in this net? Do you know the internals of your TV, for example?

BTW, why did you remove your network drawing ‘for security reasons’, if your concept is secure?


I don't understand, do you want to help me solve my problem or do an assessment? I understand your concern, but (for example) the TV is connected by cable to the gsm5212 and there is MAC-address-based authentication on the switch port; the cameras and switches, which instead connect to the wifi network, are on isolated VLANs that can only see devices of the same kind (cameras or switches, single-brand), and even if they went directly to the Fritzbox it wouldn't change anything.

If you are certain about security in your network, why not just put IPFire with its firewall functionality between your switch and the fritzbox?
This is just a standard red-green configuration. Network segment separation with VLANs is done in your network the same. Only difference is that the (logical) WAN access moves from the Fritzbox to IPFire ( with well-known internal behaviour and support through the community ).

Okay, forget it.
I'll uninstall IPFire and install pfSense; maybe there is someone there who will explain to me what to do.

Anyway, thank you for the good job you did: you encouraged me to find the right solution for my network.

pfsense uses the same topology as IPFire.

Maybe, but maybe also someone there could accept my solution without making an assessment of me.

I don’t make assessments.
But a network where all devices are physically directly connected isn't a topology which allows secure internet access.
This is especially true, if there are devices not obeying the rules. Example: in my home net there are smartphones and smartTVs trying to do DNS requests directly at 8.8.8.8 albeit the DHCP information tells them to use IPFire.

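Added example, not part of any post above and not IPFire project code: the usual countermeasure for the smartphones and smart TVs Bernhard mentions, which ignore the DHCP-supplied resolver and query 8.8.8.8 directly. It redirects every DNS query leaving GREEN to IPFire's own resolver, rejects DNS-over-TLS (port 853) so such devices fall back to plain DNS that can be redirected, and shows the packet counters so you can see who is being caught. The GREEN IP 10.7.16.67 is from the thread; the interface name green0 and the chain names CUSTOMPREROUTING and CUSTOMFORWARD (the hooks IPFire's /etc/sysconfig/firewall.local is meant to fill) are assumptions, so check them on your build before applying. Note that this only helps for traffic that actually passes through IPFire; a device that reaches the Fritzbox via the gsm5212 without touching IPFire is not covered, which is the point of the topology advice above.

```shell
#!/bin/sh
# Constructed example: force all GREEN-side DNS through IPFire's resolver. Not IPFire code.
GREEN_IF=green0              # ASSUMED interface name
GREEN_IP=10.7.16.67          # IPFire GREEN address from the thread (its resolver listens here)
NAT_CHAIN=CUSTOMPREROUTING   # ASSUMED: nat-table chain hooked by firewall.local
FWD_CHAIN=CUSTOMFORWARD      # ASSUMED: filter-table chain hooked by firewall.local

# Print the rules (dry run). Order matters: redirects first, then the DoT reject.
dns_rules() {
    for proto in udp tcp; do
        # Any DNS query not already aimed at IPFire is rewritten to IPFire's own port 53.
        # Redirected packets are then handled as local INPUT, so IPFire answers them.
        echo "iptables -t nat -A $NAT_CHAIN -i $GREEN_IF -p $proto --dport 53 ! -d $GREEN_IP -j REDIRECT --to-ports 53"
    done
    # DNS-over-TLS cannot be redirected to a plain resolver; reject it so clients fall back to port 53.
    echo "iptables -A $FWD_CHAIN -i $GREEN_IF -p tcp --dport 853 -j REJECT --reject-with tcp-reset"
}

# Apply the rules (root on IPFire). Abort on the first failure.
apply_rules() {
    dns_rules | while read -r cmd; do
        $cmd || exit 1
    done
}

# The check: packet/byte counters per rule show whether any client is actually hitting the redirect.
show_hits() {
    iptables -t nat -L "$NAT_CHAIN" -v -n --line-numbers
    iptables -L "$FWD_CHAIN" -v -n --line-numbers
}

case "${1:-}" in
    --apply) apply_rules ;;
    --hits)  show_hits ;;
    *)       dns_rules ;;
esac
```

After applying, a query such as dig @8.8.8.8 example.com from a GREEN client still returns an answer, but the answer comes from IPFire, and --hits shows the counter on the REDIRECT rule increasing. Rules added this way belong in firewall.local so they survive a firewall reload; the script is only the runtime form.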

@attilay2k… if we close off to other people’s suggestions or comments or questions about how or why we do something we close ourselves off to learning.

Cybersecurity is a process of continuous improvement.

Good luck with pfsense!
