New to IPFire, ISP - DMZ Port Forwarding Error

i am at my wits end! before i installed IPFire my system was working, as a preface.
now that i installed the IPFire i am constantly getting DROP_FORWARD on my connection. i am trying to get an external connection on port 3400 from the internet all the way to a desired server on my green network.

So my ISP has to have a modem / router mixed. so no way around that.
I have included a picture of my Error Firewall Logs
then my Fire Wall Rules
then a pic of my current set up. any help will be appreciated!

Note this is running on a Raspberry Pi 4. if that matters at all :slight_smile:

Welcome aboard
Are you sure you want UDP?
Perhaps this sould be TCP
I have know Idea what service you are trying to reach.
So I have know idea what ports are required.

Hey Shaun,
my VPN is on this port on the Green Network.
So my understanding is that i need to open the UPD port 3400. and i already have the TCP 443 open.

I do not Know what VPN you are using.
Is this Service ? VPN running on “Right server”

im running OpenVPN on its own static IP on the Green Network on its own Raspberry pi.
i think the problem is that i went from a double NAT with the ISP pool and the WiFi pool. to a Triple NAT with the ISP pool, IPFire pool, and router pool.

so i know my ISP router can be a DMZ, but im thinking maybe i need to make my IPFire DMZ as well. i have no idea.

Neither of the two rules you have defined are completely correct for Port Forward definition.

Rule 1 from your diagram should have the Firewall selection in the NAT box changed from Green to Automatic. Then you will have the correct rule set.

I would also check the log box for the rule you use so that it will also log the correct execution of the rule. Otherwise you will only see in the logs the things that fail. Once everything is working correctly then you can go back and uncheck the log box for thge port forward rule.

Triple NAT makes things very complicated.
You have made sure that the IP subnet for each router does not overlap any of the other routers subnets?


Hey Adolf, thanks for the help.

i added logs for the rules but im not seeing them under firewall Logs. so maybe im not hitting the rules?

i have made sure that all of my subnets are different.
my ISP is 192.168.2.* with the IPFire given a static IP with DMZ and port forwarding on 3400.
my IPFIRE is 192.168.80.* with the home router given a static IP and im appointing to forward 3400 to the home router who also has a static IP on IPFIre.
the home router has a IP pool of 192.168.86.*

so they are all different and ive attempted to make it as consistent as possible

Did you also update the firewall rule.

From your screenshot rule 2 is enabled and that does not have NAT selected. Rule 1 is not enabled but that does have NAT selected but with Firewall Green rather than Firewall Automatic.

I am not totally sure if that last bit makes a difference but Firewall Automatic is what is specified in the wiki page on Port Forward and is what I have set on my Port Forward rules.

So i think im half way! i made this rule:

and i can now see these in the logs:

adding the logs statement has really helped!

so now i want to forward all traffic from port 3400 to
So i made this rule:

but it is not directing.

As @bonnietwin has already said, Rule 1 is not a DNAT rule. That rule will tell the firewall to allow the traffic but it won’t deliver it to the destination, as it is not instructing the firewall to add port 3400 to the NAT table with as the destination. As Adolf said, you need to use rule 1 of OP screenshot, but you need to change it to “Firewall Automatic”, and you should not use rule 1 of message #9 as it is not useful for what you want to do.


This might help:


@jon Unless I am overlooking something, I think that page is orphaned and not linked by any other page.

Hi @cfusco
It is linked to twice from the Firewall Documentation page.

There is a link labelled “Setting up a DMZ” under the section Quick Start Guides and also in the section Examples.


@bonnietwin my bad, thanks for the correction.

No problem. It can be difficult to find where things are linked from and historically there have been pages that were orphaned and could only be found by searching in the search bar.

There are probably still some pages hidden away somewhere waiting to be found by someone.

1 Like

Thanks everyone for the conversation!

so i made this rule:

and i can see DNAT in the Firewall Logs:

which i assume is the first right step? here is what i see on the export:20:05:53 IN=red0 OUT= SRC= DST= LEN=82 TOS=0x00 PREC=0x00 TTL=49 ID=19880 DF PROTO=UDP SPT=2678 DPT=3400 LEN=62

  • I’m concerned that the OUT is blanks.

Now i want to forward this traffic through to ive made rules like this (all with DNAT checked):

but im getting no routing. thoughts?

DNAT is confusing and I think it is not intended to be used this way (referring to the first screenshot you showed). You are basically saying: “all the incoming traffic with destination port 3400 should go at this IP address”. I do not think you can have as destination “any”. You need to set a specific IP address. It can be another router, but it has to be one IP address. That’s it. You need just one rule that forward all the traffic to port 3400 to another machine that then decides what to do with that traffic.

1 Like

As @cfusco says you need to specify the IP that you want to send it to. Trying to send it to “any” means that the iptables rule has no idea which IP in the whole of your network to send it to. If you literally want to send a message to all machines in a subnet that is what the broadcast address is for.

Once you have the Port Forward rule with a specific IP defined then you don’t need to do the forwarding as the Port Forward Rule will do the DNAT followed by a Port Forward.

See these log messages from a port forward that I have defined.

The time order is from bottom to top.So the DNAT is done first and the next message is the FORWARDFW which forwards it to the IP on your local lan.

A Port Forward rule always comes as this pair of messages in the log, so if one is missing then your rule has some error in it.