I set up IPFire with red, green and orange networks.
RED → internet, fixed IP 192.168.1.2/24 (router has 192.168.1.1)
ORANGE → DMZ, fixed IP 192.168.2.1/24 (a few servers running)
GREEN → fixed IP 192.168.0.10/24 (only access to administrate the IPFire in case of no VPN)
I tried for many hours to realise that I have to open ports from orange to red. Otherwise all ports were blocked.
That document is correct. Traffic from Orange to red has open access by default.
That is working fine on my IPFire system. I have my TV, BluRay player etc on my Orange and they are able to access the red interface to check for firmware updates without any additional Firewall Rules needing to be in place.
If you disable your port forward rules for Orange to Red and on a machine on your Orange network run the command ping -c4 ipfire.org, what response do you get?
On my system I get
ping -c4 ipfire.org
PING ipfire.org (81.3.27.38) 56(84) bytes of data.
64 bytes from fw01.ipfire.org (81.3.27.38): icmp_seq=1 ttl=57 time=27.1 ms
64 bytes from fw01.ipfire.org (81.3.27.38): icmp_seq=2 ttl=57 time=26.9 ms
64 bytes from fw01.ipfire.org (81.3.27.38): icmp_seq=3 ttl=57 time=26.6 ms
64 bytes from fw01.ipfire.org (81.3.27.38): icmp_seq=4 ttl=57 time=26.9 ms
--- ipfire.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 26.623/26.898/27.133/0.182 ms
showing that there is an open connection from Orange to Red.
If you get a response showing no connection can be made then a review of your firewall rules would be the next step.
Have you changed the setting for the Forward connection from Allowed to Blocked? That would stop all outgoing connections for the orange and green networks (also blue if you had that network).
In the Firewall Options WUI (Web User Interface) menu do you have
If the second then all outgoing traffic is blocked unless you define firewall rules.
If you still have the first screenshot with both entries showing Allowed, then maybe you have created a firewall rule that is blocking all traffic going out from Orange to Red, in which case can you provide a screenshot of the Firewall Rules page on the WUI?
I can’t see anything there that would explain why you need to have rule number 4 to get access from Orange to Red.
Just under the Firewall Rules number 1 to 5 there is a colour coded section showing the allowed and blocked accesses, and it shows that Orange can access Red but is blocked from accessing Green.
I take it that you haven't added any firewall rules manually into
/etc/sysconfig/firewall.local
If you need rules to allow Orange to access Red then it must mean that somewhere there are some rules that are blocking that access.
However I am running out of ideas as to what is not set correctly that would cause your system to block that access.
Hopefully someone else has some other ideas of things to check.
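Following the suggestion above to look for a rule that blocks Orange to Red, here is an added Python script (not from this thread and not IPFire's own tooling) that scans iptables-save output for DROP/REJECT rules matching the ORANGE subnet on the path towards RED. The chain names CUSTOMFORWARD and FORWARDFW, the interface name red0 and the sample rules are constructed assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample in iptables-save format, standing in for the output of
# `iptables-save` on the IPFire box. Chain and interface names are assumptions
# for illustration, not copied from the thread or from IPFire's real ruleset.
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
:CUSTOMFORWARD - [0:0]
:FORWARDFW - [0:0]
-A FORWARD -j CUSTOMFORWARD
-A FORWARD -j FORWARDFW
-A CUSTOMFORWARD -s 192.168.2.0/24 -o red0 -j DROP
-A FORWARDFW -s 192.168.2.0/24 -d 192.168.0.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARDFW -s 192.168.2.0/24 -o red0 -j ACCEPT
COMMIT
"""

ORANGE = ipaddress.ip_network("192.168.2.0/24")   # DMZ subnet from the thread
GREEN = ipaddress.ip_network("192.168.0.0/24")    # admin LAN from the thread

def parse_rules(text):
    """Yield (chain, src, dst, out_iface, target, raw) for every -A line."""
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        chain = line.split()[1]
        fields = {}
        for flag in ("-s", "-d", "-o", "-j"):
            m = re.search(rf"(?:^|\s){flag} (\S+)", line)
            fields[flag] = m.group(1) if m else None
        yield chain, fields["-s"], fields["-d"], fields["-o"], fields["-j"], line

def blocking_orange_to_red(text, orange=ORANGE, green=GREEN, red_iface="red0"):
    """Return (chain, rule) pairs that DROP/REJECT ORANGE traffic able to reach RED.

    The default ORANGE->GREEN block (destination inside GREEN) is expected and
    skipped; a rule bound to a non-RED output interface is skipped as well.
    """
    hits = []
    for chain, src, dst, out, target, raw in parse_rules(text):
        if target not in ("DROP", "REJECT") or src is None:
            continue
        if not ipaddress.ip_network(src, strict=False).overlaps(orange):
            continue
        if dst is not None and ipaddress.ip_network(dst, strict=False).overlaps(green):
            continue
        if out is not None and out != red_iface:
            continue
        hits.append((chain, raw))
    return hits
```

Run it against real `iptables-save` output on the box; any hit in a CUSTOM* chain points at /etc/sysconfig/firewall.local, any hit in the WUI-managed chain points at a rule on the Firewall Rules page.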
Looks like you were remote into IPFire?
Can you ping from a PC in Green to ipfire.org?
Or ping from a PC in Orange to ipfire.org?
As a side note, an Orange PC must use an external DNS like 8.8.8.8.
I'm remote now and connected with OpenVPN to the green network.
Yes I can, remote at home and physically attached at the green interface in the server room.
Yes I can, but only with extra firewall rule no. 4.
The host machine (Proxmox) has as DNS server the IP of the orange interface, 192.168.2.1.
And there are also LXCs and VMs with 129.168.2.1.
The Nextcloud VM has 127.0.0.53; this is the machine where the reverse proxy runs.
With the old firewall (NethServer) it was running for about 5 years with this configuration.