No way out from orange to red

Hi there

I set up IPFire with red, green and orange network.

RED → internet, fixed IP 192.168.1.2/24 (router has 192.168.1.1)
ORANGE → DMZ, fixed IP 192.168.2.1/24 (a few servers running)
GREEN → fixed IP 192.168.0.10/24 (only access to administrate the IPFire in case of no VPN)

It took me many hours to realise that I have to open ports from orange to red. Otherwise all ports were blocked.

So I thought that from inside orange everything is open to red?? Am I wrong, or is this an old doc: www.ipfire.org - Network topologies and access methods

thx jack

Hallo @cracksilver78

Welcome to the IPFire community.

That document is correct. Traffic from Orange to Red has open access by default.

That is working fine on my IPFire system. I have my TV, BluRay player etc on my Orange and they are able to access the red interface to check for firmware updates without any additional Firewall Rules needing to be in place.

If you disable your port forward rules for Orange to Red and on a machine on your Orange network run the command
ping -c4 ipfire.org
what response do you get?

On my system I get

ping -c4 ipfire.org
PING ipfire.org (81.3.27.38) 56(84) bytes of data.
64 bytes from fw01.ipfire.org (81.3.27.38): icmp_seq=1 ttl=57 time=27.1 ms
64 bytes from fw01.ipfire.org (81.3.27.38): icmp_seq=2 ttl=57 time=26.9 ms
64 bytes from fw01.ipfire.org (81.3.27.38): icmp_seq=3 ttl=57 time=26.6 ms
64 bytes from fw01.ipfire.org (81.3.27.38): icmp_seq=4 ttl=57 time=26.9 ms

--- ipfire.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 26.623/26.898/27.133/0.182 ms

showing that there is an open connection from Orange to Red.

If you get a response showing no connection can be made then a review of your firewall rules would be the next step.

Hi bonnietwin
Thank you for answering.

On a machine in the orange net I got this one after 20 seconds:

After I activate the rule for port 53 orange → red I get a normal response:

Have you changed the setting for the Forward connection from Allowed to Blocked? That would stop all outgoing connections for the orange and green networks (also blue if you had that network).

In the Firewall Options WUI (Web User Interface) menu do you have

or

If the second then all outgoing traffic is blocked unless you define firewall rules.

If you still have the first screenshot with both entries showing Allowed, then maybe you have created a firewall rule that is blocking all traffic going out from Orange to Red in which case can you provide a screenshot of the Firewall Rules page on the WUI.

No, this option is on “allowed”.

Here you have a screenshot of my rules:

I can’t see anything there that would explain why you need to have rule number 4 to get access from Orange to Red.

Just under the Firewall Rules number 1 to 5 there is a colour coded section showing the allowed and blocked accesses and shows that Orange can access Red but is blocked from accessing Green.

I take it that you haven’t added any firewall rules manually into

/etc/sysconfig/firewall.local

If you need rules to allow Orange to access Red then it must mean that somewhere there are some rules that are blocking that access.

However I am running out of ideas as to what is not set correctly that would cause your system to block that access.

Hopefully someone else has some other ideas of things to check.

I know, that’s what’s been confusing me all the time…

And this file, /etc/sysconfig/firewall.local, I didn’t even know it existed.

That’s inside:

Failure in name resolution?
Is the IPFire domain name system set up and working?

hi shaun

It is up and running:

Is this a VM?
Or
Bare metal?

bare metal on a Zotac ZBOX CI329 nano machine

Looks like you were remote into IPFire?
Can you ping from a PC in Green to ipfire.org?
Or ping from a PC in Orange to ipfire.org?
As a side note, an Orange PC must use an external DNS
like 8.8.8.8

I’m remote now and connected with openvpn to the green network.

Yes I can, remote at home and physically attached to the green interface in the server room.

Yes I can, but only with the extra firewall rule no. 4.

The host machine (Proxmox) has as DNS server the IP of the orange interface, 192.168.2.1
And there are also LXCs and VMs with 192.168.2.1
The Nextcloud VM has 127.0.0.53; this is the machine where the reverse proxy runs

With the old firewall (NethServer) it was running for about 5 years with this configuration.

So I changed the DNS in the Nextcloud VM to 8.8.8.8 and now it works without the extra firewall rule no. 4.

I think that is the solution: give every machine an external DNS server like Google 8.8.8.8 or something like that.

On the old firewall it was forwarded by the firewall. So I did not change that and thought IPFire works the same way.

Thanks to everybody for helping me in this case. :+1:

cheers jack

Yes, there is no DNS in the Orange zone.
And no DHCP.

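As an added example, not code from the thread or from the IPFire project: a small POSIX shell diagnostic that separates the two failure modes discussed above, a blocked Orange → Red path versus an Orange host whose resolver points at the Orange address of IPFire, where no DNS is served. It assumes 192.168.2.1 as the Orange address from the opening post, 8.8.8.8 as the external resolver suggested later, and a Linux host with ping and nslookup; the sample ping outputs are constructed, modelled on the output quoted earlier in the thread.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Run on a Linux host in the Orange zone.
# Assumptions (mine, not the thread's): IPFire's Orange interface is 192.168.2.1
# as in the opening post, 8.8.8.8 is the external resolver the thread suggests,
# and ping and nslookup are installed on the host.

ORANGE_GW=192.168.2.1
EXT_DNS=8.8.8.8

# Classify the combined stdout+stderr of `ping -c<n> <target>` (read from stdin).
# Prints exactly one verdict: dns_failure, no_path, reachable, partial_loss, unknown.
classify_ping_output() {
    out=$(cat)
    case "$out" in
        *"failure in name resolution"*|*"Name or service not known"*|*"unknown host"*)
            echo dns_failure ;;   # the name never turned into an IP; forwarding untested
        *"100% packet loss"*|*"Network is unreachable"*|*"Destination Host Unreachable"*)
            echo no_path ;;       # target known, but nothing came back across Red
        *" 0% packet loss"*)
            echo reachable ;;     # Orange -> Red forwarding works for this target
        *"packet loss"*)
            echo partial_loss ;;
        *)
            echo unknown ;;
    esac
}

# Live probe: the checks from the thread, in an order that tells DNS apart from
# a blocked zone. A raw IP needs no resolver, so a DNS-only problem shows up as
# "reachable" on the first line and "dns_failure" on the second.
probe_orange_host() {
    printf 'ping %s by IP:           ' "$EXT_DNS"
    ping -c 2 -W 2 "$EXT_DNS" 2>&1 | classify_ping_output
    printf 'ping ipfire.org by name: '
    ping -c 2 -W 2 ipfire.org 2>&1 | classify_ping_output
    # Ask each resolver directly. IPFire serves no DNS on Orange, so the lookup
    # against the Orange address is expected to fail and the external one to work.
    for server in "$ORANGE_GW" "$EXT_DNS"; do
        if nslookup ipfire.org "$server" >/dev/null 2>&1; then
            echo "DNS via $server: answers"
        else
            echo "DNS via $server: no answer"
        fi
    done
}

# Constructed sample outputs so the classifier can be exercised offline.
SAMPLE_OK='PING ipfire.org (81.3.27.38) 56(84) bytes of data.
64 bytes from fw01.ipfire.org (81.3.27.38): icmp_seq=1 ttl=57 time=27.1 ms

--- ipfire.org ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms'
SAMPLE_DNS='ping: ipfire.org: Temporary failure in name resolution'
SAMPLE_BLOCKED='PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1031ms'

# Return the verdict for one of the constructed samples: ok | dns | blocked.
classify_sample() {
    case "$1" in
        ok)      printf '%s\n' "$SAMPLE_OK"      | classify_ping_output ;;
        dns)     printf '%s\n' "$SAMPLE_DNS"     | classify_ping_output ;;
        blocked) printf '%s\n' "$SAMPLE_BLOCKED" | classify_ping_output ;;
    esac
}

if [ "${1:-}" = "--probe" ]; then
    probe_orange_host
fi
```

Run it as `sh orange-check.sh --probe` on a host in Orange. The pattern described in this thread (rule 4 "fixing" the problem, the host's resolver set to the firewall's Orange address) produces `reachable` for the IP ping, `dns_failure` for the name ping, "no answer" for 192.168.2.1 and "answers" for 8.8.8.8, which points at the resolver setting rather than at the firewall rules.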

So then: anyone who can read has a clear advantage :wink:
