One house, two IPFires each with their own ISP on RED: how to get the two Greens to communicate

Hi all

I have been using IPFire for several years now and my home network has grown significantly. I also have a bigger Proxmox host running dozens of VMs and containers: Home Assistant, Homematic, Node-RED, UniFi stuff etc.

Of course we also work from home and have teenagers with their own gadgets etc. So I wanted to have a separated network and also something of an ISP backup, so I bought Starlink and tried to separate the networks using VLANs on the Mikrotik switches.

As my Proxmox is running 24/7 anyway because of web servers and automation stuff, I wanted to create an IPFire VM and use it for the Starlink network. So far this works fine: the phones and notebooks etc. get IPs and Internet from this VM IPFire. So far so good. Now of course things like the printer, NAS etc. should be usable from both networks, and there I struggle somehow.

The networks are on the same infrastructure, just separated by VLANs on the MK switches.

I created static routes from the x.x.1.0 net to the x.x.111.0 net and vice versa on the other side, but of course there is no communication now. What firewall rules would make sense to allow inter-Green communication?

Below I tried to visualize it. Don’t know if it helps :slight_smile:

Any ideas? I do not need or want WAN failover. I can manually change the gateways on the machines for remote work.

OK, the first option you might consider is to use sub-interfaces and build a VLAN trunk from your switch to your “servers”. Then let your servers host the print and other services on both VLANs of your network.

If it is your desire to actually allow traffic to flow between the networks, then you might consider setting up a third VLAN, allocating a /30 for each of your IPFire routers and then setting up static routes for each LAN segment. So your Starlink router would get a static route for your cable modem router's LAN segment and vice versa.

Using the routing method may have its drawbacks depending on what protocol you are using for services like print. Some of the services do not actually seek printers outside of the local IP network, or require multicast, which I have not seen in use on IPFire.

With the above in mind, once the static routing described above is set up and working, you could type in the IP address of your print server on devices that are not on the same local LAN as the print server to see the available printers.

Keep in mind that if you set up this third IP interface, it will also need to be in the “Green zone” to avoid the need to create zone firewall policies.

IPsec is really not an option?

Give IPFire2 a second fixed green IP via the firewall.local file under start & reload:

# IPFire2: alias address inside green1, plus a route for green1 via IPFire1
ifconfig green0:0 192.168.1.253 netmask 255.255.255.0 broadcast 192.168.1.255
/sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

In IPFire1 add the route in the same file under start & reload:

# IPFire1: reach green2 (192.168.111.0/24) through IPFire2's alias address
/sbin/route add -net 192.168.111.0 netmask 255.255.255.0 gw 192.168.1.253

Should work if both green networks are physically connected.
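The alias-IP approach from the post above, written out as an added example (not the poster's code) in the shape IPFire actually calls firewall.local with, i.e. with start, stop and reload verbs, and using iproute2 instead of the legacy ifconfig/route tools. Everything concrete in it is an assumption: the green NIC is green0 on both boxes, IPFire1's green is 192.168.1.0/24 with IPFire1 at 192.168.1.1, IPFire2's green is 192.168.111.0/24, and 192.168.1.253 is unused. ROLE selects which box the copy runs on; DRY_RUN=1 prints the commands instead of executing them. Note that the /24 on the alias already makes 192.168.1.0/24 a connected route on IPFire2, so the example adds no separate route back to IPFire1.

```shell
#!/bin/sh
# Added example, not from the post: firewall.local fragment for the alias-IP
# interconnect between two green networks on one switch fabric.
# Assumptions (not from the thread): green NIC is green0 on both boxes,
# IPFire1 = 192.168.1.1/24, IPFire2 green = 192.168.111.0/24, 192.168.1.253 free.
# ROLE=ipfire1|ipfire2 selects the box; DRY_RUN=1 prints instead of executing.

ROLE="${ROLE:-ipfire2}"
GREEN_IF="${GREEN_IF:-green0}"
ALIAS="192.168.1.253/24"          # address IPFire2 holds inside green1
GREEN2_NET="192.168.111.0/24"     # IPFire2's own green network

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# IPFire2: put the alias on green0. With the /24 the kernel installs a
# connected route for 192.168.1.0/24, so nothing else is needed here.
ipfire2_start() { run ip addr replace "$ALIAS" dev "$GREEN_IF" label "${GREEN_IF}:0"; }
ipfire2_stop()  { run ip addr del "$ALIAS" dev "$GREEN_IF"; }

# IPFire1: send traffic for green2 to the alias on the shared segment.
ipfire1_start() { run ip route replace "$GREEN2_NET" via "${ALIAS%/*}" dev "$GREEN_IF"; }
ipfire1_stop()  { run ip route del "$GREEN2_NET" via "${ALIAS%/*}" dev "$GREEN_IF"; }

# Dispatcher for the verbs IPFire passes to firewall.local.
firewall_local() {
    case "$ROLE:$1" in
        ipfire1:start)  ipfire1_start ;;
        ipfire1:stop)   ipfire1_stop ;;
        ipfire1:reload) ipfire1_stop; ipfire1_start ;;
        ipfire2:start)  ipfire2_start ;;
        ipfire2:stop)   ipfire2_stop ;;
        ipfire2:reload) ipfire2_stop; ipfire2_start ;;
        *) echo "usage: ROLE=ipfire1|ipfire2 $0 {start|stop|reload}" >&2; return 1 ;;
    esac
}

case "${1:-}" in
    start|stop|reload) firewall_local "$1" ;;
esac
```

One thing to expect with this layout: IPFire1 forwards green1-to-green2 packets back out the same interface they arrived on, so it sends ICMP redirects and green1 hosts that honour them start talking to 192.168.1.253 directly, while replies from green2 go via IPFire2's alias and never pass IPFire1 at all. Both directions stay inside the green zone on each box, which is why no extra firewall rules are needed.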

Another option would be to set up a net-to-net OpenVPN connection between the two IPFire machines via the Internet.

That would create you an encrypted tunnel between the two IPFire machines.

In terms of static routes I can’t help. I have never used those.

Hi William, Adolf and others

Thanks a lot for your thoughts. I really do not want to set up print servers and such stuff. These are all IP printers and scanners, so I really just want to be able to find them by adding the IPs manually on the machines they are used on. Besides these two green nets I have 6 OpenVPN net-to-net connections to other houses and even office spaces. So we are used to using IP addresses to connect to the NASes and printers on these remote sites.

I think it would be overkill to set up an additional OpenVPN net for an additional net in the same house, so there is no need to have traffic flowing over the red interfaces; this would also further compromise my uplink speed on the cable modem, where the web servers are running with sometimes up to 400 hits a second to this server with lots of forums and other stuff.

So I need to free up the uplink so it is not congested with other traffic. That is the reason I invested in a Starlink connection for all the rest. Our other ISPs here are useless, as the speeds are so low and they are even more expensive than Starlink for less performance.

I therefore would really like to only have a simple interconnection between these two green networks.

Also my IPFire will not be reachable from outside due to the network setup on the Starlink side with their own private NAT in between. I do not get a public IP; I get an internal IP from Starlink. Would IPsec or OpenVPN even work in this case?

I think an overall description of your network design and the task of the IPFire machines therein would help us to help you.

Having looked at your diagram again, I have noted that IPFire1 has a green1 subnet of 192.168.1.0/24 while IPFire2 has a green2 subnet of 192.168.111.0/24.

They are totally separate subnets, so the only way I would expect that you could communicate directly from green1 to green2 would be if you had another IPFire or other router (physical or virtual) connecting between green1 and green2 to do the routing between those two subnets.


I am very glad to hear that you are comfortable adding printers by IP address. That makes things so much easier.

My recommendation would be as follows:

  1. Create a new VLAN ID on your switch for the purpose of routing between your existing LAN networks.

  2. Configure your switch ports as a trunk to both of your IPFire routers and allow the new “Routing” VLAN in addition to the VLANs that they use today. Don't add the VLAN of the other IPFire's LAN segment to the port.
    Note about the switch configuration: I would leave the native (untagged) VLAN number of the switch port as that of the LAN segment they route for today, and the routing VLAN would be 802.1Q tagged.

  3. Move your existing IP interfaces over to VLAN sub-interfaces and assign them to the green zone. Be sure to configure the new LAN sub-interfaces as (native) untagged and the new routing interface as “tagged” with the VLAN # of the new VLAN you added on your switch for “routing”.

  4. Allocate the /30 I mentioned previously, and assign and configure an IP from the /30 on each of the routers.

  5. At this point the IPFire routers would be able to ping each other if everything is properly set. Test to confirm before proceeding from this step.

  6. Now configure routing. On the cable modem IPFire add a static route that points to the Satellite LAN network using the Satellite IPFire's routing IP from the /30 as the next hop.
    On the Satellite IPFire add a static route that points to the Cable LAN network using the Cable IPFire's routing IP from the /30 as the next hop.

  7. At this point you should be able to ping the LAN network of Satellite from the Cable IPFire and vice versa. You should also be able to ping between the two LAN networks. Verify this is true before proceeding.

  8. Now all you have to do is add an IP printer like you have experience doing. You can use step 7 to ping between LANs to confirm before adding the printer as needed.

Please remember that all of the IP sub interfaces that have been created must be in the green zone for the above to work.
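The routing-VLAN procedure above, steps 3 to 7, as an added example (not the poster's configuration) in plain iproute2 commands for one IPFire box, with the same-/30 sanity check and the two-stage ping test a practitioner would run before touching printers. On a real IPFire the VLAN and the static routes would normally be entered through the web UI and setup, so these commands only show what the end state has to look like. All concrete values are assumptions, not from the thread: the trunk NIC is green0, the routing VLAN is tag 99, the transit network is 10.255.0.0/30 with the cable IPFire at .1 and the Starlink IPFire at .2, and the LANs are 192.168.1.0/24 (cable, gateway .1) and 192.168.111.0/24 (Starlink, gateway .1). ROLE=cable|starlink selects the box and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the post: one box's share of the routing-VLAN
# interconnect (steps 3-7 above) as iproute2 commands plus checks.
# Assumptions (not from the thread): trunk NIC green0, routing VLAN 99,
# transit 10.255.0.0/30 (cable .1, Starlink .2), LANs 192.168.1.0/24 with
# gateway .1 (cable) and 192.168.111.0/24 with gateway .1 (Starlink).
# ROLE=cable|starlink selects the box; DRY_RUN=1 prints instead of executing.

ROLE="${ROLE:-cable}"
TRUNK_IF="${TRUNK_IF:-green0}"
VLAN_ID="${VLAN_ID:-99}"
VLAN_IF="${TRUNK_IF}.${VLAN_ID}"
TRANSIT_PFX=30
CABLE_TRANSIT="10.255.0.1";    CABLE_LAN="192.168.1.0/24";     CABLE_GW="192.168.1.1"
STARLINK_TRANSIT="10.255.0.2"; STARLINK_LAN="192.168.111.0/24"; STARLINK_GW="192.168.111.1"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True when two addresses share one /30: same first three octets and the
# same block of four in the last octet. Catches .1/.4 or a third-octet typo,
# the usual reason step 5 fails even though the VLAN itself is fine.
same_slash30() {
    [ "${1%.*}" = "${2%.*}" ] || return 1
    [ $(( ${1##*.} / 4 )) -eq $(( ${2##*.} / 4 )) ]
}

# Resolve this box's transit address and the peer's address, LAN and gateway.
role_vars() {
    case "$ROLE" in
        cable)    MY_IP=$CABLE_TRANSIT;    PEER_IP=$STARLINK_TRANSIT; PEER_LAN=$STARLINK_LAN; PEER_GW=$STARLINK_GW ;;
        starlink) MY_IP=$STARLINK_TRANSIT; PEER_IP=$CABLE_TRANSIT;    PEER_LAN=$CABLE_LAN;    PEER_GW=$CABLE_GW ;;
        *) echo "unknown ROLE: $ROLE" >&2; return 1 ;;
    esac
}

# Steps 3-4: tagged sub-interface on the trunk and the /30 address on it.
setup_transit() {
    role_vars || return 1
    same_slash30 "$MY_IP" "$PEER_IP" || { echo "$MY_IP and $PEER_IP are not in one /30" >&2; return 1; }
    ip link show "$VLAN_IF" >/dev/null 2>&1 || run ip link add link "$TRUNK_IF" name "$VLAN_IF" type vlan id "$VLAN_ID"
    run ip link set "$VLAN_IF" up
    run ip addr replace "${MY_IP}/${TRANSIT_PFX}" dev "$VLAN_IF"
}

# Step 6: static route to the other LAN with the peer's transit IP as next hop.
setup_route() {
    role_vars || return 1
    run ip route replace "$PEER_LAN" via "$PEER_IP" dev "$VLAN_IF"
}

# Steps 5 and 7 in order: if the first ping fails the trunk or VLAN tag is
# wrong; if only the second fails, look at the route or the zone assignment.
check_path() {
    role_vars || return 1
    run ping -c 1 -W 2 "$PEER_IP" || { echo "peer $PEER_IP unreachable on VLAN $VLAN_ID" >&2; return 1; }
    run ping -c 1 -W 2 "$PEER_GW" || { echo "far LAN $PEER_LAN unreachable via $PEER_IP" >&2; return 1; }
}

case "${1:-}" in
    transit) setup_transit ;;
    route)   setup_route ;;
    check)   check_path ;;
    all)     setup_transit && setup_route && check_path ;;
esac
```

Run it as ROLE=cable ./routing-vlan.sh all on one box and ROLE=starlink on the other; the check stage deliberately stops at the first failing hop so the trunk, the /30 and the routes get debugged one at a time, which is exactly the order the numbered steps above ask you to verify in.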

This is not necessary. I have already posted the solution to the problem.

Thanks to all for their suggestions.

I did an in-between thing of Adolf's and Steven's proposals.

Instead of tweaking the green networks on the respective IPFires, I just added a third virtual NIC to the virtual IPFire, gave it the blue interface and an IP on the hardware IPFire's network like 192.168.1.253.

Tweaked the firewall rules to allow the respective other ranges and also set up the “allow all devices” trick on the blue network on the virtual IPFire to basically allow all devices on the virtual IPFire's blue net.

I first experimented with a RouterOS from Mikrotik as a third “connecting” router and set the respective IPs to use the actual ones from both firewalls. The ping and routing of the packets worked straight away, but I was not able to open any WebUI on these remote networks. I tried for several hours with firewall rules on all devices and was able to get it half working with NAT and masquerading, but never fully, so I resorted back to this “hack” :slight_smile:

I wish I could rename the interface in the virtual IPFire to be LAN2 instead of “Wireless”, but hey, if this is the only issue I can work with that :slight_smile:

You said you gave it the blue interface, but it is a zone firewall and not an interface-based firewall. Glad it is working, but it should also be true that you could put the interfaces into the green zone and have it all work without the blue zone.

It is also true that with your current setup you could add future rules to restrict access on the firewall that has the blue and green zones set up, so that could be nice. Congrats!