Port forwarding to the DMZ?


I set up the VPN server in the DMZ and want to run dynDNS and WireGuard there. But what about port forwarding? Is it enough to forward the WireGuard port from the ISP router to the red network of the IPFire, or must I set a rule for forwarding from the ipfireRED to the DMZ?


You have to have a rule to forward the port from red to orange, otherwise IPFire will just block the connection coming in to red if there is no Port Forward Rule.

OK, so I made a rule for the TCP/UDP port of WireGuard from ipfireRED to the VPN server in the DMZ, with destination NAT and the ipfireRED IP.
For dynDNS I don't need any forwarding, do I?

Correct. The dynamic DNS is just there to make a connection to your red network connection using an FQDN rather than the IP address that your ISP has given you.

Just as a check, in your first post you said

What do you mean by wanting to run dynDNS in your Orange DMZ?

I run the VPN server in the DMZ of the IPFire and grant access just to the Pi-hole DNS server within green.
So I can use WireGuard with the Pi-hole DNS blocking on the road.

If you are using the DDNS name in your WireGuard configuration, then as long as you have access to a DNS resolver that can tell WireGuard what the IP is, nothing further should be needed for DDNS.

Yes, I understood it that way. It works.

But is there any possibility to restrict the forwarding from the whole RED network to just the clients which are set up on the WireGuard server? The IP of (for example) my smartphone will change after some time.

Yes, if you know what the IPs of those clients are, then you can group those clients together in a firewall host group and specify that as the only allowed sources.

However, if the client smartphones get their IPs from the internet hotspot being joined, then that will not be possible, as you will get different IPs every time, even from the same location.

OK, thanks. So there is no really useful possibility to restrict clients, since the IP address the smartphone gets from the ISP will change from time to time.

Now something went wrong and I get no connection via VPN anymore. In the logs I can see a drop from the smartphone IP to the redIP of the IPFire. I have port forwarding from RED to the DMZ server and I have port forwarding from the ISP router to the redIP of the IPFire. So I thought it would work that way.

As it seems, I still have problems with some forwarding.

  1. I forwarded the standard network RED, with destination NAT and the redIP of the IPFire, to the IP of the server in the DMZ and allowed the TCP/UDP WireGuard port.
  2. I get CTINVALID ICMP drops from the DMZ server IP to the websites I want to open on the smartphone.
  3. There is a rule for the DMZ server with source NAT of the redIP of the IPFire to the standard network RED for all protocols.

Maybe it has something to do with the Pi-hole DNS server within green.
I set it in the DMZ VPN server as DNS and grant access via a pinhole to the IP of the DNS server.
In the logs I can see the forward from the DMZ server to the IP of the DNS server in green, but CTINVALID ICMP drops for the websites I open on the smartphone with WireGuard.

As it seems, there are no TCP transfers, only ICMP. All protocols from the DMZ server to RED are allowed.
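The two symptoms in this thread (a drop from the smartphone IP at the redIP, and CTINVALID ICMP drops from the DMZ server) both show up as netfilter log lines, and sorting those lines by what they actually mean is the first step before touching the rules. The script below is an added example, not code from this thread or from IPFire: it parses netfilter-style `key=value` log lines, separates "UDP to the WireGuard port dropped on red" (no port-forward rule matched, as the answer in this thread explains) from "ICMP from the DMZ host rejected by connection tracking as INVALID", and notes whether any TCP from the DMZ host towards red appears at all. The interface names, addresses, port and log prefixes are constructed assumptions; compare the prefixes with what your own syslog shows.

```python
"""Triage netfilter-style firewall log lines for the WireGuard-in-DMZ scenario.

Added example; the addresses, interface names, port and log prefixes below are
constructed assumptions, not values from the thread or from IPFire itself.
"""
import re
from collections import Counter

RED_IF = "red0"             # assumed interface names
ORANGE_IF = "orange0"
WG_PORT = 51820             # WireGuard's default listen port (assumed here)
DMZ_SERVER = "192.0.2.20"   # constructed address of the VPN server in orange

# Constructed sample lines in netfilter LOG key=value style. The prefixes
# (DROP_INPUT, DROP_CTINVALID, ...) are assumed; check them against your syslog.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=156 PROTO=UDP SPT=41234 DPT=51820 LEN=136
Jan 10 10:00:05 fw kernel: DROP_CTINVALID IN=orange0 OUT=red0 SRC=192.0.2.20 DST=93.184.216.34 LEN=84 PROTO=ICMP TYPE=3 CODE=4
Jan 10 10:00:06 fw kernel: DROP_CTINVALID IN=orange0 OUT=red0 SRC=192.0.2.20 DST=93.184.216.35 LEN=84 PROTO=ICMP TYPE=11 CODE=0
Jan 10 10:00:07 fw kernel: FORWARD IN=orange0 OUT=green0 SRC=192.0.2.20 DST=10.0.0.53 LEN=70 PROTO=UDP SPT=5353 DPT=53
Jan 10 10:00:09 fw kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=10.0.0.77 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=5555 DPT=23
"""

LINE_RE = re.compile(r"kernel:\s+(?P<prefix>\S+)\s+(?P<kv>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

HINTS = {
    "wg_port_dropped_on_red": "UDP to the WireGuard port dropped on red: no port-forward rule "
                              "matched, so the red -> orange DNAT for that port is missing or wrong",
    "dmz_icmp_ctinvalid": "ICMP from the DMZ server rejected by connection tracking as INVALID: "
                          "it belongs to no tracked flow, so look at the TCP flows it refers to",
    "other_drop": "drop unrelated to the WireGuard forward",
}


def parse_line(line):
    """Parse one kernel log line into a dict of key=value fields plus its log prefix."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for key, val in KV_RE.findall(m.group("kv")):
        rec.setdefault(key, val)  # LEN appears twice (IP, then UDP); keep the first
    return rec


def parse_log(text):
    """Parse every line that looks like a netfilter log entry; skip the rest."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def classify(rec):
    """Label a dropped record; entries that were not drops return None."""
    if not rec["prefix"].startswith("DROP"):
        return None
    proto = rec.get("PROTO")
    if rec.get("IN") == RED_IF and proto == "UDP" and rec.get("DPT") == str(WG_PORT):
        return "wg_port_dropped_on_red"
    if rec["prefix"] == "DROP_CTINVALID" and proto == "ICMP" and rec.get("SRC") == DMZ_SERVER:
        return "dmz_icmp_ctinvalid"
    return "other_drop"


def triage(text):
    """Count the drops relevant to the forward and check for TCP from the DMZ host towards red."""
    recs = parse_log(text)
    findings = Counter(f for f in map(classify, recs) if f)
    tcp_from_dmz_to_red = any(
        r.get("SRC") == DMZ_SERVER and r.get("PROTO") == "TCP" and r.get("OUT") == RED_IF
        for r in recs
    )
    return {
        "findings": dict(findings),
        "dmz_tcp_to_red_seen": tcp_from_dmz_to_red,
        "hints": [HINTS[f] for f in findings],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, count in result["findings"].items():
        print(f"{count:3d}  {name}: {HINTS[name]}")
    print("TCP from the DMZ server towards red seen in the log:", result["dmz_tcp_to_red_seen"])
```

Run it against `/var/log/messages` (or wherever your firewall writes kernel log lines) with `triage(open(path).read())`. A count under `wg_port_dropped_on_red` means the handshake never got past red, which is the "no Port Forward Rule" case from the answer above; CTINVALID ICMP without any TCP from the DMZ host towards red matches the last symptom in the thread, where only ICMP shows up in the log.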