Port forwarding to the DMZ?

fstarter · 28 June 2023 10:15

Hey,

I set the VPN server in the DMZ and want to run dynDNS and wireguard there. But what about port forwarding? Is it enough to forward the wireguard port from the ISP router to the red network of the ipfire or must I set a rule for forwarding from the ipfireRED to the DMZ?

Cheers
ifstarter

bonnietwin · 28 June 2023 10:32

You have to have a rule to forward the port from red to orange otherwise IPFire will just block the connection coming in to red if there is no Port Forward Rule.

fstarter · 28 June 2023 10:36

ok, so I made a rule with TCP/UDP port of the wireguard from ipfireRED to the VPN server in the DMZ with destination NAT and ipfireRED IP.
For dynDNS I don’t need any forwarding, isn’t it?

bonnietwin · 28 June 2023 11:14

Correct. The dynamic dns is just to make a connection to your red network connection using a FQDN rather than the IP Address that your ISP has given you.

Just as a check, in your first post you said

What do you mean by wanting to run dynDNS in your Orange DMZ.

fstarter · 28 June 2023 11:29

I run VPN server in DMZ of the ipfire and grant access just to the pihole DNS server within green.
So I can use wireguard with the pihole DNS blocking on the road.

bonnietwin · 28 June 2023 11:31

If you are using the DDNS name in your wireguard configuration then if you have access to a DNS resolve that can tell wireguard what the IP is then nothing further should be needed for DDNS.

fstarter · 28 June 2023 11:37

yes, I understood it that way. It works.

But is there any possibility to restrict the forwarding from the whole RED network just to the clients which are set on the wireguard server? The IP of (for example) my smartphone will change after some time.

bonnietwin · 28 June 2023 11:44

Yes if you know what the IP’s of those clients are then you can group those clients together in a firewall host group and specify that as the only allowed sources.

However if the client smartphones get their IP’s from the internet hot spot being joined then that will not be possible as you will get different IP’s every time, even from the same location.

fstarter · 28 June 2023 11:49

ok, thanks. So there is no really useful possibility to restrict clients for the IP address from the ISP of the smartphone will change from time to time.

Now something went wrong and i get no connection via VPN anymore. In logs I can see a drop from the smartphone IP to the redIP of the ipfire. I have port forwarding from RED to DMZ server and I have port forwarding from ISP router to the redIP of the ipfire. So I thought, it would work that way.

As it seems, I have still problems with some forwarding.

I forwarded the standard network RED with destination NAT and redIP of the ipfire to the IP of the server in DMZ and allowed TCP/UDP wireguard port.
I get CTINVALID ICMP drops from DMZ server IP to the websites I want to open in the smartphone
There is a rule for DMZ server with source NAT of the redIP of the ipfire to the standard network RED for all protocols

Maybe it has something to do with the piHole DNS server within green.
I set it in the DMZ VPN server as DNS and grant access via pinhole to the IP of the DNS server.
In logs I can see the forward from 10.1.1.2 (DMZ server) to the IP of the DNSserver in green, but the CTINVALID ICMP drops for the 10.1.1.2 to the websites I open in smartphone with wireguard.

As it seems, there no transfers of TCP but ICMP. All protocols from DMZ server to RED are allowed.