Port forwarding to the DMZ?

OK, thanks. So there is no really useful possibility to restrict clients, since the IP address from the smartphone's ISP will change from time to time.

Now something went wrong and I get no connection via VPN anymore. In the logs I can see a drop from the smartphone IP to the redIP of the IPFire. I have port forwarding from RED to the DMZ server and I have port forwarding from the ISP router to the redIP of the IPFire. So I thought it would work that way.

As it seems, I have still problems with some forwarding.

  1. I forwarded the standard network RED with destination NAT and the redIP of the IPFire to the IP of the server in the DMZ and allowed the TCP/UDP WireGuard port.
  2. I get CTINVALID ICMP drops from the DMZ server IP to the websites I want to open on the smartphone.
  3. There is a rule for the DMZ server with source NAT of the redIP of the IPFire to the standard network RED for all protocols.

Maybe it has something to do with the Pi-hole DNS server within green.
I set it in the DMZ VPN server as DNS and grant access via a pinhole to the IP of the DNS server.
In the logs I can see the forward from 10.1.1.2 (DMZ server) to the IP of the DNS server in green, but the CTINVALID ICMP drops for 10.1.1.2 to the websites I open on the smartphone with WireGuard.

As it seems, there are no TCP transfers, only ICMP. All protocols from the DMZ server to RED are allowed.