Hi, my neighbor wants to use my DSL. Because he has his own router, I pulled a cable to him and connected the WAN from his router to my green network. It works wonderfully. His router assigns the IPs in his network and gets the internet connection from my green network.
My green network: 192.168.1.0/24
His network from the router: 192.168.0.0/24
The problem: His computers on his network (different subnetwork that the router assigns) have access to my devices in the green network.
Now I thought I would set up a rule:
Source address: 192.168.0.0/24
Destination (firewall: GREEN)
DROP
Unfortunately, it doesn’t work as expected. Does somebody has any idea?
I want to lock his subnet out of my greenery and ONLY allow him to use red.
I also tried source = WAN MAC address from his router.
Hey, does IPFire the DSL-Login or is there something in front of IPFire? If so option 1: plug your neighbor direct to that device or use a switch to bring RED of IPFire, that device and the net of your neibor together. That would be a kind of DMZ.
Option 2: bring up another NIC in IPFire and configure it to eg. ORANGE (other zone than GREEN) and plug him to that interface.
Maybe there are more options and others will have different ideas.
– simulacron
Unfortunately it is not possible. Based on hardware. There is only one cable from the IPFire to the switch where my neighbor is connected to. This is technically not possible because the cable is laid over many meters as an underground cable. In addition, Orange is already set up and there are several devices in the network.
So the solution would only involve major construction work.
Yeah, you could also start to operate with VLANs. But that also requires additional hardware.
I don’t think that it’s a good approach to rely only on IP-based firewall rules since you can’t control the IP setup of your neighbor. So you need something port-based in terms of a network interface, either in hardware or as virtual device (eg. VLAN).
How will you ensure, that the suspected traffic passes the router/firewall? IP, MAC, whatever. If you plug something to GREEN then you simply can not control this with the firewall respective the traffic among each other. The router of your neighbor and any device behind that can connect direct to any device in your GREEN subnet. No rule in the firewall would ever see this traffic. It is probably the common mistake with you, that a firewall can filter within a network segment simply by making it a part of this network segment - but that’s totally wrong. Devices within the same network segment are communicating direct.
What’s left? Maybe you could work around this by defining a divergent netmask other then 255.255.255.0 and force the traffic to be routed through IPFire this way although both are on the GREEN Zone. E.g. netmask 255.255.255.128 which would separate your GREEN subnet into two parts, 192.168.1.1 to .126 (yours) and 192.168.1.129 to .254 (neighbors). At this point I wouldn’t know if this scenario is possible with IPFire and how rules, routing, dns, dhcp aso. are setup in this case.
But again, who garantees that the IP-Configuration of the neighbor-device stays as needed?
