Hello dear Ipfire Community. I haven’t really gotten into firewalls yet but I want to start.
I installed Ipfire on a Raspberry p4 and I can access the WebGUI.
I set the green Ethernet card to 192.168.0.180 and the red to 192.168.0.181, gateway 0.0.0.0.
There is a PC with the address 192.168.0.50 on the green Ethernet card and a small server on the red Ethernet card. The PC does not have access to the server and I cannot ping it.
In the firewall options I have Forward and Outgoing set to Allow. Do not create firewall rules.
In Zone Configuration, the red card is on default as is the green one. The corresponding MAC address of the cards is on native for the relevant color.
Nothing else is configured.
Can you give me tips on how the PC can access the server, with a little explanation?
I am not sure I understand the question. It might help us to draw a network diagram. It can be hand drawn or created with something like https://www.drawio.com.
If you are asking about the connection to the ISP then that is difficult to answer without knowing how your ISP set up its connections.
Those Workstations must be on an Ethernet switch. Would you add that to the diagram please, so that we understand the resulting connectivity. In the current diagram, each workstation would itself have to be a router, having two Ethernet interfaces.
Also, unless we understand what access is required to the server, we can’t be confident that it is in a suitable network topology.
2 routers are sometimes used for zone isolation.
Yes. Yes Double NAT.
Some people refer to the internet facing router as an “Edge router”.
So you could have Game consoles, guest wifi, Game servers, and IOT here.
Then 2nd router for PC, backup server, NAS.
It depends how you want to break up your traffic.
I have a basic knowledge of IP addresses etc., and I don’t have much knowledge of firewalls yet. That’s why I wanted to start with a little experiment. The “server” is a small Raspberry P4 Nextcloud server, so small and nothing important. Only cell phone pictures are saved on it.
And yes, it is actually normal for a firewall to protect the internal network from the external network (Internet). I just want to build a small config to understand it. Hence the post here. I roughly drew a picture again of what it looks like to me.
If you could roughly describe to me how I should set the IP addresses on the Ipfire as well as the address of the server and the workstations.
Thank you in advance,
Any useful topology would require another Ethernet switch, on the green0 side of the IPFire. Do you have such or are you prepared to acquire one? If not, then you could test the arrangement with one workstation on the green0 Ethernet. A workstation on green0 is required to finalise network setup with IPFire. Work through IPFire configuration
You have the Red & Green interfaces reversed. RED0 should be facing the router.
Server could be either on the GREEN, separate switch or be in a third ORANGE network, for a DMZ. Is the latter what you intended depicting with the Orange colour?
It is fairly common for most sockets on the Router/Switch to be unused, when IPFire is deployed. Don’t worry about it.
After you deploy a GREEN Ethernet switch, the workstations could be moved to that, where they would be better protected.
Which IP addresses should the server and the red interface have according to the example image?
What do I have to enable in the firewall so that the workstation can access the server?
You could give the red0 interface address 192.168.1.1, which would be a conventional address for it.
Server could be 192.168.0.10.
Workstations should then be able to access the server, without any firewall rules. However, if either workstations or server have any IP ports (eg 22) blocked then those might need to be opened, depending on what traffic moves between workstations and server.
So I now have the green interface on 192.168.0.180 - 255.255.255.0 and the red one on 192.168.1.1 - 255.255.255.0 and gateway 0.0.0.0. No firewall rule. The server is 192.168.0.170 - 255.255.255.0.
The workstation has the 192.168.0.80 - 255.255.255.0.
However, I can’t access the server’s shares or other server services.
an orange network (DMZ) with your server(s): no DHCP service and static IP addresses for all computers
a green network with your workstation(s): DHCP service to assign fixed or non-fixed IP addresses
a red network connected to your modem (FRITZBOX)
With RPI hardware for your IPFire, you must add 2 USB network interfaces for orange and red or green, but take care with this kind of interface: the speed… from experience, I have tried it and it’s not the same as x86 hardware…
Read : wiki.ipfire.org - Setting up a DMZ
Regards
Sébastien
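
Added example, not written by any poster in this thread: a small address-plan check applied to the two configurations quoted above. The /24 masks for the first post and the cabling of the server in the later post are assumptions, since the thread does not state them.

```python
import ipaddress
from itertools import combinations


def check_plan(zones, hosts):
    """Return the addressing problems in a routed multi-zone plan.

    zones: {zone: "interface_ip/prefix"}; hosts: [(name, ip, zone_cabled_to)]
    """
    nets = {z: ipaddress.ip_interface(a).network for z, a in zones.items()}
    problems = []
    # The firewall routes between zones, so every zone needs its own subnet.
    for (za, na), (zb, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{za} {na} overlaps {zb} {nb}")
    # A host must be addressed inside the subnet of the zone it is cabled to.
    for name, ip, zone in hosts:
        if ipaddress.ip_address(ip) not in nets[zone]:
            problems.append(f"{name} {ip} is outside {zone} {nets[zone]}")
    return problems


# Addresses from the first post (/24 masks assumed; server address not given).
FIRST_POST = check_plan(
    {"green": "192.168.0.180/24", "red": "192.168.0.181/24"},
    [("pc", "192.168.0.50", "green")],
)

# Addresses from the later post. The server's cabling is not stated there, so
# both possibilities are checked.
LATER_ZONES = {"green": "192.168.0.180/24", "red": "192.168.1.1/24"}
SERVER_ON_RED = check_plan(LATER_ZONES, [
    ("workstation", "192.168.0.80", "green"),
    ("server", "192.168.0.170", "red"),
])
SERVER_ON_GREEN = check_plan(LATER_ZONES, [
    ("workstation", "192.168.0.80", "green"),
    ("server", "192.168.0.170", "green"),
])

if __name__ == "__main__":
    for label, result in [("first post", FIRST_POST),
                          ("later post, server on red", SERVER_ON_RED),
                          ("later post, server on green", SERVER_ON_GREEN)]:
        print(label, "->", result or "no addressing problems")
```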