Question about initial configuration

Question about initial configuration,

Hello dear Ipfire Community. I haven’t really gotten into firewalls yet but I want to start.

I installed Ipfire on a Raspberry p4 and I can access the WebGUi.
I set the green Ethernet card to and the red to, gateway

There is a PC with the address on the green Ethernet card and a small server on the red Ethernet card. The PC does not have access to the server and I cannot ping it.
In the firewall options I have Forward and Outgoing set to Allow. Do not create firewall rules.
In Zone Configuration, the red card is on default as is the green one. The corresponding MAC address of the cards is on native for the relevant color.

Nothing else is configured.

Can you give me tips on how the PC can access the server with a little explanation :slight_smile:

red and green must be on two different subnets. Your red & green IP addresses are in the same 192.168.0.n subnet.

This setup wiki page might help.


Okay, I set the green to and the red to

Must the Server the Netadress same like the red Card ? Also 192.168.1.x ?


I am not sure I understand the question. It might help us to draw a network diagram. It can be hand drawn or created with something like

If you are asking about the connection to the ISP then that is difficult to answer without knowing how your ISP setup its connections.

Read through this:

and let us know.

EDIT: This might help you get started.


First of all, thank you very much for your help.

I want the clients to have a secure connection to the server and only certain packets/ports come through.

The clients have an independent connection to the Internet.

Can I realize this like that?

I connected the example picture with a Raspberry in the same way.


I think this can be done.

To me the big issues would be (based on the drawing above):

  • the Server has zero access to the internet
  • and the IPFire wall RPi4 has zero access to the internet.
  • and probably a few other issues that do not come to mind…

Which means no updates, no clock (NTP), and many of the IPFire may not function as intended.

Is that what is needed for your setup?

1 Like

Hello Jon,

yes that´s it is :slight_smile:

I know that I can’t do any updates or anything else. But that’s later

try this…

IPFire RPi4 side (red zone)

Server side (red zone)

IP address =
Network mask:
Gateway =

I am guessing on the gateway so you will need to experiment!

Those Workstations must be on an Ethernet switch. Would you add that to the diagram please, so that we understand the resulting connectivity. In the current diagram, each workstation would itself have to be a router, having two Ethernet interfaces.

Also, unless we understand what access is required to the server, we can’t be confident that it is in a suitable network topology.


Perhaps I misunderstand the desired topology.

A firewall, by definition, serves as a buffer between an ISP and a local network.

I fail to understand how any connections between any machines in a local network and the ISP should exist without protection via the firewall.

Any local machines should be on a local network, and have NO CONNECTION to the ISP except through the firewall.

Do I misunderstand your configuration?


2 routers are sometimes used for zone isolation.
Yes. Yes Double NAT.
Some peaple refer to the internet facing router as a “Edge router”
So you could have Game consoles, guest wifi, Game servers, and IOT here.
Then 2nd router for PC, backup server, NAS.
It depends how you want to brake up your traffic.

First of all, sorry for the late reply,

I have a basic knowledge of IP addresses etc., and I don’t have much knowledge of firewalls yet. That’s why I wanted to start with a little experiment. The “server” is a small Raspberry P4 Nextcloud server, so small and nothing important. Only cell phone pictures are saved on it.
And yes, it is actually normal for a firewall to protect the internal network from the external network (Internet). I just want to build a small config to understand it. Hence the post here. I roughly drew a picture again of what it looks like to me.
If you could roughly describe to me how I should set the IP addresses on the Ipfire as well as the address of the server and the workstations.
Thank you in advance,

Any useful topology would require another Ethernet switch, on the green0 side of the IPFire. Do you have such or are you prepared to acquire one ? If not, then you could test the arrangement with one workstation on the green0 Ethernet. A workstation on green0 is required to finalise network setup with IPFire. Work through IPFire configuration

1 Like

Like this ?

You have the Red & Green interfaces reversed. RED0 should be facing the router.

Server could be either on the GREEN, separate switch or be in a third ORANGE network, for a DMZ. Is the latter what you intended depicting with the Orange colour ?

It is fairly common for most sockets on the Router/Switch to be unused, when IPFire is deployed. Don’t worry about it.

After you deploy a GREEN Ethernet switch, the workstations could be moved to that, where they would be better protected.

1 Like


Which IP addresses should the server and the red interface have according to the example image?
What do I have to enable in the firewall so that the workstation can access the server?

You could give the red0 interface address, which would be a conventional address for it.

Server could be

Workstations should then be able to access the server, without any firewall rules. However, if either workstations or server have any IP ports (eg 22) blocked then those might need to be opened, depending on what traffic moves between workstations and server.

1 Like

Hey Rodney, thanks for the quick help.

So I now have the green interface on - and the red one on - and gateway No firewall rule. The server is -
The workstation has the -

However, I can’t access the server’s shares or other server services.

Do I have to set anything else?

I think you should configure on your IPFire :

  • an orange network (DMZ) with your(s) server(s) : no DHCP service and static IP addresses for all computer
  • a green network with your(s) workstation(s) : DHCP service to attribute fixed IP addresses or not fixed
  • a red network connected to your modem (FRITZBOX)
    With a RPI hardware for your IPFire, you must add 2 USB network interfaces for orange and red or green, but take care with this kind of interface : the speed… by experience, I have tried and it’s not the same than a hardware x86…
    Read : - Setting up a DMZ

Please redraw your topology after the address changes. It is difficult to assess your problem without that.

1 Like