Sorry for the very late reaction. I wasn’t online the last three weeks (yes, this is possible).
I think the main problem in this thread isn’t the association of IPs etc. It is the network topology (including the right connections). The wiki articles cited give a good introduction to this topic.
In short, the philosophy of IPFire (and many other firewall routers) is:
interface RED — WAN, the whole internet
interface GREEN — LAN on ethernet, the place for local devices
interface BLUE — LAN in wifi, the place for wireless local devices
interface ORANGE — DMZ, the area for local servers accessible from the WAN
These are the physical networks connected through IPFire only.
IP addresses define logical networks. These networks must be separated according to the physical topology. The connection between them is done by the routing function of IPFire.
In the two examples I drew above, a telephone system would have to be used in the business network.
Does it make sense to integrate it into IPFire, or should it not run over IPFire at all?
But I would have to send a fax via the Fritzbox (in the business network), which is attached to the red interface. The Fritzbox has an integrated fax printer.
Is something like that possible?
So I only set it up briefly, but I was able to access the Internet via the red interface. The red interface goes to the Fritzbox, which also provides the fax printer.
I have now created the business network as follows:
All workstations are on the 192.168.2.2-50 network
Blue interface 192.168.2.1
Green interface 192.168.1.1, not plugged in - only for config/admin
Red interface 192.168.0.200, gateway (Fritzbox) 192.168.0.2
Netmask everywhere 255.255.255.0
Then I have a computer in this network with which I configure IPFire. I added this computer to the blue devices with its MAC and IP address. Works well so far.
Problem/Question 1:
One device is an internet radio. If I allow this device to connect to the red interface with a firewall rule, it works. But if I deactivate this rule again, the connection remains.
Problem/Question 2:
Only if I allow the connection to red on the main computer via a firewall rule can I surf the Internet. If I deactivate this rule, I can no longer surf; that works. But even here, once the connection is established and I ping a website, the ping keeps working even if I deactivate the rule again.
The workstations and the Internet radio device have 192.168.2.1 in the gateway. I also have 192.168.2.1 in the DNS for these devices.
That is correct.
If a connection is made, it will not disconnect until it is done with that connection.
Deactivating the firewall rule will not break an established connection.
So now the most important and probably most difficult connection.
In the following picture (the business network is there, the private one comes later) both networks are connected to a Fritzbox. But I would actually have to synchronize the two HP servers with each other.
How do I have to create a connection? It probably has to be a VPN, right?
Structurally, I cannot move the servers. The two IPFire devices are right next to each other.
Is that even possible, or would it be better to have two Fritzboxes?
Could I also connect the two green interfaces with each other?
It’s not the fastest thing to achieve, but I’d go with an IPsec VPN between the two IPFires, from 192.168.2.0/24 to 192.168.3.0/24.
Also, assuming that the same Fritzbox is used for both connections, I’d ensure the fastest connection possible between the two IPFire installations, like 2.5 Gb Ethernet with a separate switch, to avoid speed issues on the Fritzbox router.
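As an added example (not code from the thread or from IPFire), a small Python check of the address plan posted above together with the net-to-net subnets proposed here. It assumes the remote site uses 192.168.3.0/24 as stated, and it applies the topology rule from the top of the thread: every zone must be its own logical network, and the tunnel’s remote side must not collide with any of them.

```python
import ipaddress

# Address plan as posted in the thread (constructed from the posts; the remote
# side 192.168.3.0/24 is the network proposed for the IPsec net-to-net tunnel).
PLAN = {
    "red":   {"addr": "192.168.0.200/24", "gateway": "192.168.0.2"},
    "green": {"addr": "192.168.1.1/24",   "gateway": None},
    "blue":  {"addr": "192.168.2.1/24",   "gateway": None},
}
VPN_LOCAL = "192.168.2.0/24"
VPN_REMOTE = "192.168.3.0/24"
CLIENT_RANGE = ("192.168.2.2", "192.168.2.50")   # static workstation addresses


def check_plan(plan, vpn_local, vpn_remote, client_range):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {}
    for name, cfg in plan.items():
        iface = ipaddress.ip_interface(cfg["addr"])
        nets[name] = iface.network
        gw = cfg["gateway"]
        # A default gateway must be reachable on the zone's own subnet.
        if gw is not None and ipaddress.ip_address(gw) not in iface.network:
            problems.append(f"{name}: gateway {gw} is outside {iface.network}")
    # Zones are separate physical networks, so their subnets must not overlap,
    # otherwise IPFire cannot route between them.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap: {nets[a]} / {nets[b]}")
    # The tunnel's local side must be one of the zones; the remote side must
    # not collide with any zone, or returned packets never enter the tunnel.
    local = ipaddress.ip_network(vpn_local)
    remote = ipaddress.ip_network(vpn_remote)
    if local not in nets.values():
        problems.append(f"VPN local network {local} is not one of the IPFire zones")
    for name, net in nets.items():
        if net.overlaps(remote):
            problems.append(f"VPN remote network {remote} overlaps zone {name} ({net})")
    # Static clients must sit inside blue and must not reuse the interface address.
    lo, hi = (ipaddress.ip_address(x) for x in client_range)
    blue = nets["blue"]
    blue_ip = ipaddress.ip_interface(plan["blue"]["addr"]).ip
    if lo not in blue or hi not in blue:
        problems.append(f"client range {lo}-{hi} is not inside blue {blue}")
    elif lo <= blue_ip <= hi:
        problems.append(f"client range {lo}-{hi} contains the blue address {blue_ip}")
    return problems
```

Running `check_plan(PLAN, VPN_LOCAL, VPN_REMOTE, CLIENT_RANGE)` on the posted plan returns no problems; feeding it the private site’s plan with the same 192.168.2.0/24 on both ends would flag the overlap before the tunnel is built.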
I really cannot answer that, I’m not deep enough into that part of IPsec VPN.
This topic could help you better.
However… without traffic, the connection does not cost that much in traffic and/or CPU overhead. The tunnel could be up 24/7. And with firewall rules, only the two servers would be aware of each other.
Also…
In IPsec there are usually an initiator and a responder. If you’re looking to have better security on the work side, I’d configure the initiator on the home side.
IPSec-VPN can be switched off with the connection scheduler but the way it is indicated / shown is a bit misleading.
The VPN-Server itself needs to be activated all the time, so in the WUI under “Services → IPSec” it always has to be “activated” (otherwise there is no possibility to start it via the connection scheduler).
As soon as it’s running, you can turn it off (and on again) via the scheduler. The thing is that this is only indicated in the “Status → Services” menu (there “VPN” will switch from “RUNNING” to “STOPPED” and vice versa) but NOT in the “Services → IPSec” menu (there it will always be shown as “Activated”).
Thanks for the message about the VPN. I now have two IPFire machines running and everything works very well: web proxy, URL filter, firewall rules etc.
Now I have to tackle the VPN issue. Are there any easy-to-understand instructions?