router can - ipFire can't?

there is something i don’t understand: i want to replace a router with ipFire (to use a VPN later).
i started from scratch, clean ipFire, firewall settings forward allowed, outgoing allowed, no rules.
green, red via DHCP
internet works perfectly for all clients.

then i need a static route to access another network with a router and card readers (healthcare).
so static route: to

i can ping the router and the card readers but no further communication possible (the router has an internal web page, no access).

same settings with a router (i tried a fritzbox): no problems.

something must be missing in ipFire settings.
any ideas?


Hi @lema

Can you put one network scheme to be able to position ourselves better ?.

That way, we will understand it better and we can help you. You know “a picture is worth a thousand words”

To make a network scheme, you can use


1 Like

I hope this helps.
(No VPN or anything activated in ipFire)

The DNS is blocked by default in the lan and it needs a rule to allow the green zone to reach the DNS. Maybe also the web service is blocked by default for the internal netwoks? Try to create a rule in the firewall with Source = green network, Destination = firewall (green), Service = HTTPS -> accept and see if it works. Do not forget to apply the new rule.


@lema The question is on how healtcare router connects with ipfire green0 (Green network)

If there is a Layer 2 between healtcare router (the network card that has ip assigned) then it should work. This seems to be the case of the fritzbox which I presume also has a switch in it (L2 switching)
If not (there is any Layer 3 routing) you need to create routes from each end to the other end: each end must know how to reach the other end -> like a N2N vpn setup where you need each side of the tunnel to know what relies on the other end.

1 Like

Can’t find IPFire in your scheme at all :thinking:

1 Like

And what does the firewall log say? There must be a drop for the target
I think ICMP packages are always forwarded.

thanks for all replys so far - it will be a weekend night job to test. i will let you know :slight_smile:

i added the rules (DNS, http, https and a few others)
green -> firewall(green)
but it’s still the same: a router works, ipFire still blocks communication.

Then H&M is probably right. Try to create static routes on both ends (IPFire and Healthcare). Also, you should connect to the console, and check the kernel log with “tail -f”, then try to reach the web interface of healthcare and see what happens to the logs. Control-c to get out from tail.


Sadly the healthcare router (part of the national healthcare system) cannot be accessed except the https frontend which only allows to see if the card readers are up and working.

For testing i configured a rule allowing all ports from to Firewall(green) and later in desperation also to Firewall(all).
It’s staying the same: a simple router can, ipFire can’t. I know that when this problem is solved it will turn out as an advantage that ipFire is that picky :stuck_out_tongue:

If it is a layer 2 problem, it’s not IPFire as an operating system and software stack that cannot reach healthcare (or the other way around), it’s the hardware. What if you put a simple switch between IPFire and healthcare?

IpFire is on a APU 2C4 board and the first connection from GREEN is a switch, the healthcare router is connected to GREEN on the same switch.

Can you tail tail -f /var/log/messages while attempting to https the healthcare internal web server?

Are you sure the subnetmask /16 is correct?

@cfusco: i’ll try this next time noone is using the network.
@fpausp: it should be correct, if i use a router instead of ipFire, it works. but you never know, i’ll try that too. and let both of you know.

@cfusco yes there are events:

IPv4: host ignores redirects to
Jan 29 13:36:05 tjGate kernel: IPv4: host ignores redirects for to
Jan 29 13:36:10 tjGate kernel: DROP_NEWNOTSYN IN=green0 OUT=green0 MAC=00:0d:b9:36:6e:de:00:0f:d5:02:d3:b3:08:00 SRC= DST= LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=29465 DF PROTO=TCP SPT=9225 DPT=35980 WINDOW=37648 RES=0x00 ACK URGP=0

ipFire is ignoring redirects… means the static route? there are many DROP_NEWNOTSYNs following

@fpausp couldn’t try changing the subnet mask yet.

How did you write the static route in IPFire wui?

@cfusco nothing much to choose:
In network - static routes:
host IP address / network:
active: yes

I do not understand this. The gateway should not be Healhcare Network Router (

1 Like