router can - ipFire can't?

there is something i don’t understand: i want to replace a router with ipFire (to use a VPN later).
i started from scratch, clean ipFire, firewall settings forward allowed, outgoing allowed, no rules.
green 10.1.148.0/255.255.255.0, red via DHCP
internet works perfectly for all clients.

then i need a static route to access another network with a router and card readers (healthcare).
so static route: 10.207.0.0/16 to 10.1.148.254

i can ping the router and the card readers but no further communication possible (the router has an internal web page, no access).

same settings with a router (i tried a fritzbox): no problems.

something must be missing in ipFire settings.
any ideas?
:slight_smile:

greetings,
LeMa

Hi @lema

Can you post a network scheme so that we can position ourselves better?

That way, we will understand it better and we can help you. You know “a picture is worth a thousand words”

To make a network scheme, you can use draw.io

Greetings.

I hope this helps.
(No VPN or anything activated in ipFire)

The DNS is blocked by default in the lan and it needs a rule to allow the green zone to reach the DNS. Maybe also the web service is blocked by default for the internal networks? Try to create a rule in the firewall with Source = green network, Destination = firewall (green), Service = HTTPS -> accept and see if it works. Do not forget to apply the new rule.


@lema The question is on how the healthcare router connects with ipfire green0 (Green network)

If there is a Layer 2 between the healthcare router (the network card that has ip 10.207.47.114 assigned) then it should work. This seems to be the case of the fritzbox which I presume also has a switch in it (L2 switching)
If not (there is any Layer 3 routing) you need to create routes from each end to the other end: each end must know how to reach the other end -> like a N2N vpn setup where you need each side of the tunnel to know what lies on the other end.


Can’t find IPFire in your scheme at all :thinking:

And what does the firewall log say? There must be a drop for the target 10.207.47.114.
I think ICMP packets are always forwarded.

thanks for all replies so far - it will be a weekend night job to test. i will let you know :slight_smile:

i added the rules (DNS, http, https and a few others)
green -> firewall(green)
but it’s still the same: a router works, ipFire still blocks communication.

Then H&M is probably right. Try to create static routes on both ends (IPFire and Healthcare). Also, you should connect to the console, and check the kernel log with “tail -f”, then try to reach the web interface of healthcare and see what happens to the logs. Control-c to get out from tail.


Sadly the healthcare router (part of the national healthcare system) cannot be accessed except the https frontend which only allows to see if the card readers are up and working.

For testing i configured a rule allowing all ports from 10.207.0.0/16 to Firewall(green) and later in desperation also to Firewall(all).
It’s staying the same: a simple router can, ipFire can’t. I know that when this problem is solved it will turn out as an advantage that ipFire is that picky :stuck_out_tongue:
sigh

If it is a layer 2 problem, it’s not IPFire as an operating system and software stack that cannot reach healthcare (or the other way around), it’s the hardware. What if you put a simple switch between IPFire and healthcare?

IpFire is on an APU 2C4 board and the first connection from GREEN is a switch, the healthcare router is connected to GREEN on the same switch.

Can you run tail -f /var/log/messages while attempting to https to the healthcare internal web server?

Are you sure the subnet mask /16 is correct?

@cfusco: i’ll try this next time no one is using the network.
@fpausp: it should be correct, if i use a router instead of ipFire, it works. but you never know, i’ll try that too. and let both of you know.

@cfusco yes there are events:

IPv4: host 10.1.148.15/if4 ignores redirects 10.207.45.114 to 10.1.148.254
Jan 29 13:36:05 tjGate kernel: IPv4: host 10.1.148.11/if4 ignores redirects for 10.207.45.114 to 10.1.148.254
Jan 29 13:36:10 tjGate kernel: DROP_NEWNOTSYN IN=green0 OUT=green0 MAC=00:0d:b9:36:6e:de:00:0f:d5:02:d3:b3:08:00 SRC=10.1.148.146 DST=10.207.45.114 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=29465 DF PROTO=TCP SPT=9225 DPT=35980 WINDOW=37648 RES=0x00 ACK URGP=0

ipFire is ignoring redirects… means the static route? there are many DROP_NEWNOTSYNs following

@fpausp couldn’t try changing the subnet mask yet.
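Added example, not posted by anyone in this thread and not IPFire's own code: a small parser for the kernel log lines quoted above. It flags the pattern those lines show, a forwarded packet logged with the same IN and OUT interface (green0 to green0) carrying ACK but no SYN, which is what a stateful firewall logs when it only sees one direction of a TCP connection, and it collects the hosts reported as ignoring ICMP redirects. The second helper checks whether a static route's gateway lies inside the firewall's own green subnet, the condition under which a router forwards back out the interface it received on and emits redirects. The sample log is constructed: the two real lines from the thread plus one made-up DROP_FORWARD line (IN=green0 OUT=red0, SYN) that must not be flagged. The field names follow the standard netfilter LOG format visible in the quoted lines; the DROP_FORWARD prefix in the constructed line is assumed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the two kernel lines quoted in the thread plus one constructed
# DROP_FORWARD line (IN=green0 OUT=red0, SYN) that should NOT be flagged as a hairpin.
SAMPLE_LOG = """\
Jan 29 13:36:05 tjGate kernel: IPv4: host 10.1.148.11/if4 ignores redirects for 10.207.45.114 to 10.1.148.254
Jan 29 13:36:10 tjGate kernel: DROP_NEWNOTSYN IN=green0 OUT=green0 MAC=00:0d:b9:36:6e:de:00:0f:d5:02:d3:b3:08:00 SRC=10.1.148.146 DST=10.207.45.114 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=29465 DF PROTO=TCP SPT=9225 DPT=35980 WINDOW=37648 RES=0x00 ACK URGP=0
Jan 29 13:36:12 tjGate kernel: DROP_FORWARD IN=green0 OUT=red0 MAC=00:0d:b9:36:6e:de:00:0f:d5:02:d3:b3:08:00 SRC=10.1.148.20 DST=192.0.2.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

DROP_RE = re.compile(r"kernel: (?P<prefix>DROP_\w+) (?P<rest>.*)$")
REDIRECT_RE = re.compile(
    r"host (?P<host>[\d.]+)/\S+ ignores redirects for (?P<dst>[\d.]+) to (?P<gw>[\d.]+)"
)
KV_RE = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE tokens; OUT= may be empty
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_drop(line):
    """Turn one netfilter LOG line into its prefix, KEY=VALUE fields and TCP flag set."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    # Bare tokens such as ACK or SYN are TCP flags; DF and similar are ignored.
    flags = {tok for tok in rest.split() if "=" not in tok and tok in TCP_FLAGS}
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}


def analyse(log_text):
    """Classify drops: hairpin (IN == OUT) with ACK but no SYN vs. everything else,
    and list hosts the kernel reports as ignoring ICMP redirects."""
    findings = {"hairpin_drops": [], "redirect_ignorers": [], "other_drops": 0}
    for line in log_text.splitlines():
        r = REDIRECT_RE.search(line)
        if r:
            host = r.group("host")
            if host not in findings["redirect_ignorers"]:
                findings["redirect_ignorers"].append(host)
            continue
        d = parse_drop(line)
        if d is None:
            continue
        f, flags = d["fields"], d["flags"]
        in_if = f.get("IN", "")
        hairpin = bool(in_if) and in_if == f.get("OUT", "")
        ack_without_syn = "ACK" in flags and "SYN" not in flags
        if hairpin and ack_without_syn:
            findings["hairpin_drops"].append({
                "iface": in_if, "src": f.get("SRC"), "dst": f.get("DST"),
                "proto": f.get("PROTO"), "dpt": f.get("DPT"), "prefix": d["prefix"],
            })
        else:
            findings["other_drops"] += 1
    return findings


def route_hairpins(local_net, gateway):
    """True when a static route's next hop sits inside the interface's own subnet:
    the firewall then forwards back out the same interface and sends ICMP redirects."""
    return ip_address(gateway) in ip_network(local_net, strict=False)


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for hit in result["hairpin_drops"]:
        print(f"hairpin {hit['prefix']} on {hit['iface']}: "
              f"{hit['src']} -> {hit['dst']} {hit['proto']}/{hit['dpt']} (ACK, no SYN)")
    print("hosts ignoring redirects:", result["redirect_ignorers"])
    # Green is 10.1.148.0/24 and the static route gateway is 10.1.148.254 (from the thread).
    print("route gateway inside green subnet:", route_hairpins("10.1.148.0/24", "10.1.148.254"))
```

Run against a real /var/log/messages the script reports which flows are being dropped as one-sided, so the question "does the return traffic from 10.207.x come back through the firewall or straight through the switch" can be answered from the log rather than guessed.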

How did you write the static route in IPFire wui?

@cfusco nothing much to choose:
In network - static routes:
host IP address / network: 10.207.0.0/16
gateway: 10.1.148.254
active: yes

I do not understand this. Shouldn’t the gateway be the Healthcare Network Router (10.207.47.114)?