Separating Work from Pleasure - Basic Network Questions

Hi Everyone, this is my first shot at configuring my own router / firewall. Even after reading about networks, masks, routing, I still feel ensure about my understanding.


  • Working with WUI right now, but not afraid of the console.
  • Managing IP-Addresses manually is no problem.
  • Conservative setup, i.e. deny all, then allow step-by-step.

Setup: IPFire core 152 on APU 2D4. Four ports. Configured green, blue and red. Unmanaged switches connected to green and blue ports. Red connects to Internet via DHCP and router provided by ISP. Green and red works fine for now.

Next step: Separate my hardware into two groups, which are: private and pleasure, for which I thought using green and blue zones.

Is this a reasonable and achievable setup for ipfire configuration?

Basic traffic rules:
Green may access anything on Blue.
Blue shall only respond in kind to Green.

Some hardware in Blue needs Internet (red). I have a laptop connected right now and it cannot access red. What type of connection is missing?

Some hardware in Blue need to be blocked from Internet. How do I explicitly write that?

Right now most of IPFire’s settings are still defaults.

I could not find an appropriate cook book recipe for this. Hence this post.

After gaining a better understanding of network management, firewalls and ipfire, I plan to add a third zone: “Internet for guests”.

Thanks, and always

Hello! Welcome to the IPFire Community! I’m not able to help with all of your questions but this will help get you started.

The should help with BLUE:

Hi @playsafewithfire, welcome to the IPFire Community.

Absolutely, yes.

As well as setting up Blue on the dhcp page you also need to set up Blue Access menu under Firewall menu. Following link gives more information. Blue is often used for the Wireless Network on IPFire but it doesn’t have to be. You can also use it as another LAN connection

The default is that access from Red to Blue is blocked. Following link shows the default settings for the various zones.

1 Like

Hi @bonnietwin and @jon, and thanks for the warm welcome and quick reply. I reviewed both of those pages, and can report a minor success. The laptop connected to Blue accesses the Internet.

On BLUE: There are no additional rules configured right now, but it works. This implies that BLUE has access to RED, though the default policy states:
Blue -> Red Closed, use Blue Access

My interpretation (pls correct me if I am wrong): Nothing in BLUE gets Internet access unless explicitly allowed, but I do not see on the wiki page how to allow or disallow traffic BLUE => RED.

Practice: I thought that the easiest way would be to enable DHCP, connect the devices I want in BLUE and then capture MAC addresses to manually assign IP addresses. Does this make sense? What settings do the devices need, to get their IP address if DHCP is not enabled?

RE: Default policy: The page first explains drop and reject, the default zone ruleset then shows directions and uses the terms Open and Closed. So here is my interpretation:

Blue => Green, Closed, use DMZ pinholes:
I can get access data in BLUE from GREEN by allowing traffic by IP address (optionall grouped, which is a nice feature) with a firewall rule?


Got the first concept RE BLUE: Anything on “Blue Access” has access to RED. Now I just need to add deny rules for those devices, that should not have Internet access.

Hi @playsafewithfire,

Glad you were able to make progress.

If you turned on Blue Access then that opens Blue up to Red. The default policy means that Blue to Red is closed but if you want it opened then use Blue Access.
If you specified the mac address for your laptop then only that laptop can get access on Blue.

If you want to deny some types of traffic from Blue to Red then you need to look at changing the default policy for Blue from Accept to Drop or Reject and then write Firewall Rules that will allow that laptop to access the traffic that you want to permit.

Yes, that makes sense. You are then using dhcp to provide fixed IP addresses. That is worth doing if you want to create Firewall rules based on IP address. You can also create rules based on mac address but only as the source address not as the destination address.

The term DMZ pinhole is focussed on opening access from Orange to Green but the same principle applies for connecting from Blue to Green. Yes you would need to create a Firewall Rule for that and yes you can specify groups of IP Addresses so that you don’t have to create a separate rule for each IP address

Good luck, it looks like you are making good progress. The wiki provides a lot of info on the Firewall Rules but if anything is not clear just come back with more questions.

1 Like

Thank you, @bonnietwin. I am starting to grasp the concepts and terminology. The dialog helps a lot. I will continue moving devices to BLUE. For them to get an IP address, I need to put them onto BLUE access, which then by default gives them access to RED. Then the next step is to set up firewall rules to deny access to RED for selected devices.

Regards and have a good evening.

I did this separation business and pleasure with a simple strategy:
Blue (private): Basic ports (443, 80, Secure simap/ssmpt) open, all other ports blocked. No acess to printer and NAS and green
Green (business): proxy, ips, NAS, printer, simap/ssmtp open, others blocked
DNS over TLS for both networks.
For me it works fine :slight_smile:

HI @ip-mfg, this looks similar to what intend, do you use machines on either side of green and blue? May ask you for example rules, if I can’t get the below to work. ;o)

Hi everyone, struggling with next step testing and still learning basics. Objectives: Connect devices to BLUE and check access from GREEN:

Win10 host and test access via SMB. This already works when all connected to GREEN. Created firewall rule for MAC-Address of PC in BLUE, ACCEPT TCP port 445 to GREEN,

But I am stuck even before that - guessing routing issues. Ping’s are not possible between BLUE and GREEN. I added rule to allow ICMP from BLUE to GREEN, but no luck. (NB: Will replace later with very specific rules, still in the mode of trying to get this to work.)

What am I missing? What is needed to route IP addresses correctly between Blue and Green? Ping works inside green and blue respectively and up to the IP-address of the firewall on either network / firewall, i.e. address 1 on either network responds to the ping on either network.

I think setting up the network printer in BLUE will work, when this is resolved. I already found the list of ports ipfire needs open, but I don’t understand this yet. Thanks for the help.

Well I keep blue and green totally seperate. As I sad before, blue is for windows, mobiles, etc. Green is for business with Linux machines, Server, printer etc. A little bit rigid, but safe.
Persolally I started with IPFIRE with simple forward rules and service groups for Web and Mail applications.
Then closed DNS Trafic and introduced DOT for both networks (a good Artikel is the one from pmueller) with 6 different DSN server, which I trust.
Then I closed NTP for red an used IPFIRE as a Timeserver.
Then I introduced IPS for then green network.
Then I started the proxy with URL filtering and closed all incoming and outgoing traffic but of the service groups I mentioned above.
I would recommend you to read the very informative contributions from pmueller - ecellent an very informative.

1 Like