Setting up Blue internet access

I’m missing something in setting up my BLUE internet access.

Devices on GREEN (my LAN) can access the internet and are achieving download speeds of over 630Mbps. However, my WI-FI devices on BLUE cannot surf to websites in a browser.

I have wlan0 and wlan1 Native to BLUE in the Zone Configuration. I have WLAN AP setup and running. I have my WI-FI MAC addresses setup in Blue Access. The Current DHCP leases on BLUE is showing WI-FI devices.

NICs are assigned in the network configuration area as follows:
RED (IP: eth0
GREEN (IP: eth1
BLUE ( wlan0 & wlan1

Using my laptop as an example, everything appears correct:

  1. BLUE DHCP assigns the laptop:
    a. IP address of
    b. Default router and
    c. DNS of
  2. I can log into IPFire in a browser at
  3. I can ping,,
  4. I cannot ping computers in GREEN i.e.

So the only issue that I have is that the laptop (and other WI-FI devices on BLUE) cannot access any websites via the browser.

The Default firewall behaviour is Forward: Allowed and Outgoing: Allowed. I have not added any firewall rules and the Firewall Rules are showing that Internet is allowed in BLUE:

Firewall Rules

No rules defined

GREEN Internet (Allowed) BLUE (Allowed)

BLUE Internet (Allowed) GREEN (Blocked)

Policy: Allowed

However, in the Firewall Log I’m seeing a number of drops ( is my Laptop’s IP):

13:04:30 DROP_Wirelessforward blue0 UDP 48789 53(DOMAIN)

13:04:31 DROP_Wirelessforward blue0 UDP 47063 53(DOMAIN)

13:04:31 DROP_Wirelessforward blue0 UDP 47063 53(DOMAIN)

13:04:49 DROP_INPUT red0 UDP 57621 57621

13:05:16 DROP_INPUT red0 2

I’m not sure if this has something to do with this, but I see on the DHCP configuration page that my WIFI devices are being assigned an IP from the GREEN and BLUE DHCP servers. I.e. it is showing that my iPad has two current dynamic leases: expiring 29/11/2019 14:31:28 expiring 29/11/2019 15:12:53

Any suggestions as to what I’m missing in the setup and how to resolve this issue?

On the Web Proxy page (menu Network > Web Proxy) scroll down to Network based access control. Maybe the blue network needs to be added…


This is one of the things that stumped me! :exploding_head:

the other item that stumped me was adding IP address(es) to the Wireless Configuration page (menu Firewall > Blue Access).

Thanks @jon for the suggestions:

Blue is currently included in the allowed subnets:

I have added my WI-FI MAC addresses. In fact, under Devices on BLUE, the system added hostname beside each device after they have connected.

I also tried using an entry to open all MAC addresses (like in your example above), but that did resolve the issue.

I appear to have found the issue on my Linux laptop. The nameserver address in /etc/resolv.conf did update to when my laptop connected to IPFire. If I add to resolv.conf, then I can connect to the web.

However, this is not a solution, I need to figure out why the Network Manager didn’t update resolv.conf when I connected to IPFire. Any ideas would be greatly appreciated.

And I have no idea how to resolve this on the iPad.

Hello Richard,

do you still get entries of the type DROP_Wirelessforward for your blue net in your Firewall-Logs?

Did you read the following Wikipage?

What is the issue on your iPad? I don’t see the correlation between your issue on the laptop and the issue on the iPad yet. Are you sure your DHCP-Server on the blue net distributes the DNS-Option correctly?



My iPad had not been able to connect to the internet thru IPFire. However, this morning my iPad can now connect to the internet thru IPFire. I have no idea what changed. Although I still need to find an optimized hostapd file for my WLE900vx card as the speeds on the iPad average only 100 Mbps where they should be over 600.

It appears that the DHCP-Server is correctly passing the DNS address to the laptop (running LMDE 3) and the DNS is showing up in the connection file:

nmcli -f IP4.DNS connection show IPF

But for some unknown reason /etc/resolv.conf is not being updated with the above nameserver IP address.

If I manually change the nameserver in /etc/resolv.conf to, then I can connect to the internet thru IPFire (which tells me that IPFire is setup correctly). However, this is not a solution as the IP address is erased upon reboot and doesn’t allow for me changing DHCP servers.

I just cannot figure out why the nameserver stops at the connection file and is not being passed to /etc/resolv.conf.

I’ve check the symlink for resolvconf and it appears correct, and my head in /etc/resolv.conf is showing that it’s running:

#Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)

After spending hours on this, my current best guess is that my VPN provider / OpenVPN is locking the DNS IP Address even when I don’t have a VPN connection. They have originally said that it was not them. But I have now sent them new information showing that the DNS IP address does not change both on my LMDE 3 and Windows 10 Pro computer. It also only happens on the WIFI connection (the DNS IP address correctly updates when connecting over my LAN).


you didn’t mention the VPN before … could it be an issue with “Split-DNS” or routing? I ran into this problem some time ago.

There is an option called something like “Use this connection only for resources on this network” a little bit hidden in the Networkmanager of LMDE3:

  1. Open the Network Connections Window
  2. Click “Edit” for OpenVPN-Interface
  3. Open the IPv4-Tab
  4. Click on “Routes” button
  5. Enable “Use this connection only for ressources on this network” (or similar)

Additionally make sure the Searchdomains for DNS are set properly for every interface on the IPv4/IPv6-Tabs.

Hi Yoda,

I have exactly the same issue then you (with a similar config and the same WLE900VX), except that i tried with two computers , one with Ubuntu, one with W10, and two Android Smartphones. None of them can reach internet trough Wlan and BLUE.

Did you found something else ? Did you solved your issue ?

Thanks in advance for your help,


Hi @fifi, Unfortunately, I ran into additional issues with IPFire which nobody was able to help me resolve. For example: IPFire vs. OpenWRT re: Wireless and Interfaces & Hostapd file for WLE900VX

As a result, I replaced IPFire with OpenWRT and no longer have any of the issues that I had with IPFire.