Setup assistance please

Hi, installed IPFire yesterday - all is working great so far.
Setup is

Red - Orange (DMZ 172.16..) - Green (LAN 192.168..)

I can access my website from various laptops, phones and PCs on the Green network, having set up a rule as follows:

SOURCE - Standard Network (Any)
NAT - Use Network Address Translation (NAT)
Destination NAT (Port forwarding) Firewall Interface: RED
DESTINATION - Destination address (IP address or network): 172.16..
PROTOCOL - TCP
Destination Port: 80

but I cannot seem to be able to get the correct rule for allowing those same machines to access the server so that I can access localhost/phpmyadmin to administer my databases.

Could someone please point me in the right direction?

Many thanks in advance

Hi Stu,

There is information missing from your post.
Where is the server?

If it's on 172.16 or on the internet attached forward of 172.16 you should not need any rules, assuming the router or whatever in front of the red is NATting, i.e. you will be double NATting.

Green has access through red by default out of the box.
Red does not have any access back in.
You only use NAT port forwarding if you want to punch a hole in your firewall to allow access to a service running on the green or other networks, in your case green if it was there.

Now if you are saying you are on the 172 network and trying to access a server sitting on the green network you will need the destination to be a 192.168. address, not 172. Beware this will open the IP address up to all addresses, i.e. blow a hole in your firewall for port 80.
Also be aware that a site might redirect to port 443 or https for security on first connection to port 80.

HTH.

Best regards
Joe.

Hi

Thank you for your response and sorry for the missing info.

Yes my Linux based server is on the 172.16.. network (which is located in the corner of my home office)

My setup is as follows

Phone line goes to a modem/router which is in bridging mode > standalone PC with IPFire on it > NETGEAR - ProSafe GS108 Network Switch - 8 Port from which it goes to > standalone PC with server on it, another PC, printer, laptops etc

Server is on Orange
Everything else is on Green

Admit I am not the brightest of intellects when it comes to IT - not 100% sure what NATting and double NATting are.

Do I need to set up additional things such as Samba etc.?

Thanks again for your assistance, IPFire is a lot easier to use than my last Firewall (Smoothwall) but am still finding my way around.

Regards

Stuart

Your rule allows green to access orange on port 80.
Do you need to create a similar rule for port 3306 (phpmyadmin)?

If I understood your setup, IPFire has 3 NICs:
red: public ip phone/router
orange: 172.16.0.1 dbserver, httpserver
green: 192.168.0.1 – switch – laptops, printers

Ah… Yes.

Sorry I missed the (Orange) bit after Red on original post.

Yes, if you are using a DMZ, Pavlos is right: you will also need a rule to allow GREEN to access ORANGE. Everything to ORANGE as the DMZ is not allowed by default.

So two rules.

Access from internet (if you really need it):
SOURCE - Standard Network (RED)
NAT - Use Network Address Translation (NAT)
Destination NAT (Port forwarding) Firewall Interface: RED
DESTINATION - (ORANGE) Destination address (IP address or network): 172.16. (whatever server ip is)
PROTOCOL - TCP
Destination Port: 80

Access from green:
SOURCE - Standard Networks (GREEN)
DESTINATION - (ORANGE) Destination address (IP address or network): 172.16. (whatever server ip is)
PROTOCOL - TCP
Destination Port: 80

If you are opening up a web server to the internet, you should really be using TLS 1.3 and port 443.
Your login and web traffic could be sniffed or captured over the internet.

Best regards
Joe
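The two rules Joe lists, plus the missing port-3306 rule Pavlos asks about, can be checked against a small model of how a zone-based firewall resolves a flow: the source zone is derived from the address, the first matching rule wins, a port-forward rule rewrites the destination, and anything toward the DMZ that no rule matches is dropped. This is an added illustration, not IPFire's own code or configuration; the addresses are constructed (192.168.0.0/24 for GREEN, 172.16.0.0/24 for ORANGE, 172.16.0.10 standing in for "whatever server ip is", 203.0.113.5 as a placeholder public address on RED, 198.51.100.7 as a remote client), and the default-deny-toward-ORANGE policy is the assumption Joe's post describes.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing (not from the thread):
ZONES = {
    "GREEN": ip_network("192.168.0.0/24"),
    "ORANGE": ip_network("172.16.0.0/24"),
}
RED_PUBLIC = ip_address("203.0.113.5")   # placeholder public address on RED
SERVER = ip_address("172.16.0.10")       # web + database host in the ORANGE DMZ


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                          # zone the packet arrives from
    dst: IPv4Address                       # destination address as it arrives
    proto: str
    dport: int
    dnat_to: Optional[IPv4Address] = None  # port-forward target, if any


# Joe's two rules: a port forward for traffic arriving on RED, and a plain
# allow from GREEN to the server. Both are limited to TCP port 80.
RULES: List[Rule] = [
    Rule("inbound web", "RED", RED_PUBLIC, "tcp", 80, dnat_to=SERVER),
    Rule("green to web", "GREEN", SERVER, "tcp", 80),
]


def zone_of(addr: IPv4Address) -> str:
    """Map a source address to its zone; anything outside GREEN/ORANGE is RED."""
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "RED"


def evaluate(src: str, dst: str, proto: str, dport: int,
             rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Resolve one flow toward the DMZ server.

    Returns (verdict, final destination). Assumed policy: a flow is accepted
    only when some rule matches its source zone, destination, protocol and
    port; a matching port-forward rule rewrites the destination. Flows that
    no rule matches are dropped (default deny toward the DMZ)."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    src_zone = zone_of(src_ip)
    for r in rules:
        if (r.src_zone == src_zone and r.dst == dst_ip
                and r.proto == proto and r.dport == dport):
            return "ACCEPT", str(r.dnat_to or dst_ip)
    return "DROP", str(dst_ip)


def with_db_rule(rules: List[Rule] = RULES) -> List[Rule]:
    """The extra GREEN rule Pavlos suggests, for port 3306 on the same server."""
    return rules + [Rule("green to db", "GREEN", SERVER, "tcp", 3306)]


if __name__ == "__main__":
    # GREEN to the web server: allowed by Joe's second rule.
    print(evaluate("192.168.0.20", "172.16.0.10", "tcp", 80))
    # Same machine, port 3306: nothing matches, so it is dropped...
    print(evaluate("192.168.0.20", "172.16.0.10", "tcp", 3306))
    # ...until a dedicated rule is added.
    print(evaluate("192.168.0.20", "172.16.0.10", "tcp", 3306, with_db_rule()))
    # Internet to the public address, port 80: accepted and forwarded to the DMZ host.
    print(evaluate("198.51.100.7", "203.0.113.5", "tcp", 80))
    # Internet to port 443: no rule, dropped.
    print(evaluate("198.51.100.7", "203.0.113.5", "tcp", 443))
```

The point the model makes visible is that each rule is one (zone, destination, protocol, port) tuple: opening port 80 from GREEN says nothing about any other port on the same host, so each further service you want reachable from the LAN gets its own rule, and the RED rule alone is what exposes the host to the internet.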

The inbound traffic reaches an IP address that is public and it’s given to you by your provider. At the border between your network (LAN) and the rest of the internet (WAN) the router sorts the traffic to the various machines of your LAN, which do not have IP addresses mapped in a public space, but private ones (as you clearly are aware). In fact 172.16.X.X is reserved for private networks. The router, when sorting the traffic, creates a table of local addresses where it keeps the accounting of the traffic. That is a DNAT (Destination Network Address Translation). The same can be done in the other direction in SNAT (Source Network Address Translation). Together they are called simply NAT.

If your provider gives you a router, it will do a NAT. But then, behind it you have placed IPFire as a router/firewall, which will also do a NAT (of the already NATted traffic), hence the infamous double NAT. This situation adds a layer of complexity that could create strange and sometimes unpredictable situations. If instead the router from the provider is forwarding the traffic directly to IPFire acting in a pure Bridge Mode, then you do not have a double NAT but a single one.

If the setup is not changed, the default of IPFire is that green can access the orange DMZ, but not the other way around. Maybe the OP's problem is not the routing but the configuration of the web server that does not take into account traffic coming from the LAN?
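The SNAT/DNAT description above, and the "double NAT" it warns about, can be made concrete with a small simulation of two NAT routers in series: each one masquerades outbound flows behind its own public address and keeps a connection table so replies map back, and each one only admits a new inbound connection if it has a port forward for that port. This is an added illustration, not code from IPFire or any router; all addresses are constructed (203.0.113.5 as the provider router's public address, 192.0.2.2 as the address IPFire's RED side gets from that router, 172.16.0.10 as the DMZ web server, 192.168.0.20 as a GREEN client, 198.51.100.7 as a host on the internet), and the port allocation scheme is a simplification.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Minimal model of one NAT router: SNAT (masquerading) for flows leaving
    the inside, a connection table so replies find their way back, and DNAT
    port forwards for new connections arriving from outside."""

    def __init__(self, public_ip: str,
                 forwards: Optional[Dict[int, Tuple[str, int]]] = None):
        self.public_ip = public_ip
        self.forwards = forwards or {}                 # outside port -> (inside ip, port)
        self.snat: Dict[Tuple[str, int], int] = {}     # (inside ip, port) -> outside port
        self.snat_rev: Dict[int, Tuple[str, int]] = {}  # outside port -> (inside ip, port)
        self._next_port = 40000                        # simplified port allocator

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside->outside packet to the public address."""
        key = (pkt.src, pkt.sport)
        if key not in self.snat:
            self.snat[key] = self._next_port
            self.snat_rev[self._next_port] = key
            self._next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.snat[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an outside->inside packet. Replies to tracked flows are mapped
        back; new connections pass only via a DNAT forward; otherwise dropped."""
        if pkt.dst != self.public_ip:
            return None
        if pkt.dport in self.snat_rev:              # reply to a flow we translated
            ip, port = self.snat_rev[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        if pkt.dport in self.forwards:              # explicit port forward
            ip, port = self.forwards[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        return None


def chain_outbound(pkt: Packet, routers: List[NatRouter]) -> Packet:
    """Pass a packet out through routers listed from inside to outside."""
    for r in routers:
        pkt = r.outbound(pkt)
    return pkt


def chain_inbound(pkt: Packet, routers: List[NatRouter]) -> Optional[Packet]:
    """Pass a packet in through routers listed from outside to inside;
    None means some router along the way dropped it."""
    for r in routers:
        pkt = r.inbound(pkt)
        if pkt is None:
            return None
    return pkt


def build_double_nat(isp_forwards_80: bool) -> List[NatRouter]:
    """Provider router in front of IPFire, both doing NAT (constructed addresses).
    Only the provider router with its own port forward can deliver port 80."""
    isp = NatRouter("203.0.113.5",
                    forwards={80: ("192.0.2.2", 80)} if isp_forwards_80 else {})
    ipfire = NatRouter("192.0.2.2", forwards={80: ("172.16.0.10", 80)})
    return [isp, ipfire]


if __name__ == "__main__":
    outside_to_inside = build_double_nat(isp_forwards_80=True)
    web = Packet("198.51.100.7", 50000, "203.0.113.5", 80)
    print(chain_inbound(web, outside_to_inside))                # reaches 172.16.0.10:80
    print(chain_inbound(web, build_double_nat(False)))          # None: dropped at the ISP box
    # A GREEN client going out is translated twice, and the reply is untranslated twice.
    isp, ipfire = outside_to_inside
    req = chain_outbound(Packet("192.168.0.20", 51000, "198.51.100.7", 443), [ipfire, isp])
    print(req)                                                  # src 203.0.113.5:40000
    print(chain_inbound(Packet("198.51.100.7", 443, req.src, req.sport), [isp, ipfire]))
```

Two things fall out of the model. Outbound traffic from GREEN works either way, because each router's own connection table handles the replies; that is why "green has access through red out of the box" regardless of how many NATs sit in front. Inbound connections are the double-NAT problem: the port forward on IPFire is never consulted if the provider's router, with no forward of its own, drops the packet first, which is the situation bridge mode on the modem/router avoids.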