My network is not on IPFire, I only use it for give VPN access to some users, and my network have a lots of subnets, they are managed by a Cisco Switch Core, including the same network where the green are:
10.20.40.0/24
10.20.50.0/24
10.20.60.0/24
…
The VPN users can see any host/IP from any subnet, except the subnet where the green are: 10.20.90.0/24, only the green’s IP (10.20.90.190) is reachable.
I try to make a firewall rule to explicit allow a group of IP from that subnet, but doesn’t work (in the logs shows “FORWARDFW” for every IP on that subnet), and that host/IP appears in green on the list of host.
There’s a reason for this behaviour? I am doing something wrong?
IPfire apparently are using itself has the gateway for the green, and that can’t be change, but I manage to solve it by going to static routes and configure that IP (10.20.90.147) to go trough the real network gateway (10.20.90.254), now works!
Hi, I come back because for some reason the static route solution stop working
Which VPN are you writing about? OpenVPN or IPsec?
I’m using OpenVPN.
Are you sure that this subnet is correct?
Yep, I use static IP address pools on OpenVPN to keep groups of clients separated, to be easy to create firewall rules:
9.9.9.0/24 (can access to everything)
10.10.10.0/24 (can access to only few host/IP)
11.11.11.0/24 (same)
12.12.12.0/24 (same)
I already make a test with 9.9.9.0/24 and 12.12.12.0/24, can access to whatever host on any other subnet, but can’t access to 10.20.90.0/24, everything is on the local network.
There’s something wrong about that? this type of subnet its blocked by default for some reason? In your link says that is a subnet from Switzerland, so, location block can affect VPN IPs? If that is true, what subnets are not in use by any country?
Have you read IPFire’s documentation on VPNs?
Yep, I actually have more than 10 clients and the server have one year working very well, the problems begins when just the last client that I added need access to a server in the same subnet where green are, where we have very few servers. If this don’t have a solution, probable I gonna have to change the IPFire or the client’s server subnet
These are all public IP address subnets. Your OpenVPN static IP address pools should be chosen from one of the private IP address ranges
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
and any subnets you choose for the static IP addresses must not overlap with any of the subnets used elsewhere in your network at both ends of the vpn tunnel.
Since we already have subnets starting with 10 and 192, I use 172
That not solve my problem, but I manage to get working using (again) the routing table, now I use the same gateway of the RED (not the red has gateway, just the same gateway that subnet uses). For example, if I have a petition from 10.20.90.0/24, instead of using 10.20.90.254, its gonna use 192.168.2.254… the problem? I can’t access to IPFire using 10.20.90.190, even when my computer is on the 10.20.90.0/24 network, but I can if I use the VPN
But, at least, the client can start working with his server, that’s enough for now
