Trying to Replace an Existing Firewall with IPFire

I am trying to replace an existing firewall with IPFire and am having some issues:

Our current connection is as follows:

  1. Static IP from COX Business to an Arris modem
  2. Firewall uses the static IP from COX as the outside IP address (not certain why this works, but it does; the firewall's static route out is an external IP address, not the modem)
  3. A Unifi Gateway is used to assign IP addresses.

I have tried to use the same configuration as above, but when using the static IP in IPFire there is no Internet on the IPFire; there are warnings that the IPFire is not connected to the Internet. If I set up RED as DHCP then there is Internet on the IPFire and, I believe, on the Unifi Gateway, but no downstream devices have a connection. Is there some setting required to allow devices connected to the Unifi system to access the Internet on IPFire's RED interface? I am confused and could use any help you could provide. Thank you

Hello Timothy,
welcome to the IPFire community.

It would help us, if you specify your configuration more precisely.
What I read from your post is the config as
<WAN(COX)> ---- <Arris Modem( DOCSIS, I suppose)> ---- <Unifi Gateway> ---- <LAN>
Is this right?

Do you want to replace Unifi with IPFire?


Actually, the current configuration is:

WAN(COX) - Arris Modem (DOCSIS) - Fortigate Firewall - Unifi Gateway - LAN

I would like to replace the Fortigate firewall with the IPFire, but as it is in the middle there is something that is causing an issue with connectivity. It may be that this configuration is overly complex. Right now I am just trying to change the firewall and not the rest of the devices.

Thank you

Here is some more information:

Current Firewall (Fortigate) (Physically Connected to the Modem)

  • WAN IP = COX Static IP
  • 0.0.0.0/0 Is statically routed to another COX IP Address (Not the Modem)
  • LAN IP = 10.1.1.11/255.255.255.0

Current Unifi Config

  • WAN IP = 10.1.1.12/255.255.255.0
  • WAN ROUTER = 10.1.1.11

I guess my biggest problem is that even though the firewall is directly connected to the modem, it is in some pass-through mode. Our current firewall is configured to almost ignore the modem. The modem's IP address is nowhere in the firewall config. The firewall is thus acting as the primary gateway to the ISP.

Is that allowed with IPFire?

Thank you
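The detail that matters in the configuration above is the default route pointing at a COX address that is not the modem and may not even lie inside the assigned subnet. As an added example (not part of this thread and not IPFire's own setup code), the script below takes the three values an ISP hands out, tells you whether the gateway is on the connected subnet, emits the plain iproute2 commands that would bring a Linux WAN interface up either way, and parses `ip neigh show` output to tell whether the gateway's MAC was ever learned. The interface name `red0`, the documentation addresses and the neighbour-table sample are assumptions for the example.

```python
import ipaddress

# Added example, not from the thread: plan a static WAN (RED) configuration
# from IP / netmask / gateway and flag the case where the gateway is not
# inside the assigned subnet. Interface name red0 is an assumption.

def plan_static_red(ip, netmask, gateway, iface="red0"):
    """Return (gateway_on_subnet, commands).

    commands are iproute2 invocations (not IPFire's setup tool) that bring a
    static WAN interface up with a default route via `gateway`.
    """
    host = ipaddress.ip_interface(f"{ip}/{netmask}")
    gw = ipaddress.ip_address(gateway)
    if gw == host.ip:
        raise ValueError("gateway must not equal the host address")
    on_subnet = gw in host.network
    cmds = [
        f"ip addr add {host.with_prefixlen} dev {iface}",
        f"ip link set {iface} up",
    ]
    if on_subnet:
        cmds.append(f"ip route add default via {gw} dev {iface}")
    else:
        # Linux rejects a next hop outside every connected network with
        # "Nexthop has invalid gateway"; 'onlink' installs the route anyway
        # and the kernel ARPs for the gateway directly on the link.
        cmds.append(f"ip route add default via {gw} dev {iface} onlink")
    return on_subnet, cmds


# NUD states in which the kernel has (or had) a MAC for the neighbour.
NEIGH_STATES_OK = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}

def gateway_resolved(ip_neigh_output, gateway):
    """Parse `ip neigh show` output and report whether the gateway's MAC
    was learned. FAILED or INCOMPLETE means nothing on the cable segment
    answered ARP for that address, which is the first thing to check when a
    static WAN address has no connectivity."""
    for line in ip_neigh_output.splitlines():
        parts = line.split()
        if parts and parts[0] == gateway:
            return parts[-1] in NEIGH_STATES_OK
    return False


if __name__ == "__main__":
    # Constructed values using documentation ranges, not the poster's real IPs.
    on_subnet, cmds = plan_static_red("203.0.113.50", "255.255.255.252", "198.51.100.1")
    print("gateway on subnet:", on_subnet)
    print("\n".join(cmds))
    # Constructed `ip neigh show` output: one resolved entry, one failed.
    neigh = ("203.0.113.49 dev red0 lladdr 00:11:22:33:44:55 REACHABLE\n"
             "198.51.100.1 dev red0 FAILED\n")
    print("gateway resolved:", gateway_resolved(neigh, "198.51.100.1"))
```

Run the first function with the real values from the ISP to see which form of route is needed; if the gateway is off-subnet and the ISP insists the values are right, an `onlink` default route plus a successful ARP for the gateway (second function, fed the live `ip neigh show dev red0` output) is the quickest way to prove the static path works before touching the IPFire setup.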

Hi @timothyadams. Good afternoon.

With a modem, the dialing is done by the Firewall. In your case, the Fortinet or the IPFire. The modem is only a physical link, that is, it does not adopt the Public IP.

The dialing from IPFire must be configured from “Dialup”

By SSH or IPFire Bash with “Setup”, it is established in the RED interface if you have Dynamic or Static IP.

If you have Dynamic, you will have to put DHCP and if you have Static, you will have to specify it.

I hope this helps.

Greetings.

Is the IP address & Network mask & Gateway all set to the values Cox provided to connect?

I’d suggest taking your Unifi Gateway out of the chain for a short test. Get everything working on IPFire. And then try setting up the Unifi device.


I am setup somewhat similar:
Internet ( my ISP) → Arris Modem ( DOCSIS ) → IPFire → Netgear switch → LAN

but I get DHCP from my ISP. No static address.

FYI - My Arris modem is set up in bridge mode (this is good!). So if I plug a computer directly into the modem (no IPFire, no switch - just a direct connection) then I see my ISP's Internet address.

I am guessing your Arris modem is like mine and it is in bridge mode. So yes, it will pass through the Internet IP address (but this is a good thing). IPFire will go from Internet IP to LAN IP once configured.


I believe you are correct after looking at the Fortigate’s config again. I will find a good time to test this again I probably had something incorrectly set. I will check and get back to you.

Ok I verified with COX that the modem is in Bridge Mode and my IP, Subnet, and gateway are correct. Also according to COX, I do not have to sign in with username and password as in PPP. However, I do not have internet even on the IPFire when I configure it that way. Any suggestions would be appreciated.

I don’t know the static config with cable Internet (DOCSIS).
With a DHCP config the modem/CMTS ‘learns’ the MAC of the CPE ( the client device ) after a reboot.
Did you reboot your modem?
Is your CPE MAC registered at COX?
Just some questions or directions I have as ideas.

Based on what you mentioned above you don’t need PPP. You need Static.


EDIT:
As Bernhard mentioned, the Arris DOCSIS modem does learn the MAC address of the device plugged into it. I usually reboot my modem when making a change (I also reboot my IPFire box just incase).


Thank you both for your help,

I still have not figured this out, but have an idea to run by you. At one time in my tests I switched my RED interface to DHCP; this caused my IPFire to have Internet access, but I noticed in the firewall logs that it was blocking traffic that was directed towards our static IP. This seems to mean that if the firewall is on DHCP then the modem is still sending traffic for our static IP to the firewall.

All this to say would the following configuration work:

  1. Red (DHCP)
  2. Our Static IP as an alias

I am not sure of the consequences of such a configuration and do not want to lose inbound traffic if possible. I just don’t know why the static IP is not working.

Thanks

Do you have some info from COX about configuring a device acting as CPE with a static IP?
Do you get your fixed/static IP if you set up IPFire’s RED interface as DHCP?

No, COX just said to configure it static with the same IP information I already have. I noticed that when on DHCP the IPFire’s RED interface had a different IP than our static IP; however, traffic to our static IP was still logged on the IPFire as DROPNEWNOTSYN, which implied to me that the IPFire was still getting the static IP’s traffic.
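The observation in the post above (RED holding a DHCP lease, yet drops logged for packets addressed to the static IP) can be checked directly in the firewall log rather than by eye. The following is an added example, not from the thread and not an IPFire tool: it parses netfilter LOG lines of the kind IPFire writes to /var/log/messages, counts packets that arrived on the WAN interface by destination address, and lists every destination other than the address the interface currently holds. The log lines, the log prefixes, the interface names and the documentation-range addresses are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in netfilter LOG format (prefixes and MACs made up for
# the example). 203.0.113.50 stands in for the ISP's static IP, 203.0.113.77
# for the lease RED picked up via DHCP; 10.1.1.0/24 is the LAN side.
SAMPLE_LOG = """\
Nov  3 10:12:01 ipfire kernel: DROP_NEWNOTSYN IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.50 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=54321 WINDOW=0 RES=0x00 ACK URGP=0
Nov  3 10:12:02 ipfire kernel: DROP_NEWNOTSYN IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.50 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=54322 WINDOW=0 RES=0x00 ACK URGP=0
Nov  3 10:12:04 ipfire kernel: DROP_NEWNOTSYN IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.200 DST=203.0.113.50 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=25 DPT=60001 WINDOW=0 RES=0x00 ACK URGP=0
Nov  3 10:12:05 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=203.0.113.77 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=4421 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Nov  3 10:12:07 ipfire kernel: DROP_INPUT IN=green0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.1.12 DST=10.1.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Fields common to every netfilter LOG line; SPT/DPT are absent for ICMP.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>[A-Z_]+) IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_log(text):
    """Yield one dict per netfilter LOG line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()

def wan_destinations(text, wan_iface="red0"):
    """Count logged packets that arrived on the WAN interface, by destination."""
    return Counter(e["dst"] for e in parse_log(text) if e["in"] == wan_iface)

def foreign_destinations(text, current_wan_ip, wan_iface="red0"):
    """Destinations seen on the WAN link other than the address it holds now.

    If the ISP's static IP appears here while RED is on a DHCP lease, the
    modem is still delivering the static IP's packets to this box; the
    firewall simply has no interface owning that address, so they are dropped.
    """
    return {dst: n for dst, n in wan_destinations(text, wan_iface).items()
            if dst != current_wan_ip}

if __name__ == "__main__":
    # On a live box: foreign_destinations(open("/var/log/messages").read(), <RED IP>)
    for dst, n in foreign_destinations(SAMPLE_LOG, "203.0.113.77").items():
        print(f"{n} packet(s) on red0 for {dst}, which red0 does not hold")
```

Note that DROP_NEWNOTSYN entries are non-SYN TCP packets with no matching connection, typically replies to connections the old firewall had open or stray ACKs; counts per destination are what matter here, not the individual packets. Seeing the static IP in this list while RED is on DHCP supports the idea that both addresses reach the box, but it does not make an alias a substitute for a working static configuration, since outbound traffic would still leave with the lease address.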

Ok.
I’ve investigated a bit.
I suppose, the COX network has two working states.

  • DHCP: network info is (IP, subnet, gateway, DNS servers ) distributed with the DHCP response

  • static: network info is supplied by COX (available from their web page). This data has to be set in the CPE (a router like IPFire) on the WAN interface.

The registration of the modem at COX generates a { modem MAC, IP } pair, which is also used as a routing decision in their IP backbone. So, with a static IP package / DHCP WAN access, you get traffic for both IPs. IPFire only accepts inbound traffic for the ‘right’ IP.

Yes, that makes sense to me. Possibly I am just going to have to figure out why I am unable to use the static IP. I thought maybe I could get the IPFire to accept both the DHCP and the static IP so that I was able to get the network working without the static issues. Maybe that is not possible or is unwise.

Thank you

I guess I have another question: could there be an issue where a NIC will connect on DHCP but not if it is configured statically? Could it be just a bad card?

If it connects via DHCP, the card is working. Just a thought: can you connect a laptop directly to the COX modem and configure a static IP on the laptop given the details from COX (static IP, mask, GW)? Can the laptop access the Internet as usual?
