Hello, I have recently started using IPFire, and I’m having trouble understanding how firewall rules work. I’ve set up a WireGuard service (Purple), and I can connect remotely and access the internet. However, I’m having issues accessing local network services (Green). Despite having configured explicit rules in the firewall, the traffic is still being discarded. Any help is most welcome.
No.  Protocol  Source             Destination        Remark
1    TCP       Any                RED: SMTP          Block port 25 (TCP) for outgoing connections to the internet
2    All       10.0.100.0/24      192.168.100.0/24   WG->LAN
3    All       192.168.100.0/24   10.0.100.0/24      LAN->WG
If you want to post screenshots of your configuration or other things, I suggest changing the interface language to English.
This may make it easier to understand your configuration, among other things.
The following link leads to the firewall documentation.
Below is a link to the Wireguard documentation.
Have you changed the ‘Default firewall behaviour’?
Thank you for responding and providing me with links. According to the manual, the default value for the ‘Forward Firewall’ is ‘Allowed.’ I haven’t changed it, and I have created two rules; they are indeed in Spanish, but I have actually created one rule that accepts LAN traffic towards WireGuard and another doing the opposite. It should accept the traffic. I have read the documentation and still don’t understand why, despite explicitly accepting the traffic, it continues to block it. Best regards!
Does the Wireguard documentation for IPFire state that additional firewall rules are required?
By default, no additional firewall rules are required to establish a Wireguard connection.
However, it is important to bear in mind the following points:
The WireGuard client pool must be different from the OpenVPN subnet address range, the OpenVPN static IP address pools, and the IPsec host-to-net virtual private network (RoadWarrior) pool.
Hello, your replies are more than welcome. I have no issues with WireGuard: I can connect to WireGuard on IPFire and ping 8.8.8.8, but I had no DNS resolution. The IPFire interface with the DNS service was assigned to the GREEN zone. While investigating, I found that I cannot reach any PC in the GREEN zone. Looking at the logs, I saw that the INPUTFW table was dropping DNS traffic and the FORWARDFW table was dropping ICMP traffic. For that reason, and despite not finding references in the manuals, I decided to create two rules to allow traffic in both directions. Even after creating those rules, traffic continues to be dropped in the mentioned tables, which I find even more strange. Not being very familiar with IPFire, I’m asking whether this is the right way to route traffic between the WireGuard (10.0.100.1) interface and the GREEN (192.168.100.250) zone, or if that routing should happen by default, in which case it might be a bug.
I found the problem and the solution. It was a routing issue. On the mobile device connected to WireGuard the routes were not being applied correctly — a look at its routing table (HE.NETTOOLS) confirmed that. After fixing that, I focused on the devices in the GREEN network: they need a route to know where to send traffic coming from the VPN. The solution was to add a route to the WireGuard network using IPFire’s GREEN interface as the gateway; in my case:
ip route add 10.0.100.0/24 via 192.168.100.250 dev eth0
Now I wonder if this situation can be handled so GREEN clients know how to reach the purple (WireGuard) network, since IPFire is the gateway between them. Maybe by creating a route on the GREEN side?
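The check below is an added example by the editor, not code from the thread or from IPFire. It parses the output format of `ip route` (iproute2) and applies longest-prefix matching to show which route a GREEN host would use for a WireGuard address and whether that route's next hop is IPFire's GREEN address. The routing tables are constructed for illustration; the addresses follow the thread (GREEN 192.168.100.0/24, IPFire GREEN address 192.168.100.250, WireGuard pool 10.0.100.0/24), and `192.168.100.20` and `192.168.100.1` are assumed host and alternative-gateway addresses.

```python
"""Added example: which route on a GREEN host carries traffic for the
WireGuard subnet, and does that route hand the packet to IPFire?

Parses lines in the format printed by `ip route` and applies
longest-prefix match. All routing tables here are constructed samples.
"""
import ipaddress

IPFIRE_GREEN = ipaddress.ip_address("192.168.100.250")   # from the thread
WG_POOL = ipaddress.ip_network("10.0.100.0/24")         # from the thread

# Constructed: a GREEN host whose only path toward IPFire is its default route.
ROUTES_DEFAULT_ONLY = """\
default via 192.168.100.250 dev eth0 proto dhcp metric 100
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.20
"""

# Constructed: the same host after the thread's
# `ip route add 10.0.100.0/24 via 192.168.100.250 dev eth0`.
ROUTES_WITH_STATIC = ROUTES_DEFAULT_ONLY + "10.0.100.0/24 via 192.168.100.250 dev eth0\n"

# Constructed: a host whose default gateway is some other router, not IPFire.
ROUTES_OTHER_GW = """\
default via 192.168.100.1 dev eth0
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.20
"""


def parse_ip_route(text):
    """Return a list of (network, gateway_or_None, dev) from `ip route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        gw = dev = None
        # Walk the "key value" pairs that follow the destination.
        for key, val in zip(fields[1:], fields[2:]):
            if key == "via":
                gw = ipaddress.ip_address(val)
            elif key == "dev":
                dev = val
        routes.append((net, gw, dev))
    return routes


def route_for(routes, dst):
    """Longest-prefix match: the most specific route whose network contains dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def check_path_to_wg(text, dst="10.0.100.2"):
    """Return (matched_network, next_hop, goes_via_ipfire) for a destination
    in the WireGuard pool. A default route via IPFire already matches the
    pool, so a specific /24 route only changes which entry is selected,
    not where the packet is sent."""
    match = route_for(parse_ip_route(text), dst)
    if match is None:
        return (None, None, False)
    net, gw, dev = match
    next_hop = str(gw) if gw is not None else f"direct on {dev}"
    return (str(net), next_hop, gw == IPFIRE_GREEN)


if __name__ == "__main__":
    for name, table in (("default only", ROUTES_DEFAULT_ONLY),
                        ("with static route", ROUTES_WITH_STATIC),
                        ("other gateway", ROUTES_OTHER_GW)):
        print(f"{name:18s} -> {check_path_to_wg(table)}")
```

Run it against the output of `ip route` on a real GREEN host to see which entry is selected; the interesting case is the third table, where the default gateway is not IPFire, so a WireGuard address would leave through a router that has no idea where 10.0.100.0/24 lives.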
Hello Phil, thanks for pointing out the typos; I’ve corrected them to reflect the proper networks. If that isn’t the proper way to resolve the situation, do you have any other proposal?
Yesterday, I created a Wireguard connection with 0.0.0.0/0.
Without any additional settings, I was able to connect to a resource on the Green network. The Wireguard client computer responded to pings from the computer on the Green network.
Thanks Phil and Iptom, I will investigate this situation in depth. I’m using virtualization software under Debian; maybe something is under the hood that I can’t see. I will try to virtualize in VirtualBox on my desktop and compare the results. Regards
In VirtualBox, I have created three virtual machines: one for Ipfire and two for Kali Linux. The red zone is set up in the range 192.168.200.0/24, the green zone in the range 10.0.0.0/24, and the purple zone (WG) in 172.16.0.0/24. One Kali is in the red zone and has the files to configure WG; one of these files contains a filter for 0.0.0.0/0 and the other for 172.16.0.0/24. The other Kali is in the green zone. The connection has successfully completed with the 0.0.0.0/0 file, and I connected from the red zone using WG, but I cannot ping the green zone. I can ping the WG interface of Ipfire. Testing with the second file using the 10.0.0.0/24 filter, I find myself in the same situation. I cannot understand how your configuration works and mine does not; I can’t figure out where I am making a mistake. I will post a copy of the console results at https://paste.debian.net/: The Kali machine in the red zone at https://paste.debian.net/plainh/62055cf0y and the one in the green zone at https://paste.debian.net/plainh/4d4184bd. A backup file of the firewall along with the tunnel configuration can be found at https://limewire.com/d/2W2tA#JFVpsk78qi. Thank you very much for your time and dedication.
PS: since paste.debian.net and file.io have time-limited storage, if anyone needs a copy re-uploaded just let me know. Cheers
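Two client-side checks, added by the editor as an example (not code from the thread, the IPFire project or WireGuard): first, whether a client's `AllowedIPs` line covers the GREEN subnet at all, since WireGuard only sends a packet into the tunnel when its destination matches an `AllowedIPs` prefix (the two client files in the VirtualBox test above differ exactly in this); second, the documentation point quoted earlier in the thread that the WireGuard client pool must not overlap the OpenVPN or IPsec pools. The subnets are those of the VirtualBox test (RED 192.168.200.0/24, GREEN 10.0.0.0/24, PURPLE 172.16.0.0/24); the `AllowedIPs` lines and the OpenVPN pool value are constructed, the latter deliberately overlapping.

```python
"""Added example: client-side sanity checks for an IPFire WireGuard setup.

1. does_tunnel_carry(): is the GREEN subnet inside one of the peer's
   AllowedIPs prefixes?  If not, the client never routes GREEN traffic
   into the WireGuard interface, whatever the firewall does.
2. find_overlaps(): do any of the address pools / zone subnets overlap?
All inputs are constructed samples using the thread's subnets.
"""
import ipaddress
from itertools import combinations

GREEN = "10.0.0.0/24"            # GREEN zone in the VirtualBox test
WG_POOL = "172.16.0.0/24"        # PURPLE / WireGuard pool in the same test

# Constructed [Peer] AllowedIPs lines as they would appear in a client .conf.
ALLOWED_IPS_FULL = "AllowedIPs = 0.0.0.0/0"
ALLOWED_IPS_POOL_ONLY = "AllowedIPs = 172.16.0.0/24"
ALLOWED_IPS_SPLIT = "AllowedIPs = 172.16.0.0/24, 10.0.0.0/24"


def parse_allowed_ips(line):
    """Turn 'AllowedIPs = a/b, c/d' into a list of ip_network objects."""
    _, _, value = line.partition("=")
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]


def does_tunnel_carry(allowed_line, target):
    """True if `target` lies inside a single AllowedIPs prefix, i.e. the
    client's cryptokey routing will send that subnet through the tunnel."""
    target_net = ipaddress.ip_network(target, strict=False)
    return any(target_net.subnet_of(prefix)
               for prefix in parse_allowed_ips(allowed_line))


def find_overlaps(pools):
    """Return sorted (name, name) pairs of ranges that overlap.
    The list must be empty: the WireGuard pool may not share addresses
    with the OpenVPN/IPsec pools or with any zone subnet."""
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in pools.items()}
    return sorted(tuple(sorted((a, b)))
                  for (a, na), (b, nb) in combinations(nets.items(), 2)
                  if na.overlaps(nb))


# Constructed pool layout: the OpenVPN pool is deliberately placed inside PURPLE.
POOLS_BAD = {
    "RED": "192.168.200.0/24",
    "GREEN": GREEN,
    "WG_POOL": WG_POOL,
    "OPENVPN_POOL": "172.16.0.0/25",
}

# Constructed: the same layout with the OpenVPN pool moved out of the way.
POOLS_OK = dict(POOLS_BAD, OPENVPN_POOL="10.10.0.0/24")


if __name__ == "__main__":
    for line in (ALLOWED_IPS_FULL, ALLOWED_IPS_POOL_ONLY, ALLOWED_IPS_SPLIT):
        print(f"{line!r}: GREEN goes through tunnel = {does_tunnel_carry(line, GREEN)}")
    print("overlaps (bad layout):", find_overlaps(POOLS_BAD))
    print("overlaps (ok layout): ", find_overlaps(POOLS_OK))
```

With `AllowedIPs = 172.16.0.0/24` only the WireGuard pool itself is reachable through the tunnel, which is consistent with being able to ping IPFire's WireGuard address but nothing in GREEN; `0.0.0.0/0` or an explicit GREEN prefix is needed for GREEN traffic to enter the tunnel at all.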
I have IPFire WireGuard set up on a VirtualBox VM on my Arch Linux systems and I can access all the virtual machines running on the VM IPFire green network. I can edit and read files.
I am able to connect with both a physical linux laptop and a physical Android phone that are connected wirelessly to the network that my red interface of my vm IPFire is connected to.
I have not had to create any Firewall rules and have 0.0.0.0/0 as the networks to be allowed to connect to, so that should allow connection to all subnets within IPfire.
From your description you correctly have different subnets defined for red, green and wireguard tunnel.
Are you trying to access the machine in your green network via an IP address or via an FQDN?
If using an FQDN have you added this to the Hosts page in the IPFire WUI?
Hello Adolf — thank you very much for joining the conversation.
I have tested with different virtualization platforms, VirtualBox and Proxmox, both on separate machines, and obtained the same result. The virtual machines have always been Debian; I can try another distribution to see what happens. In my last message I posted the terminal output — you can see how the interfaces come up, but I cannot connect to the green network using the internal network IP addresses. However, I can reach IPFire and even log in to IPFire’s web interface from the machine in the red zone that is connected via WireGuard.
The virtual machines are two default Kali OVA images, and IPFire is default except for WireGuard. I must be making some mistake, but I don’t see where. Without adding additional routes I cannot reach the purple/WireGuard zone. It’s as if the machines in the green zone have no route to the purple (WireGuard) zone.
Kind regards.
PS: I updated the pastebin links. The old ones were broken.