Unusual network config

Hello,
I need help configuring my network. I have an unusual setup:


All the IPs in this diagram are not the real ones, but similar.
I have 2 networks:

  1. VPN from our manufacturer - they have multiple networks behind it.
  2. Internet line from my ISP - with 3 external IPs.

I have the IPFire after the Cisco 2900 - that switch is managed by my ISP.
My clients (PCs) need to access the networks behind the manufacturer VPN and in reverse - the servers from the manufacturer need to access printers, shares and app servers that are on my LAN.
I added static routes for the manufacturer networks with gateway 10.100.200.1.
I can get from my green zone clients to those networks, and some apps and printers work. For some printers I needed to change the gateway to 10.100.200.1.
The problem is that I have a share on a server 10.100.200.3 where another server from the manufacturer network needs to place some files every day around 4 AM. I contacted the manufacturer IT; they can get to 10.100.200.1 and to 10.100.200.2, but they don't get a ping reply from 10.100.200.3 (local server). A traceroute from my server to the manufacturer server is OK - it ends in 10 hops, but from the manufacturer to me it reaches over 30 hops and stops.
Because 10.100.200.1 is in the green network, IPFire treats it like a green client.
I don't have rights on the 2900 router from my ISP, but from what I see it acts like a simple dual-WAN router.
Before I installed IPFire, I had an Ubuntu box as gateway; I did not see any specific rules that allowed that network traversal.
What I've done:
  • added aliases for the red external IPs;
  • added static routes for the manufacturer networks with gateway 10.100.200.1;
  • DNS forwarding to my Windows DC server for localdomain;
  • forwarded an external IP to my email server (also in the green zone).
I'm stuck on these incoming packets from the manufacturer networks; I need my computers, printers and servers to be exposed to those networks.
Any help will be appreciated.

Verify routing table and traceroute from
10.100.200.1
10.100.200.2
then verify if they are consistent with
10.100.200.3

Hello,
traceroute from 10.100.200.3 to 10.40.63.23

from 10.100.200.2 (IPFire)

I do not have access to 10.100.200.1 to test - it’s the manufacturer device.
The IT guy from them tells me that he sees 10.100.200.1 (his device) and 10.100.200.2 (my IPFire), but not getting to 10.100.200.3.
IPFire blocks the incoming communication from 10.40.63.23.
I have this rule:
Source : 10.40.63.0/24
Nat: unchecked
Destination: Standard Networks Green
Protocol: All
ALLOW

From IPTABLES - FORWARDFW
Chain FORWARDFW (1 references)
pkts bytes target prot opt in out source destination

0 0 LOG all * green0 10.40.0.0/16 10.100.200.0/24 limit: avg 10/sec burst 20 LOG flags 0 level 4 prefix "FORWARDFW "
0 0 ACCEPT all * green0 10.40.0.0/16 10.100.200.0/24

Which is the gateway for:

  • 10.100.200.2
  • 10.100.200.3
I am expecting that IPFire should not have a GW for the green interface, therefore for 10.100.200.3 it should be either IPFire or 10.100.200.1.

Does your counterpart know that your subnet should be 10.100.200.x/24?
Could you provide the route table for 10.100.200.3?

Hello,
10.100.200.3 has IPFire as gateway
10.100.200.2 is the IPFire and has an external IP as gateway.

Yesterday I added
"iptables -A CUSTOMFORWARD -d 10.40.0.0/16 -j ACCEPT"
This solved my issue; the manufacturer can now send me packets.
I also tested with an app that was sending print jobs to printers in my green zone.
I added my rules to /etc/sysconfig/firewall.local and now all is good.
Thank you for your support.


Are you sure you want to open everything like this? What is the point using a firewall then?

Thank you for your concerns, they are welcome.
The class 10.40.0.0 is private, unless the manufacturer will try something …
I will update the rules, do some fine tuning, change to 10.40.63.23/32 and add port and destination.
I don't have the whole map configured yet; I'm new to this network - I haven't yet figured out all the services that run through the manufacturer networks to my LAN.
The main reason for the firewall was for the other one, the main internet connection.
If you think I have other options, please let me know.
Thanks.
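As an added example (not the poster's own firewall.local and not IPFire project code), this is the shape a /etc/sysconfig/firewall.local could take once the broad `-d 10.40.0.0/16 -j ACCEPT` is narrowed to the host, destination and port described above. The addresses 10.40.63.23 and 10.100.200.3 come from the thread; the SMB port 445 for the share, the printer placeholder entry and the reliance on IPFire's existing established/related handling are assumptions.

```shell
#!/bin/sh
# Added example of /etc/sysconfig/firewall.local (not the poster's file, not
# IPFire project code). IPFire calls it with start|stop|reload, and rules in
# CUSTOMFORWARD are checked before the web-UI forward rules.

# Hosts from the thread: the manufacturer server that drops files, and the
# local server holding the share.
MFG_HOST="10.40.63.23/32"
LOCAL_SHARE="10.100.200.3/32"

# Allow list of "destination protocol dport" entries. Port 445 (SMB) for the
# share is an assumption; add printers as extra lines, e.g.
# "10.100.200.50/32 tcp 9100" (placeholder address, raw-print port assumed).
ALLOWED="
$LOCAL_SHARE tcp 445
"

# With DRY_RUN set, print the iptables command instead of running it so the
# generated rules can be reviewed before they are loaded.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# $1 is -A (start) or -D (stop). The rule text is identical both ways so that
# stop removes exactly what start added. Only new connections from the one
# manufacturer host to the one local service are accepted; replies are assumed
# to be handled by the established/related rule IPFire applies earlier in FORWARD.
apply_rules() {
    action="$1"
    echo "$ALLOWED" | while read -r dst proto port; do
        [ -n "$dst" ] || continue
        ipt "$action" CUSTOMFORWARD -s "$MFG_HOST" -d "$dst" \
            -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
}

case "${1:-}" in
    start)  apply_rules -A ;;
    stop)   apply_rules -D ;;
    reload) apply_rules -D; apply_rules -A ;;
    *)      echo "Usage: $0 {start|stop|reload}" ;;
esac
```

Run it with `DRY_RUN=1 sh firewall.local start` first to see exactly which rules would be loaded.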

Exactly.

I think you should split the network into more smaller parts and potentially consider ORANGE as the right network to connect to your other location. That is based on the little information I have.