Unusual network config

I need help configuring my network. I have an unusual setup:

All the IPs in this diagram are not the real ones, but similar.
I have 2 networks:

  1. VPN from our manufacturer - he has multiple networks behind it.
  2. Internet line from my ISP - with 3 external IPs.

I have the IPFire after the Cisco 2900 - that switch is managed by my ISP.
My clients (PCs) need to access the networks behind the manufacturer VPN and the reverse - the servers from the manufacturer need to access printers, shares and app servers that are on my LAN.
I added static routes for the manufacturer networks with gateway
I can get from my green zone clients to those networks, and some apps and printers work. For some printers I needed to change the gateway to
The problem is that I have a share on a server where another server from the manufacturer network needs to place some files every day around 4 AM. I contacted the manufacturer's IT; they can get to and to, but they don't get a ping from (local server). A traceroute from my server to the manufacturer server is OK - it ends in 10 hops, but from the manufacturer to me it reaches over 30 hops and stops.
Because is in the green network, IPFire treats it like a green client.
I don't have rights on the 2900 router from my ISP, but from what I see it acts like a simple dual-WAN router.
Before I installed IPFire, I had Ubuntu as gateway; I did not see any specific rules that allowed that network traversal.
What I've done:
  • added aliases for the red external IPs;
  • added static routes for the manufacturer networks with gateway;
  • DNS forwarding to my Windows DC server for localdomain;
  • forwarded an external IP to my email server (also in the green zone).
I'm stuck on these incoming packets from the manufacturer networks; I need my computers, printers and servers to be exposed to those networks.
Any help will be appreciated.

Verify the routing table and traceroute from
then verify if they are consistent with

traceroute from to

from (IPFire)

I do not have access to to test - it's the manufacturer's device.
Their IT guy tells me that he sees (his device) and (my IPFire), but is not getting to
IPFire blocks the incoming communication from
I have this rule:
Source:
Nat: unchecked
Destination: Standard Networks Green
Protocol: All

Chain FORWARDFW (1 references)
pkts bytes target prot opt in out source destination

0 0 LOG all * green0 limit: avg 10/sec burst 20 LOG flags 0 level 4 prefix "FORWARDFW "
0 0 ACCEPT all * green0

Which is the gateway for:

I am expecting that IPFire should not have a GW for the green interface, therefore for should be or IPFire or

Does your counterpart know that your subnet should be 10.100.200.x/24?
Could you provide the route table for

Hello, has IPFire as gateway, is the IPFire, and has an external IP as gateway.

Yesterday I added
"iptables -A CUSTOMFORWARD -d -j ACCEPT"
This solved my issue; the manufacturer can now send me packets.
I also tested with an app that was sending print jobs to printers in my green zone.
I added my rules to /etc/sysconfig/firewall.local and now all is good.
Thank you for your support.


Are you sure you want to open everything like this? What is the point of using a firewall then?

Thank you for your concerns; they are welcome.
The class is private, unless the manufacturer tries something …
I will update the rules, do some fine tuning, change to and add port and destination.
I don't have the whole map configured yet; I'm new to this network - I haven't yet figured out all the services that run through the manufacturer networks to my LAN.
The main reason for the firewall was the other one, the main internet connection.
If you think I have other options, please let me know.
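What the "port and destination" tightening mentioned above could look like in firewall.local, as an added example that is not from this thread or from IPFire itself: it keeps the CUSTOMFORWARD chain and the start/stop/reload layout that IPFire's firewall.local uses, but replaces the blanket ACCEPT with per-service rules. The manufacturer subnet, the file server and the printer addresses are constructed placeholders, and DRY_RUN=1 is an assumed switch that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: a tightened /etc/sysconfig/firewall.local
# for IPFire. The thread's one-liner "iptables -A CUSTOMFORWARD -d <green> -j ACCEPT"
# lets every manufacturer host reach every green host on every port; this version
# admits only the services the thread names (the file share and print jobs).
# All addresses below are constructed placeholders; substitute your own.
MFR_NET="192.0.2.0/24"          # placeholder: networks behind the manufacturer VPN
FILE_SERVER="10.100.200.10"     # placeholder: green server receiving the 4 AM files
PRINTER_A="10.100.200.21"       # placeholder: printers driven from the remote site
PRINTER_B="10.100.200.22"

# Allow list, one "proto destination port" entry per line.
ALLOWED="tcp $FILE_SERVER 445
tcp $PRINTER_A 9100
tcp $PRINTER_B 9100"

# Execute a command, or only print it when DRY_RUN=1 (review before applying).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Build the CUSTOMFORWARD rules; $1 is -A (install) or -D (remove).
custom_forward_rules() {
    action="$1"
    # Replies to connections that green hosts opened toward the manufacturer.
    run iptables "$action" CUSTOMFORWARD -s "$MFR_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections from the manufacturer only to the listed host:port pairs.
    echo "$ALLOWED" | while read -r proto dst port; do
        [ -n "$proto" ] || continue
        run iptables "$action" CUSTOMFORWARD -s "$MFR_NET" -d "$dst" \
            -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Everything else from that side is logged (rate limited) and dropped,
    # so a broad GUI rule later in FORWARD cannot silently widen access.
    run iptables "$action" CUSTOMFORWARD -s "$MFR_NET" \
        -m limit --limit 10/sec -j LOG --log-prefix "MFR-DROP "
    run iptables "$action" CUSTOMFORWARD -s "$MFR_NET" -j DROP
}

case "$1" in
    start)  custom_forward_rules -A ;;
    stop)   custom_forward_rules -D ;;
    reload) "$0" stop; "$0" start ;;
esac
```

Run it with `DRY_RUN=1 sh firewall.local start` first to read the generated rules, and check the "MFR-DROP" lines in the firewall log afterwards to find any service that still needs an entry in the allow list.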


I think you should split the network into smaller parts and potentially consider ORANGE as the right network to connect to your other location. That is based on the little information I have.