Good morning everyone!
I am making some changes at home and need your help.
This in the picture is the final project.
I just have a problem configuring the VLANs inside the IPFIRE (a mini pc with 2 ethernet ports RED and GREEN).
I need to create these VLANs:
VLAN10 → WIFI STANDARD
VLAN50 → WIFI GUEST
VLAN100 → BACKUP
VLAN150 → SERVER SUBNET
Configuring the switch (CISCO CBS250-16P-2G) and WiFi networks with dedicated VLANs is no problem.
Can you tell me where to make the correct changes?
If I didn't read wrong, I have to set them from here: /var/ipfire/ethernet/vlans.
If I have to make the configurations in that file, I would like to understand if there will be problems between the various ‘zones’, since we are talking about blue zone (guest) and orange zone (dmz)? Or can I set up iptables without any problems?
In VLAN150 there will be: domain controller, file server, DHCP/DNS server, backup server.
VLAN100 is the storage / backup with 4 GB bonded ports.
Even though we don't use VLANs that way, because it's really easy to hack, you can do that. But don't use the zone page in the GUI, because it's going to overwrite it.
VLANs in IPFire work like they should: being an extension patch for another network on the same media and not carelessly used for VLAN grouping for firewall rules.
That would be the valid way of doing that, even though it's not as good compared to using the color zones and firewall group rules.
The difference between the two is that the firewall rule is applied to the VLAN instead of the MAC address of the connected client. So it's a lot easier to hack a VLAN and gain access.
But if I only use authentication with MAC ADDRESS (whitelist) of the clients / servers in my network, I can have more control through iptables.
In this case I can use the Zones at my convenience.
Consider that I must also configure URL filter, IDS/IPS, web proxy, etc.
If, in comparison, you tell me that it would be better to configure the VLANs through the Zones, I proceed in that way; otherwise in the other method explained above.
If you are going to try and manually create the VLANs via the command line, then you can physically do that, but then you will also have to modify the code for the Intrusion Prevention System, DHCP server (unless using a separate DHCP server), Web Proxy (if using it), IPSec and/or OpenVPN access, etc., as the code for all of those will have no knowledge of the VLANs you will have created.
So you would also have to manually create all firewall rules for your VLANs, as again the existing firewall rules code will not know anything about those VLAN interfaces.
You would also need to look at the code for the startup of the networking stack to ensure that all your additional VLANs are properly started up and the firewall rules you will have written are all installed when doing a boot.
This will also mean that any changes to any of the Web User Interface pages could likely replace some of your code changes, and any Core Update could result in overwriting some or all of your changes.
Then I can 'play' with the zones by assigning dedicated VLANs for the NIC GREEN,
working on the configurations in vlans and settings (/var/ipfire/ethernet/vlans and /var/ipfire/ethernet/settings).
(I have not checked whether I can add the other zones from the gui).
And with iptables set up the routing rules, etc., that I will need.
After everything is up and running (I hope), I make a full backup of the configurations.
In theory, by doing this I should not lose the configurations at the next system upgrade.
It would be ironic if after the OS upgrade I find my iptables reset.
If you have any other ideas, let me know.
I certainly don’t want to replace my IPFIRE with another OS (e.g. PFSENSE) just for the problem of creating and managing VLANs.
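As an added illustration of the manual route discussed in this thread (example code, not from the thread or from IPFire itself): a POSIX shell script that creates the four VLAN sub-interfaces on the GREEN NIC and emits iptables FORWARD rules keeping guest WiFi (VLAN 50) away from the backup and server VLANs. The parent interface name green0 is an assumption; with DRY_RUN=1 (the default) the commands are printed rather than applied, and as the replies above note, nothing here is known to the IPFire GUI or preserved across Core Updates.

```shell
#!/bin/sh
# Added example, not IPFire's own tooling. Builds the VLANs from the
# thread (10, 50, 100, 150) on the GREEN NIC and isolates guest WiFi
# (VLAN 50) from backup (100) and server subnet (150) with iptables.
# PARENT is an assumed interface name; override it in the environment.
# DRY_RUN=1 prints the commands; DRY_RUN=0 executes them (needs root).

PARENT="${PARENT:-green0}"
DRY_RUN="${DRY_RUN:-1}"

# run_cmd: print the command in dry-run mode, otherwise execute it.
run_cmd() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vlan_iface_cmd <parent> <id>: ip(8) command creating <parent>.<id>
vlan_iface_cmd() {
  printf 'ip link add link %s name %s.%s type vlan id %s' "$1" "$1" "$2" "$2"
}

# isolate_rule <src_iface> <dst_iface>: drop forwarded traffic src -> dst
isolate_rule() {
  printf 'iptables -A FORWARD -i %s -o %s -j DROP' "$1" "$2"
}

# setup_vlans: create all four VLANs, bring them up, then block the
# guest VLAN from reaching the backup and server VLANs in both directions.
setup_vlans() {
  for id in 10 50 100 150; do
    run_cmd $(vlan_iface_cmd "$PARENT" "$id")
    run_cmd ip link set "$PARENT.$id" up
  done
  for dst in 100 150; do
    run_cmd $(isolate_rule "$PARENT.50" "$PARENT.$dst")
    run_cmd $(isolate_rule "$PARENT.$dst" "$PARENT.50")
  done
}
```

Run `DRY_RUN=1 sh script.sh` after appending a `setup_vlans` call to review the twelve commands before applying any of them.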
I really don’t understand why you want to run it like PFSense that uses vlans improperly to establish firewall groups.
What is the real purpose for the vlans in the first place?
Let's look at your VLAN set:
VLAN10 → WIFI STANDARD
VLAN50 → WIFI GUEST
VLAN100 → BACKUP
VLAN150 → SERVER SUBNET
OK, so you need a blue/green/orange net.
Assuming WiFi standard is networking with green,
then the Guest (WiFi) network is blue, but standard WiFi is green (10).
Assuming the server subnet is for green clients and backup is a DMZ that may or may not be port forwarded: backup is orange and the server subnet is green (10).
That would be one of the logical ways to patch it, but it should be:
Blue → WIFI STANDARD firewall group with networking with others rules
Blue → WIFI GUEST firewall group with isolated networking rules
Orange → SERVER SUBNET firewall group that networks with others
Orange → BACKUP firewall group that is assigned clients