VPN (GL.inet - Brume 2) in DMZ?

Hey!
I want to user wireguard to connect to my home network while being outside. So I bought the Brume 2 for I think it’s a good solution. Now I have two questions.

  1. What is the best (secure) network setting for that case? Should I put the Brume 2 to the DMZ
  2. I use PiHole within my network as DNS (it’s connected within green Network). Should I then give access to the PiHole-IP within green network?

Or is there a better solution for that?

Cheers
fstarter

#Edit:
So I set this VPN-Server to DMZ with 10.1.1.2 and made a rule for my laptop to connect to the 10.1.1.2 from wifi (to manage the Blume 2 within the network). But I get no connection. The logs show me, that the connection was forwarded, but I still can not connect. If I connect directly with the LAN cable and laptop via dhcp it works and shows me the correct IP of the Blume 2 (10.1.1.2).

Somebody an idea?

#Edit2:
I can see 10.1.1.2 in “who is online”. If I ping, I get no answer, but in the ipfire logs I see the forwarding for ICMP from the laptop IP.

By design, you cannot directly access the green network from the DMZ. If this is a requirement for you, it is possible to establish a connection by opening the firewall to a specific machine in the orange network. This practice, known as a ‘pinhole,’ allows communication between the specified machine in the orange network and the blue/green network. You can find more information on configuring pinholes in the DMZ pinholes wiki page.

In my opinion, it would be advisable to place the VPN gateway in the Green zone rather than opening a pinhole on the orange network. Opening a pinhole on the orange network can undermine the fundamental purpose of having a DMZ. However, if you choose to proceed with this approach, it is crucial to ensure that the VPN gateway is dedicated solely to VPN functionality, accepting only intended connections protected by cryptographic keys. This minimizes potential vulnerabilities.

You also need to create all the rules in the firewall to allow the Tunnel to be established, including the correct port forward rules.

From your message it is not clear to me to which Access Point you are trying to connect. An IPFire access point in the blue zone, or directly the VPN gateway?

@cfusco
Seems he try to connect from blue to orange there to the Brum2.

@fstarter
The DMZ is closed eth side, you need to add an firewall rule, for every thing you need from DMZ and to DMZ.
I add example rule screenshot, I use for the NAS at DMZ for my private blocklists there to be downloaded from there:

BR
Trash

thanks for the answers!

The thing is, I’ve done it all.

  1. changed the IP of the VPN-Server (Brume2 hardware gateway from GliNet) to 10.1.1.2
  2. made a host with 10.1.1.2 and named it DMZ
  3. connected Brume2 to the orange network on ipfire
  4. made a rule for 1 host in blue network (my laptop) to access the DMZ (10.1.1.2) - Pinhole.
    This rule is just there to configure the VPN-Server (Brume2). It make sense to deactivate this rule, when I’m ready with the settings.

Now if I want to access the GUI via browser on 10.1.1.2 and dedicated laptop, I get no connection. The ping (to 10.1.1.2) doesn’t work (I get nothing back).

The logfiles of ipfire show me, that the ping AND the connection via 80 or 443 is forwarded from the laptop to the 10.1.1.2.

So, as it seems, there is a problem despite the settings.

#Edit:
so, if I deactivate the access to the VPN-Server in Orange from blue after I make all settings within the server, is it a good Idea to let the VPN-Server to be in the DMZ? And what about, if I grant access from this DMZ (10.1.1.2) to the piHole in green?

I just have no good feeling to put the VPN server in green and make it accessible from outside. So there is then the direct connection to the internal network.

did you authorize the MAC address of your laptop by disabling the MAC address filtering?

I made it some time ago. But I clone the MAC and random it in the laptop. I have no problems to connect (I’m also now with this laptop online here). But maby it makes problems within ipfire rules?

#Edit: as it seems, I deactivated the MAC filter for wifi.

#Edit2: maby it has to do with some DNS settings within the Brume2? But in that case, It should be possible to ping it.

#Edit3:
DMZ has 10.1.1.1/24

The ICMP protocol functions at the Network layer (Layer 2 or 3 depending on how you count) of the OSI model, while the rule you’ve implemented affects the Transport layer (Layer above, 3 or 4 depending on how you count), where TCP/UDP protocols operate. By opening port 80 from the laptop to the VPN machine, you’ve allowed only TCP protocol traffic on port 80, not affecting other types of traffic such as ICMP. You should be able to ping from the green network, is this the case?

ok and if I allow all protocols, then the ping should work, isn’t it?

Yes, I believe so. You could also allow just the ICMP protocol.

that’s it, but I get just no answer for ping. But the ipfire log shows that the ICMP is forwarded from blue (laptop) to the DMZ (10.1.1.2). Just as the http and https requests. So the logs show that everything works. But I get no connection.

Probably you need to do the same on the other direction.

Edit: to clarify, the return traffic is allowed automatically, however there could be some network issue with the orange zone. Can you ping and access the VPN machine from green?

the same issue from green to the VPN server in the DMZ. I made a rule from the green Laptop client to the DMZ server IP. Also no answer for ping.

You seem to have an additional issue concerning connectivity from the green network to the VPN server in the DMZ. You’ve set up a rule from the green network’s laptop client to the DMZ server IP, but still, you’re not receiving a ping response. That rule is completely unnecessary as green has no such restrictions.

This could potentially be due to a configuration issue in the orange network or an internal issue with the VPN gateway. However, I suspect the VPN gateway might be the primary concern here.

To investigate further, try connecting the VPN gateway to the green network using a network cable, and do the same for the laptop. If you’re unable to access the VPN gateway under these conditions, then the issue likely lies with the gateway machine itself.

thanks for the idea!
So I gave the VPN server the green IP, connected it to the green and I can access the GUI in browser. So everything works. As it seems, there are some problems within the orange zone, isn’t it?

Maybe a set at firewall, or at proxy, or browser?
Firewall options for BLUE interface; Drop all packets not addressed to proxy?
Proxy URL-Filter; Block sites accessed by it’s IP address?
Browser as ex. Firefox, there maybe force the use of proxy, or an IP range for none Proxy use?

You should have the possibility to ping device at DMZ with the rule, if you set to “All”.
But you wouldn’t be able ping by IPFire itself to device at DMZ, that is normal and needs a additional rule.

BR
Trash

nope, nothing of these settings.

very strange

The rule from green and blue to DMZ is there. I even allowed the whole GREEN to access the whole ORANGE. No effect. It seems nothing to do with the firewall. But what could it be then?

#Edit:
I allowed forward and outgoing for the whole firewall. The issue stays. So it has nothing to do with the firewall rules.

#Edit2: I checked the netmask of the ORANGE and the VPN-Server. They are both 255.255.255.0
I set the DNS of the VPN-Server to external VPN (OpenDNS).
There is a rule for the VPN-Server to the RED with protocoll “all”.

But the issue stays.

#Edit3:
I set the gateway in the VPN server to 10.1.1.1. But no effect.
If i look at logfiles for 10.1.1.1, I can see drops for TCM and ICMP to 10.1.1.2. Is it maybe the problem?

Ok, just as I thought. At the end it will be a really stupid thing.
There is no gateway setting directly in the Brum 2 from GliNet. And I just forgot to think about it. So you must go to the advanced settings (LUCY) and set there gateway (in my case 10.1.1.1) to the LAN port you use. Then you should save and apply to the LAN port. As it seems, it’s not enough just save and apply and the end of the page.

After that, I get connection.

1 Like

F Starter: I stopped using GL Made in China when the back.door picture became too loud to ignore: is it true or propaganda?

do you have some more infos about it?