I am new to the ipfire community, have set up a miniPC with 4 interfaces (2 PCI Ethernet NICs and 2 USB NIC Adapters) and have started to play around with the thing.
Now for starters I do not want to do anything with green or orange interfaces other than allow my laptop on green to connect to the firewall by ssh and webGUI.
My first goal is to allow devices connected to my wifi access point to use the Internet. However, when I configured things like I thought they should work, nothing did.
When troubleshooting I found out that there were two weird entries in the iptables that did not make sense to me at all, one in the INPUT chain and one in the FORWARD chain - I will show them here with a leading line so you can see where they were added:
-A INPUT -j GUIINPUT
-A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
-A FORWARD -j IPSECFORWARD
-A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
As far as my knowledge of iptables goes, those entries were responsible for everything coming from the blue0 interface being dropped, and I also thought those entries were not necessary, as connection tracking is done in the CONNTRACK chain already.
Well, I just went ahead and deleted the two entries from iptables, which resulted in fewer log entries but still no connectivity for my wifi devices.
I searched on and at the end of the iptables configuration found the following line:
-A NAT_SOURCE -s 10.10.10.0/24 -m policy --dir out --pol none -j SNAT --to-source 0.0.0.0
While the 10.10.10.0/24 is the network I set up for my wifi, the “to-source 0.0.0.0” baffled me, because I would have expected to see the address of the firewall red0 interface there. Well, short story: I changed the address to the red0 one and hey, suddenly my wifi devices are on the internet.
Now of course I am curious if anyone can give me an explanation. I am willing to provide full configuration data of course, but I am not sure if just posting several hundred lines here would be sensible.
P.S.: And I would be thankful for a hint on how I can make my changes to the iptables permanent. I did the upgrade from Core 159 to Core 160 and voila - the weird entries returned …
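Added diagnostic, not part of the post or of IPFire itself: a small shell check that scans iptables-save style output for exactly the two things found above, an SNAT rule whose --to-source is 0.0.0.0 and the chains that intercept NEW connections in INPUT and FORWARD. The rule sample is constructed to mirror the quoted lines; the second network and the 203.0.113.5 address are made-up values for contrast.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, modelled on the rules quoted
# in the post (the 192.168.1.0/24 rule and 203.0.113.5 are made up).
SAMPLE_RULES='*filter
-A INPUT -j GUIINPUT
-A INPUT -m conntrack --ctstate NEW -j WIRELESSINPUT
-A FORWARD -j IPSECFORWARD
-A FORWARD -m conntrack --ctstate NEW -j WIRELESSFORWARD
COMMIT
*nat
-A NAT_SOURCE -s 10.10.10.0/24 -m policy --dir out --pol none -j SNAT --to-source 0.0.0.0
-A NAT_SOURCE -s 192.168.1.0/24 -m policy --dir out --pol none -j SNAT --to-source 203.0.113.5
COMMIT'

# Print every SNAT rule whose --to-source is 0.0.0.0. Packets matched by such
# a rule leave with a source address that is not routable, so replies can
# never come back: exactly the "no connectivity, little logging" symptom.
find_unspecified_snat() {
    printf '%s\n' "$1" | awk '
        /-j SNAT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--to-source" && $(i+1) == "0.0.0.0") { print; break }
        }'
}

# List the target chains that a given chain jumps to for NEW connections only
# (the --ctstate NEW pattern found in INPUT and FORWARD), so you can see which
# chains get first say on a fresh wireless connection before the generic rules.
list_new_conn_jumps() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain && /--ctstate NEW/ {
            for (i = 1; i <= NF; i++) if ($i == "-j") print $(i+1)
        }'
}

# On a live box, feed the real ruleset instead of the sample:
#   find_unspecified_snat "$(iptables-save)"
find_unspecified_snat "$SAMPLE_RULES"
list_new_conn_jumps "$SAMPLE_RULES" INPUT
list_new_conn_jumps "$SAMPLE_RULES" FORWARD
```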