WLAN -> Green error

Hello, since the last update, no device can be transferred from the blue network to the green network. I can't find any error. It's possible that this has been going on for a long time; it has only been noticed now because a new notebook has been purchased. Everything works via LAN and the user also gets his drives via script. But if he logs into the IPFire via Wi-Fi, he gets no access. Ping reaches the server (DNS and IP) but apparently there is no access to the file service.
I opened the blue network to the green one in the firewall, but it doesn't seem to be working. I'm not that experienced in this area. Can someone help me?

Your Blue to Green firewall rule has logging enabled, so what messages do you see in the logs when you try to connect from one of your blue machines to a green machine?

That looks like the communication passed through IPFire. There is no DROP status for the packets.

Maybe you need to look at the logs for your server on Green to see what happened with the communication when it got to the server.

I have now activated logging for green.

The notebook has 192.168.181.54.

I meant that you need to look at the logs on your server 192.168.180.1 to see why the blue communication is being ignored.

As far as I can tell the firewall has passed the communication from your Blue notebook 192.168.181.54 successfully to the PC with the IP 192.168.180.1.

You have the same message from a machine on Green (192.168.180.27) that also communicated to 192.168.180.1

OK, 192.168.180.1 is the IPFire.
192.168.180.26 and .27 are the file servers.
The proxy runs on the IPFire.
Could it be that the proxy is preventing something here?

Aaah.

Some new capabilities were brought in on one of the recent Core Updates. I can't remember which at the moment.

In the Proxy WUI page under Network based access control there are two checkboxes which you might want to test unchecking if you have them checked as they stop proxy use across subnets.

If they are not checked then I don’t really know, except that you could try disabling the proxy and see if the laptop can then successfully make a connection. If yes then there is something about the proxy causing the problem.

Hopefully it is as simple as the checkboxes under the Network based access control.

They were checked. Shouldn't they also be checked so that they allow access?
I have already deactivated the proxy, but without success.

This is what is written in the wiki on these checkboxes.

Disable internal proxy access to Green from other subnets:

If the proxy is activated and used for both zones (blue and green), the blue zone is allowed to reach the green network via HTTP or HTTPS, regardless of the settings of the firewall (see the default IPFire circuit → Network topologies and access methods). If the green zone must also be isolated inside the proxy, the checkbox shown in the figure needs to be set.

Disable internal proxy access from Blue to other subnets:

Similarly to the previous checkbox, if the proxy is activated and used for both zones (blue and green), and you want to deny the blue network any access outside the blue space, the corresponding checkbox needs to be set. However, a direct access to IPFire is still granted. If you want to deny it, you have to do a manual customization and modify /var/ipfire/proxy/advanced/acls/include.acl.

This says to me that if you want to communicate from blue to green and green to blue via the proxy, then they need to be unchecked.

It doesn't matter whether it's enabled or disabled.
It is also the case that I have no internet from the Wi-Fi if I deactivate the proxy for blue.

Shouldn't it also say here that Blue to Green is allowed?

I read it again. Does that mean that from the blue network access to green is only possible via VPN?

These lines are not dynamically altered. These are the default conditions if no firewall rule is created to change them. By default Blue is blocked from accessing Green, but you have a firewall rule to allow that.

I am afraid I have run out of ideas of what further to look for. Hopefully other people have more ideas for things to investigate.

What seems a bit strange: you should be seeing logs with connections from 192.168.181.54 to 192.168.180.26/.27, but it seems there are none. Maybe you can try to telnet to port 445 from the notebook to the file server? Do you then have any lines in the log?

Also, the "Blue → Internet (allowed) → Green (blocked)" would mean to me that connections from blue to green are blocked (but Internet is allowed), and the question is whether the first firewall rule with blue to green via the subnet is working as expected.
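
One way to carry out the check suggested above (connect to port 445 from the notebook) and at the same time tell a firewall DROP apart from a reachable host with no listener, as an added example that is not part of this thread or of IPFire. The addresses are the ones posted in the thread; the port list and the three-second timeout are assumptions:

```python
"""Probe the Green file servers from the Blue notebook and classify each result.

Added example, not from the thread. A 'timeout' means the SYN got no answer at
all (typically dropped by a firewall, IPFire or the host's own), while 'refused'
means the packet reached the host and the kernel answered with RST, i.e. the
firewall path is fine and only the service is missing.
"""
import errno
import socket

FILESERVERS = ["192.168.180.26", "192.168.180.27"]   # from the thread
IPFIRE = "192.168.180.1"                             # from the thread
# Assumed port list: SMB over TCP, legacy NetBIOS session service, DNS as a control
PORTS = {445: "SMB", 139: "NetBIOS-SSN", 53: "DNS"}


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'error:<ERRNO>' for one TCP port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def interpret(result):
    """Translate a probe result into what it says about the path Blue -> Green."""
    if result == "open":
        return "listener reached: firewall and service are fine on this port"
    if result == "refused":
        return "host reached, nothing listening: the firewall passed the packet"
    if result == "timeout":
        return "no answer: packet dropped in transit (firewall DROP or host firewall)"
    return "other error: " + result


def run_probe(hosts=tuple(FILESERVERS), ports=tuple(PORTS), timeout=3.0):
    """Probe every host/port pair and return {(host, port): result}."""
    return {(h, p): probe_tcp(h, p, timeout) for h in hosts for p in ports}


if __name__ == "__main__":
    for (host, port), result in run_probe().items():
        print(f"{host}:{port} ({PORTS[port]}): {result} -> {interpret(result)}")
```

Run it on the notebook while connected via Wi-Fi and compare with a run from a Green machine such as 192.168.180.27: if 445 times out only from Blue while DNS to the IPFire works, the packet is being dropped between the zones and the firewall log for the Blue to Green rule should show it; if it is refused, the packet reached the server and the problem is on the file server itself.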

The rule Blue to Green does not work if the proxy is active; it doesn't matter whether the checkbox "disable proxy to green or blue" is checked or unchecked. I have now worked around it differently by removing Blue from the proxy. With that, the rule Blue to Green works. Now I don't have a proxy for the device, but I can live with that because the notebook owners actually only have the devices for the home office. Thank you.