Zone Configuration in WebGUI is a bit difficult to understand

The wiki page does have a dedicated section for Zone Configuration where the options are explained, but I still feel discouraged to try and set my desired scenario (I fear to lock myself out, as warned in several threads on this forum).

I have installed IPFire as an internal firewall/router. Configuration with:

eth0= Red, 192.168.0.2
eth1= Green, 192.168.10.1/24
wlan0= Blue, 192.168.11.1/24

Blue is configured as an AccessPoint; any client can log in without restrictions.
Green and blue are served with their own DHCP configuration.

This is what I currently have in Zone Configuration:

I would like to bridge green and blue, basically any client on either of those networks should be in the same IP-pool. The bridged network should behave same as my current green network.

Should I configure my bridge as below?

If this is correct, should I then disable DHCP on blue? (Or should I do that first?)

Any advice will be greatly appreciated!

Then why not have your AP on Green? Assuming you have an AP.


I want cable-LAN clients and wireless-WLAN clients bridged in the same network, all devices should be on 192.168.10.0/24 no matter how they connect.

Is this possible?

Hi igor_k,

As havacguy pointed out, you can connect the WLAN AccessPoint to the switch which connects to GREEN. Then you have the same IP address pool (which you said is ok). From the firewall point of view, IPFire would not have to handle these packets (GREEN - “BLUE” (which is GREEN too)) and therefore has much more performance.

Using BLUE as BLUE is only advisable if you want to treat all wlan clients as untrustworthy.


Thanks all for the feedback here, much appreciated!

I may have been unclear or incomplete in my description: I don’t have a WLAN AccessPoint in my setup.

I have 1 PC (Zotac Zbox CI329) with 2x NIC (Realtek PCIe GBE Family) and 1x WiFi card (Intel Wireless-AC 9462). On this PC, I have installed and configured IPFire (as per the details in my initial post).

I hope this helps to clarify? I will see if I can prepare a graph to explain my network-setup later today…

Hi @igor_k ,

Your explanation has made it clear now. You have one NIC connected to red, another to green, and your internal wifi card is the wlan0 NIC, which is currently set to blue.

You can’t bridge green and blue together because they are at zone level.
What you can do is bridge the eth1 and wlan0 NICs together into Green.

So in your original picture of what you proposed to do the Green setting is correct with native selected for eth1 and wlan0.
The blue setting should be None for all three NICs. That means that the blue zone will not be used.
Both your eth1 connection and your wlan0 connection will be the Green zone, and IPFire acts as a switch between the two NICs. Then your DHCP on Green will provide IP addresses to both your wireless and wired clients from the same subnet.

You will then have a Red and Green setup only but with two nics bridged on Green.

Hope this helps.

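A quick way to confirm that the zone change described above actually took effect is to look at which NICs the kernel reports as ports of the green bridge. The script below is an added example, not code from the thread or from IPFire; it assumes that IPFire names the bridged green zone `green0` and that the kernel lists bridge ports under `/sys/class/net/<bridge>/brif/` (both labelled as assumptions in the comments). `SYSFS_NET` can be pointed at a constructed directory tree so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from IPFire): verify that, after
# switching GREEN to bridge mode, both NICs are ports of the green bridge.
# Assumptions: IPFire names the bridge "green0", and the kernel exposes
# bridge ports as directory entries under /sys/class/net/<bridge>/brif/.
# SYSFS_NET may be overridden to test against a constructed tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# list_bridge_ports BRIDGE -> prints the port names, one per line, sorted.
# Returns 1 if BRIDGE is not a bridge (no brif directory).
list_bridge_ports() {
    brif="$SYSFS_NET/$1/brif"
    [ -d "$brif" ] || return 1
    ls "$brif" | sort
}

# check_bridge_ports BRIDGE PORT... -> 0 if every PORT is enslaved, else 1.
check_bridge_ports() {
    bridge="$1"; shift
    ports="$(list_bridge_ports "$bridge")" || {
        echo "$bridge is not a bridge" >&2
        return 1
    }
    rc=0
    for want in "$@"; do
        if printf '%s\n' "$ports" | grep -qx "$want"; then
            echo "ok: $want is a port of $bridge"
        else
            echo "MISSING: $want is not a port of $bridge" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sysfs tree mirroring the target state from the thread
# (eth1 and wlan0 bridged into green0, red0 a plain NIC), so the example
# can run on a machine that is not an IPFire box.
make_demo_sysfs() {
    d="$(mktemp -d)"
    mkdir -p "$d/green0/brif/eth1" "$d/green0/brif/wlan0" "$d/red0"
    echo "$d"
}

# Usage on a live IPFire system:  ./check_green_bridge.sh green0 eth1 wlan0
# Offline demo against the constructed tree: ./check_green_bridge.sh --demo
if [ "${1:-}" = "--demo" ]; then
    SYSFS_NET="$(make_demo_sysfs)"
    check_bridge_ports green0 eth1 wlan0
elif [ $# -ge 2 ]; then
    check_bridge_ports "$@"
fi
```

If `wlan0` is reported as missing, the zone change did not enslave the wireless card and wireless clients will not receive addresses from the green DHCP range. Once it is listed, keep in mind the earlier caveat in this thread: every wireless client is now a fully trusted green host, so the AP's own authentication is the only thing standing between the air and your wired LAN.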

@bonnietwin (and others!): Excellent! Thank you, with your explanation I feel confident to apply changes to my Zone Configuration!

Unfortunately, I need some more help… After assigning both eth1 and wlan0 to my green network (set as “bridge”) and removing wlan0 from the blue network, the Access Point configuration got tossed out.

To configure my Access Point I had installed hostapd via my Pakfire configuration. With this, I had the option to set it up through the menu “IPFire” → “WLanAP”, which now displays the message: “Selected interface is not a wirless lan card!”

Now, my wlan0 no longer appears as an AccessPoint to the wireless clients in the network…

This is a known problem. The WlanAP GUI is not able to choose wlan0 at the moment.
You have to edit the NIC manually in /var/ipfire/wlanap/settings.
If you change blue0 to wlan0 the GUI should work again.
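For anyone who wants to apply the manual edit above without hand-editing the file, here is an added example (not from the thread or from IPFire) that swaps the interface value with a backup and a sanity check. It assumes the settings file uses the `KEY=value` format found under `/var/ipfire/` and that the key holding the NIC is called `INTERFACE`; both are assumptions, so inspect the file first. The sample settings file built by `make_sample_settings` is constructed for an offline dry run.

```shell
#!/bin/sh
# Added example (not from the thread or from IPFire): change the WLanAP
# interface from blue0 to wlan0, as the reply above suggests.
# Assumptions: the settings file is KEY=value, one per line, and the NIC is
# stored under the key INTERFACE. Verify with: grep ^INTERFACE= <file>

# set_wlanap_interface FILE NEW_IFACE [OLD_IFACE]
# Rewrites INTERFACE=OLD_IFACE (default blue0) to INTERFACE=NEW_IFACE.
# Keeps a timestamped backup, overwrites the file contents rather than
# replacing the inode (so owner and mode stay as they were), and returns 1
# without touching the file if the old value is not present.
set_wlanap_interface() {
    file="$1"; new="$2"; old="${3:-blue0}"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    grep -qx "INTERFACE=$old" "$file" || {
        echo "INTERFACE=$old not found in $file, nothing changed" >&2
        return 1
    }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$(mktemp)"
    sed "s/^INTERFACE=$old\$/INTERFACE=$new/" "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
    echo "INTERFACE changed from $old to $new in $file"
}

# get_wlanap_interface FILE -> prints the current INTERFACE value.
get_wlanap_interface() {
    sed -n 's/^INTERFACE=//p' "$1"
}

# Constructed sample resembling the settings file, for an offline dry run.
# The SSID and CHANNEL lines are only there to show that other keys are
# left untouched; they are not taken from a real IPFire installation.
make_sample_settings() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
INTERFACE=blue0
SSID=ipfire-test
CHANNEL=6
EOF
    echo "$f"
}

# Dry run on the constructed sample:   ./wlanap_iface.sh --demo
# Real change (as root, after a dry run):
#   ./wlanap_iface.sh /var/ipfire/wlanap/settings wlan0
if [ "${1:-}" = "--demo" ]; then
    f="$(make_sample_settings)"
    echo "before: $(get_wlanap_interface "$f")"
    set_wlanap_interface "$f" wlan0
    echo "after:  $(get_wlanap_interface "$f")"
elif [ $# -ge 2 ]; then
    set_wlanap_interface "$1" "$2"
fi
```

Run the dry run first; it shows that only the `INTERFACE` line changes and that a second call reports nothing to do, which is the guard against accidentally rewriting the file twice. After the real edit, reload the WLanAP page as the reply above describes.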

Thanks for the quick heads-up! I reverted my changes and will see if I can get firewall rules in place for my needs. Editing /var/ipfire/wlanap/settings sounds beyond my capabilities.

Not sure I understand the issue. Zoning, in security terms here, is what a VLAN is in networking. These are just VLANs, like sub-interfaces on a physical interface. IPFire can only support a single red, green, orange and blue interface (without special configuration). You can include a combination on a single physical interface using VLAN tagging. So let's say you have a single ethernet interface: you can logically tag Green and Blue interfaces via VLANs on the same physical interface, but then the upstream switch must support VLANs also. It is just a way to map the specific zones/interfaces to logical interfaces on the same physical interface, but they are still treated as separate networks.