Blue to Green NOT blocked!

Posted: May 26th, 2019, 9:32 pm
by renatohtpc
I just noticed a peculiar behavior.

Running IPFire 2.23 (x86_64) - Core Update 131 with 3 ethernet cards, Red, Green and Blue.

Blue is connected to a Ubiquiti AP with security disabled. I am controlling access to the Wi-Fi by creating entries in the "blue access" list for each device I want to grant access to. I have also added the AP to this list as well (not sure if this step is required...)

DHCP Details

Green Interface
Start address: 192.168.111.200
End address: 192.168.111.254
Primary DNS: 192.168.111.1
Primary NTP server: 192.168.111.1

Blue Interface
Start address: 192.168.112.100
End address: 192.168.112.130
Primary DNS: 192.168.112.1 (Should this be 111.1 or 112.1 ?)
Primary NTP server: 192.168.111.1

Scenario
1) I connect my iPad to the blue network. The MAC address of the iPad is defined in the "blue access" list.
2) DHCP gives me the 192.168.112.119 address.
3) I try to access the Apache server running on 192.168.111.8.

To my surprise, I am able to access the server.

The firewall rules page displays the following:

GREEN -> Internet: Allowed, GREEN -> BLUE: Allowed
BLUE -> Internet: Allowed, BLUE -> GREEN: Blocked

I have NOT created any firewall rules to allow blue to connect to green.

Why am I able to access devices on green?

Thanks
Renato

Re: Blue to Green NOT blocked!

Posted: May 26th, 2019, 10:22 pm
by Arne.F
If you use the web proxy, you don't have a connection from blue to green.

Re: Blue to Green NOT blocked!

Posted: May 28th, 2019, 3:09 pm
by renatohtpc
Arne

that did indeed fix the problem.

One more question.

As I mentioned before, I have a
green network: 192.168.111.0/24
blue network: 192.168.112.0/24
OpenVPN Network: 192.168.20.0/24

Which one should I list in the "Network based access control" box?

Right now I have both the green and the blue listed.

Also, right now I have both "Disable internal proxy access to Green from other subnets" and "Disable internal proxy access from Blue to other subnets" checked.

Given that I only want to isolate the blue network (from the green), which one of these two options should I have checked?

Thanks
Renato
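The behaviour Arne.F points at, and the ACL question in the last post, come down to one fact: a request sent through the web proxy on the firewall never crosses from BLUE to GREEN as a routed packet, so the zone policy shown on the firewall rules page cannot block it. The following is an added example, not IPFire code or Squid code: a small Python model of the two paths a BLUE client can take to the Apache host, using the addresses from this thread. It assumes the proxy listens on port 800 (IPFire's default, as far as I know), that the firewall's own addresses are 192.168.111.1 and 192.168.112.1 as in the DHCP details, and it uses constructed ACL names (`localnets`, `blue_net`, `green_net`); the netfilter chain logic and the "no match means deny" rule are deliberate simplifications.

```python
"""Constructed model (added example, not IPFire code) of the two paths a BLUE
client can take to a GREEN web server: a routed connection, which the zone
policy's FORWARD rules see, and a connection through the web proxy on the
firewall, which they never see.  Addresses are the ones from the thread;
the zone policy and ACL tables are simplified stand-ins for the real rule sets.
"""
import ipaddress

# Zone subnets as posted in the thread.
ZONES = {
    "GREEN": ipaddress.ip_network("192.168.111.0/24"),
    "BLUE": ipaddress.ip_network("192.168.112.0/24"),
    "OPENVPN": ipaddress.ip_network("192.168.20.0/24"),
}
# The firewall's own address on each zone (green/blue from the DHCP details).
FIREWALL_ADDRS = {"GREEN": "192.168.111.1", "BLUE": "192.168.112.1"}
# Zone-to-zone policy as shown on the firewall rules page: (src, dst) -> allowed.
FORWARD_POLICY = {("GREEN", "BLUE"): True, ("BLUE", "GREEN"): False}
PROXY_PORT = 800  # assumption: IPFire's default web proxy port


def zone_of(addr):
    """Map an address to its zone; 'FIREWALL' for the firewall's own addresses."""
    ip = ipaddress.ip_address(addr)
    if str(ip) in FIREWALL_ADDRS.values():
        return "FIREWALL"
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "RED"  # anything else is treated as the Internet


def netfilter_verdict(src, dst):
    """Which chain sees a packet from src to dst, and whether it passes (simplified)."""
    s, d = zone_of(src), zone_of(dst)
    if d == "FIREWALL":
        return "INPUT", True       # a service on the firewall itself (proxy, DNS, ...)
    if s == "FIREWALL":
        return "OUTPUT", True      # the firewall's own outbound traffic
    return "FORWARD", FORWARD_POLICY.get((s, d), True)  # routed between zones


def direct_request(client, server):
    """Client opens a TCP connection straight to the server: one routed flow."""
    return netfilter_verdict(client, server)


# Squid-style ACLs: name -> (type, networks).  'src' matches the client address,
# 'dst' the requested server address.  Names are constructed for this example.
ACLS = {
    "localnets": ("src", list(ZONES.values())),
    "blue_net": ("src", [ZONES["BLUE"]]),
    "green_net": ("dst", [ZONES["GREEN"]]),
}


def proxy_decision(rules, client, server):
    """Evaluate http_access-style rules, first match wins; every ACL named on a
    line must match (logical AND); no match at all means deny (simplification)."""
    c, s = ipaddress.ip_address(client), ipaddress.ip_address(server)
    for action, names in rules:
        matched = True
        for name in names:
            kind, nets = ACLS[name]
            addr = c if kind == "src" else s
            if not any(addr in n for n in nets):
                matched = False
                break
        if matched:
            return action
    return "deny"


# Rule set that only admits internal clients, like a plain proxy setup.
RULES_OPEN = [("allow", ["localnets"])]
# Same, but clients on BLUE may not reach GREEN through the proxy.  This is the
# intent of the "disable internal proxy access to Green from other subnets"
# option in the thread (assumption: the ACL IPFire really generates may differ).
RULES_ISOLATE_BLUE = [("deny", ["blue_net", "green_net"]), ("allow", ["localnets"])]


def proxied_request(client, server, rules):
    """Client sends the request to the proxy on the firewall (hop 1, INPUT); the
    proxy then connects to the server from the firewall's own GREEN address
    (hop 2, OUTPUT).  Neither hop is a FORWARD flow, so only the proxy ACL can
    keep the client away from the server."""
    proxy_addr = FIREWALL_ADDRS.get(zone_of(client), FIREWALL_ADDRS["GREEN"])
    hop1 = netfilter_verdict(client, proxy_addr)
    decision = proxy_decision(rules, client, server)
    hop2 = netfilter_verdict(FIREWALL_ADDRS["GREEN"], server) if decision == "allow" else None
    reached = decision == "allow" and hop1[1] and hop2[1]
    return {"client_to_proxy": hop1, "acl": decision,
            "proxy_to_server": hop2, "reached": reached}


if __name__ == "__main__":
    ipad, apache = "192.168.112.119", "192.168.111.8"
    print("direct    :", direct_request(ipad, apache))
    print("proxy     :", proxied_request(ipad, apache, RULES_OPEN))
    print("proxy+acl :", proxied_request(ipad, apache, RULES_ISOLATE_BLUE))
```

Running it shows the routed request from the iPad hitting the FORWARD chain and being blocked by the BLUE -> GREEN policy, while the same request through the proxy passes as an INPUT flow to the firewall followed by an OUTPUT flow from 192.168.111.1, reaching the Apache host unless the proxy's own ACL denies the BLUE-to-GREEN combination; with the deny line in place, GREEN clients and BLUE clients bound for the Internet are unaffected. That is why the isolation of BLUE has to be expressed in the proxy's access control as well as in the zone policy.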