Problems with firewall and gateway configuration

Hey community,
I’m still an NS rookie and I need your help :smirk:

one green one blue and one red NIC

red is WWW
blue are WiFi devices
green are my regulars
every NIC has its own VLAN configured with my switch
my rules look like this:

My idea was not to give everyone in blue and green access to red, so I created my host group inet-members.
My problem is with my “blue” members… sometimes it works, sometimes not… in 1 case out of 10 my browser wants to load a website but gets stuck after a few seconds… when I wait 30 seconds it loads the page correctly…
I think it’s a config problem on my side.
Does anyone have an idea for my problem or a smarter way to implement this?
I am grateful for any help.
Greetings, Chris

Hi @chrish
Don’t worry, everyone here was a NethServer rookie once!

Let me mention here @islipfd19 @jitkian @dnutan @Hunv @firsttiger @ssabbath

still a rookie btw.

Maybe it is not correlated, but what is the chipset on the blue NIC? I had a similar problem with ClearOS and RTL8168 and e1000e, maybe I can help.

Something else: Do you have DHCP in blue? If yes: how can you be sure that every client will keep the same IP and that your hosts in the host group will apply?

Hey guys, thanks a lot for replying,
@ssabbath regarding the chip, I must take a look tomorrow
@hunv I make an IP reservation manually and then put them in the host group.

So by the way… is it even possible to do it with firewall rules and the host group? I’m not sure :confused:

Internally, NS has rules like green > blue > orange > red
Your second and third rules are in contradiction with the default rules.

I think it’s better to remove all of the first three rules, make a user group that is not allowed to go to the net, and make a single rule to reject this group on red.

Edit: From experience, it can be a pain to restrict access by zone or machine.
To restrict web access, let the proxy do the job.

At the firewall level, just restrict by type of service (DNS, HTTP, …)

@ssabbath I have 3 different chips because the hardware was still available: e1000, r8169, sky2

I’m very confused at the moment… I think I need another hobby :smiley:
I have deleted ALL FW rules and the internal rule blue -> red should automatically allow my blue members inet access, but it doesn’t work permanently, only sporadically.
green -> red no problem.

My trusted networks look like:

My static routes:

So, please check whether the NIC for blue is the R8169.

First of all, see what the name of your blue connection is: eth0, eno1, ens2, etc.

ifconfig will identify your connections.


ethtool -i nameofyourconnection (eth0 eno1, etc etc)

In my case, the issue was that my NIC was an RTL8168 and it was using 8169 drivers.

Another issue was: RX TX were set to 256.
Run ethtool -g nameofyourconnection

and see the current hardware settings. I’ve changed mine to 4096 (max) and it increased performance.

My little question: why use 192.0. subnets?
That’s not private network addressing…

Do you have the proxy installed?
Check the option in the proxy settings for the blue zone.

And I recommend using private addressing too. Good observation from @pike

@ssabbath yes, R8169 is my blue NIC, name is enp3s9 <- NS 7 standard config?!

ethtool -i enp3s9:
driver: r8169
version: 2.3LK-NAPI
bus-info: 0000:03:09.0
supports-statistics: yes
supports-test: no
supports-eeprom-access: no
supports-register-dump: yes
supports-priv-flags: no

ethtool -g enp3s9 gives me this:
Cannot get device ring settings: Operation not supported

@pike so I need to use something like 192.168. ? Is it so important which IP range I have in a LAN?

Proxy is not enabled…

Thanks for your help guys, by the way :slight_smile:

Not so important, but you can avoid a lot of routing problems with correct RFC1918 private addresses. 172.16-31.0.0/16
Obviously you can use a narrower subnet mask to reduce hosts…
I used to assign address space (mask 24) for connections between firewall/LAN gateway and ISP device, but now the biggest ISP in Italy is using that space for internet connections…

Yup, I use 172.16/24 too :slight_smile:

Dude, weird stuff happening. No firmware version. And -h not working…

First thing I would do is change this NIC.

Before changing the NIC,
let’s try to switch between the green one and the blue one.

And observe what happens… :grimacing:

You should, if possible. Why?
As a popular example: Take a look at the Domain IP:
If you have a PC in that range or with that IP, you will not be able to reach that IP. If your router is configured not to forward this range to the red adapter, you will also not reach the whole range of IPs.
And there will be also Websites in the and what will have that problem. Whether you will ever use them is another question, but the chance of that scenario is present.

As @pike said:
Use one of these:
Personally I like the 10.*-Range(s) because they are shorter :slight_smile:
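
Added example (not part of the original thread, and not NethServer code): a Python check of the addressing advice above, which flags zone subnets that fall outside the three RFC 1918 blocks and zones that overlap each other. The zone names and subnets are constructed sample values, since the thread only gives "192.0." for the original ranges; IPv4 input is assumed.

```python
import ipaddress

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(cidr):
    """Return 'rfc1918', 'special' (reserved, but not LAN space) or 'public'."""
    net = ipaddress.ip_network(cidr, strict=False)  # accept host/prefix input
    if any(net.subnet_of(block) for block in RFC1918):
        return "rfc1918"
    # is_private is also True for reserved ranges such as 192.0.2.0/24
    # (documentation space), so it cannot stand in for an RFC 1918 check.
    if net.is_private:
        return "special"
    return "public"


def audit_zones(zones):
    """zones: {zone_name: cidr}. Return a list of (zone, cidr, finding)."""
    nets = {z: ipaddress.ip_network(c, strict=False) for z, c in zones.items()}
    findings = []
    for zone, net in nets.items():
        kind = classify(str(net))
        if kind != "rfc1918":
            findings.append((zone, str(net), f"not RFC 1918 ({kind})"))
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append((a, str(nets[a]), f"overlaps zone {b}"))
    return findings


# Constructed sample: hypothetical zone layout, not the poster's real subnets.
SAMPLE_ZONES = {
    "green": "192.0.1.0/24",   # publicly routable space
    "blue": "192.0.2.0/24",    # reserved documentation range
    "guest": "10.168.3.0/24",  # RFC 1918
}

if __name__ == "__main__":
    for zone, cidr, finding in audit_zones(SAMPLE_ZONES):
        print(f"{zone:6} {cidr:18} {finding}")
```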

Hello everyone,

I’ve changed the NIC, now enp2s0 is blue and enp3s9 is green… Problem is still there… now I don’t have inet from green or from blue.
My FW logs look like this

Looks great to me
Can the problem be my static routes?

I’ve run into a similar issue before on someone else’s setup. This can be caused because the system knows that those IP addresses ARE external IP addresses and sometimes it bypasses the inter routing and tries to send that packet directly to the external address. Like an internet provider’s router forwarding the packet to the next hop. The firewall rules are no doubt playing a part but I have seen this before with valid rules and wrong addressing. I use rules similar to what you’re trying and my system works fine.

I have 3 VLANs. Internal servers, internal clients (my family’s desktops/laptops), and my guest WiFi VLAN. My WiFi VLAN and my internal VLAN are both going through my Ubiquiti access point.

I use a class A private IP address (10.168../24) and I use the third octet to determine the different networks.

Internal VLAN has one DHCP, Guest has another, and servers has a third. Neither the green NIC nor the blue NIC has an IP address directly assigned. All have a sub-interface.

You can also try setting a static external to the internet. But that shouldn’t be required as long as the system knows which way is external. Though as I was saying above it might be confused and think it’s part of the “system”.


What @MyDarkFire says makes sense

That NIC tho, looks weird :stuck_out_tongue:

:speaking_head: shame, shame, shame
My VLAN configuration was not right… not sure why but now it works.
I was pretty sure that THIS little thing was right… who am I that was looking at NethServer for the fault :pray:
So by the way… I will change the IP ranges like you wish and I will change the NIC.
Thanks to all who spent time with me ^^