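#!/usr/bin/env bash
# Run-sheet: IPFire inside a Docker container on an OpenWrt host.
#
# This is a step-by-step operator log, not a script to run in one go:
# some commands run on the OpenWrt host, others inside the ipfire
# container (marked below), and several steps are manual (web UI, file
# edits). Sample command output from the original notes is kept as
# comments. Where a command in the notes was not valid as written, the
# corrected line carries a "Fix:" comment; review remarks are "NOTE(review)".
#
# Install OpenWrt as the host system:
#   http://demogitjava.ddns.net:8000/openwrt/openwrt_installwithgparted
#
# Compose setup: the container runs on red0 with PPPoE and tap drivers;
# afterwards a second container with the classic static-IP setup is
# started and acts as the DMZ.

## ---------------------------------------------------------------------
## 1. docker-compose.yml on the OpenWrt host
## ---------------------------------------------------------------------
# NOTE(review): "privileged: true" already grants every capability, so the
# cap_add list is redundant. With host networking, privileged mode and the
# seccomp filter disabled daemon-wide (see the dockerd flags below), root
# inside this container is effectively root on the OpenWrt host; the
# container is a packaging boundary here, not a security boundary.
cat > docker-compose.yml <<'EOF'
services:
  ipfire:
    stdin_open: true
    tty: true
    platform: linux/amd64
    container_name: ipfire
    restart: unless-stopped
    network_mode: host
    cap_add:
      - NET_ADMIN
      - SYS_ADMIN
    privileged: true
    tmpfs: /opt/docker
    image: jgsoftwares/ipfire:cloud
    command: /bin/bash
EOF
# (there is no build: section, so --build has nothing to build)
docker-compose up -d --build

## Equivalent docker run (instead of compose)
# Fix: the original one-liner named two conflicting network modes
#   ("--net=host --net=none"); the compose file and the rest of these notes
#   use host networking, so only --net=host is kept.
# Fix: "-p 0.0.0.0:444:444" is discarded by Docker in host network mode
#   (the web UI is reached on the host's own address, port 444) - dropped.
# Fix: "--security-opt seccomp=unconfined" was given twice.
# NOTE(review): --privileged makes the --cap-add flags redundant and, with
#   seccomp unconfined, leaves AppArmor docker-default as the only
#   remaining confinement. --kernel-memory is deprecated on recent Docker
#   releases (cgroup v2) and may be ignored with a warning - confirm.
docker run -it \
  --security-opt seccomp=unconfined \
  --security-opt apparmor=docker-default \
  --platform=linux/amd64 \
  --name ipfire \
  --restart unless-stopped \
  --kernel-memory=6M \
  --detach \
  --net=host \
  --cap-add=NET_ADMIN --cap-add SYS_ADMIN \
  --privileged \
  --tmpfs /opt/docker \
  jgsoftwares/ipfire:cloud /bin/bash

## ---------------------------------------------------------------------
## 2. First login and housekeeping
## ---------------------------------------------------------------------
# Start the DHCP server on the green interface (web UI: Network -> DHCP Server):
#   http://demogitjava.ddns.net:8000/ipfire/Screenshot%202025-11-25%20at%2012-01-16%20ipfire.localdomain%20-%20DHCP-Konfiguration.png
# Connect to the cloud DHCP, then start the web login (inside the container):
/etc/init.d/apache start
# Web access (HTTPS on port 444): https://192.168.10.56:444
# List the active iptables rules with numbers; delete one by number:
iptables -L --line-numbers
# iptables -D INPUT 3
# OpenWrt backup (edit the iptables config if you restore this backup):
#   http://demogitjava.ddns.net:8000/backup-demogitjava.ddns.net-2025-11-06.tar.gz
# Restart the container every hour (OpenWrt: System -> Scheduled Tasks):
#   0 * * * * docker container restart ipfire
# Login with the default password: jj78mvpr52k1
# NOTE(review): this password is published here next to a downloadable
#   backup of the device; change it on first login before port 444 or SSH
#   is reachable from anywhere.

## ---------------------------------------------------------------------
## 3. Docker daemon on the OpenWrt host
## ---------------------------------------------------------------------
# NOTE(review): "-H=0.0.0.0:2375 --tls=false" publishes the Docker API
#   unauthenticated on every host interface. Anyone who can reach TCP/2375
#   can start a privileged container and is root on the host. Bind to the
#   unix socket only (drop the tcp -H), or to 127.0.0.1, or enable TLS
#   client authentication. The INPUT rules below do not ACCEPT 2375, but
#   the default INPUT policy is not shown here, so do not rely on that.
# NOTE(review): --seccomp-profile=unconfined disables the default seccomp
#   filter for every container. --selinux-enabled=true is unlikely to be
#   enforcing on OpenWrt - confirm. The --dns flags probably have no effect
#   on host-network containers (they use the host's resolv.conf) - verify
#   with "cat /etc/resolv.conf" inside the container.
dockerd --debug \
  -H=unix:///var/run/docker.sock -H=0.0.0.0:2375 \
  --iptables=true --bridge=none --default-cgroupns-mode=host \
  --ip-masq=false --ipv6=false \
  --default-runtime io.containerd.runc.v2 \
  --data-root=/opt/docker \
  --dns=95.85.95.85 --dns=2.56.220.2 \
  --selinux-enabled=true --mtu=1500 --tls=false \
  --seccomp-profile=unconfined

## ---------------------------------------------------------------------
## 4. Inside the ipfire container: interfaces, routing, firewall
## ---------------------------------------------------------------------
# /etc/hosts: the notes say to delete the "127.0.0.1 localhost" line.
# NOTE(review): together with "ip addr del 127.0.0.1/8 dev lo" further
#   down this removes loopback entirely; anything that binds or connects
#   to localhost (unbound, the DNAT to 127.0.0.1:6010 below) stops
#   working. Confirm this is really intended.

# Start the red interface manually
/etc/rc.d/init.d/networking/red start

# Static routes (vi /var/ipfire/main/routing); the heredoc replaces the file.
cat > /var/ipfire/main/routing <<'EOF'
on,0.0.0.0/0,10.255.255.1,orange0
on,192.168.10.0/24,192.168.10.56,wireguard
EOF
# Alternative minimal routing table (route -n inside the container):
#   Destination   Gateway       Genmask        Flags Metric Ref Use Iface
#   0.0.0.0       10.255.255.1  0.0.0.0        UG    0      0   0   red0
#   192.168.10.0  0.0.0.0       255.255.255.0  U     10     0   0   wireguard
# WAN IP: 217.160.255.254

docker exec -it ipfire /bin/bash   # on the OpenWrt host; the next lines run inside
brctl addbr ipfirehub              # alternatively: brctl addbr green0
ifconfig ipfirehub up              # alternatively: ifconfig green0 up
# exit                             # back to the OpenWrt host

# Interface plan
#   red    217.160.255.254 / 255.255.255.0   gateway 10.255.255.1
#   orange 10.255.255.1    / 255.255.255.255
#   green  192.168.10.56   / 255.255.255.0
# NOTE(review): the dhcpcd info file below configures red as /32; confirm
#   which netmask is the intended one.

docker exec -it ipfire /bin/bash   # on the OpenWrt host; the next lines run inside
# (run the IPFire config / reboot first)
iptables -F
# NOTE(review): "raw" is normally a *table* (-t raw); this creates an
#   unused user chain named "raw" in the filter table. Left as in the notes.
iptables -N raw
/etc/rc.d/init.d/networking/red start
ip route del 10.255.255.1/32
/etc/init.d/localnet start
/etc/init.d/dhcrelay start
/etc/init.d/leds start
/etc/init.d/sysctl start
/etc/init.d/wlanclient stop

# Port forwards from orange (DMZ) into green.
iptables -t nat -I PREROUTING -p tcp -i orange0 --dport 22 -j DNAT --to 192.168.10.56:22
iptables -A FORWARD -i orange0 -o green0 -p tcp --dport 22 -j ACCEPT
# NOTE(review): DNAT to 127.0.0.1 needs net.ipv4.conf.orange0.route_localnet=1
#   and cannot work once 127.0.0.1/8 has been removed from lo (below). The
#   FORWARD rule after it never matches that traffic either: packets
#   rewritten to 127.0.0.1 are delivered locally, not forwarded to green0.
iptables -t nat -I PREROUTING -p tcp -i orange0 --dport 6010 -j DNAT --to 127.0.0.1:6010
iptables -A FORWARD -i orange0 -o green0 -p tcp --dport 6010 -j ACCEPT

# Services reachable from the WAN address (80, 8000, 1527) and from green (8443).
for port in 80 8000 1527; do
  iptables -A INPUT  -p tcp --dport "$port" -s 217.160.255.254 -j ACCEPT
  iptables -A OUTPUT -p tcp --dport "$port" -s 217.160.255.254 -j ACCEPT
done
iptables -A INPUT   -p tcp --dport 8443 -s 192.168.10.56 -j ACCEPT
iptables -A OUTPUT  -p tcp --dport 8443 -s 192.168.10.56 -j ACCEPT
iptables -A FORWARD -i orange0 -o green0 -p tcp --dport 8443 -j ACCEPT
# NOTE(review): TCP/51820 here, but WireGuard is UDP-only; the IPFire
#   INPUT rule labelled "Wireguard" later in these notes uses UDP/51820
#   and the TCP/51820 rules are labelled "ssh". Confirm which service
#   TCP/51820 is meant to carry.
iptables -A INPUT   -p tcp --dport 51820 -s 217.160.255.254 -j ACCEPT
iptables -A OUTPUT  -p tcp --dport 51820 -s 217.160.255.254 -j ACCEPT
iptables -A FORWARD -i orange0 -o green0 -p tcp --dport 51820 -j ACCEPT

# DNS to/from the upstream resolvers.
# Fix: the notes put the "--dport 53 -d <resolver>" rules in INPUT, where
#   -d has to be one of the firewall's own addresses (217.160.255.254,
#   10.255.255.1, 192.168.10.56), so they could never match. Queries the
#   firewall sends out are OUTPUT. The reply rules (INPUT --sport 53) are
#   unchanged.
iptables -A OUTPUT -p udp --dport 53 -d 95.85.95.85,2.56.220.2 -j ACCEPT
iptables -A INPUT  -p udp --sport 53 -s 95.85.95.85,2.56.220.2 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8,8.8.4.4 -j ACCEPT
iptables -A INPUT  -p udp --sport 53 -s 8.8.8.8,8.8.4.4 -j ACCEPT

# IPv6 is disabled via sysctl below; drop whatever is left anyway.
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP

# Remove the Docker-generated FORWARD / isolation rules (comments as in the notes).
# NOTE(review): deleting by rule number assumes exactly this rule order;
#   check "iptables -L FORWARD --line-numbers" first. With --bridge=none
#   there are no Docker networks for these chains to isolate.
iptables -D FORWARD 1                   # docker-user
iptables -D FORWARD 1                   # DOCKER-ISOLATION-STAGE-1
iptables -D DOCKER-ISOLATION-STAGE-1 1  # DOCKER-ISOLATION-STAGE-1
iptables -D DOCKER-ISOLATION-STAGE-1 1  # return
iptables -D DOCKER-ISOLATION-STAGE-2 1  # DOCKER-ISOLATION-STAGE-1
iptables -D DOCKER-ISOLATION-STAGE-2 1  # return
iptables -D DOCKER-USER 1               # return

# NOTE(review): no "-o red0" - this masquerades on every outgoing
#   interface, including forwards from orange into green, so green-side
#   services log the firewall's address instead of the real client.
#   "-o red0" would limit it to WAN egress; left as in the notes because
#   the routing in this setup is unusual - confirm.
iptables -t nat -A POSTROUTING -j MASQUERADE

# Redirect client DNS (except from orange) to the local resolver.
# Fix: the notes used "! -o orange0"; -o is not valid in PREROUTING (the
#   output interface is not known there) and iptables rejects the rule.
#   The interface the packet arrived on is what was meant: "! -i orange0".
iptables -vt nat -A CUSTOMPREROUTING ! -i orange0 -p udp --destination-port 53 -j REDIRECT --to-ports 53
iptables -vt nat -A CUSTOMPREROUTING ! -i orange0 -p tcp --destination-port 53 -j REDIRECT --to-ports 53

/etc/sysconfig/firewall.local start
/etc/init.d/wlanclient stop
/etc/init.d/cloud-init start
/etc/rc.d/init.d/static-routes reload

# NOTE(review): removes the loopback addresses (see the /etc/hosts note above).
ip addr del 127.0.0.1/8 dev lo
ip addr del ::1/128 dev lo

sysctl net.ipv4.ip_forward=1
sysctl net.ipv4.conf.all.src_valid_mark=1
sysctl net.ipv6.conf.all.disable_ipv6=1
# Fix: the notes had spaces around "=" ("key = 1"); sysctl then takes "="
#   and "1" as separate, invalid keys and only *reads* the first one, so
#   these two values were never set.
sysctl net.ipv6.conf.default.disable_ipv6=1
sysctl net.ipv6.conf.lo.disable_ipv6=1

ip link set red0 up
ip link set green0 up
ip link set orange0 up
ip route del 10.255.255.1/32
route del -net 192.168.10.0 gw 0.0.0.0 netmask 255.255.255.0 dev wireguard
route add -net 192.168.10.0 gw 192.168.10.56 netmask 255.255.255.0 dev wireguard

# VLAN sub-interfaces.
# NOTE(review): VLAN id 0 on red0 is the priority-tag VID, not a real
#   VLAN - confirm that is intended.
ip link add link red0 name redvlan type vlan id 0
ifconfig redvlan up
ip link add link green0 name greenvlan type vlan id 10
ifconfig greenvlan up
ip link add link orange0 name orangevlan type vlan id 20
ifconfig orangevlan up
brctl addif ipfirehub redvlan
# NOTE(review): routes the firewall's own WAN address via the orange
#   gateway; looks odd - confirm it is needed.
ip route add 217.160.255.254 via 10.255.255.1 dev orange0
# exit                             # back to the OpenWrt host

# Expected bridge state (brctl show inside the container):
#   bridge name  bridge id          STP enabled  interfaces
#   ipfirehub    8000.0201184f5380  no           redvlan
#                                                vxlanwireguard

## On OpenWrt: restart the firewall
service firewall restart

## DHCP client state for red0 (inside the container)
# The notes say "delete the red0.info file" but remove the lease file;
# the .info file is rewritten right after. A plain file only needs rm -f.
rm -f /var/ipfire/dhcpc/red0.lease
# DHCP client info for red0 (vi /var/ipfire/dhcpc/dhcpcd-red0.info); the
# heredoc replaces the file. domain_name_servers is the line to adjust.
cat > /var/ipfire/dhcpc/dhcpcd-red0.info <<'EOF'
broadcast_address=217.160.255.254
dhcp_lease_time=600
dhcp_message_type=5
dhcp_server_identifier=169.254.254.1
domain_name_servers='95.85.95.85 2.56.220.2'
host_name=demogitjava.ddns.net
ip_address=217.160.255.254
network_number=217.160.255.254
routers=10.255.255.1
subnet_cidr=32
subnet_mask=255.255.255.255
EOF
# Restart the network
/etc/init.d/network restart
# Add the WAN address to red0.
# Fix: "ip addr 217.160.255.254/32 dev red0" in the notes lacks the "add"
#   verb and is rejected by ip(8) ("Command ... is unknown").
ip addr add 217.160.255.254/32 dev red0
# Delete the static host route
ip route del 10.255.255.1/32

## OpenWrt as the cloud system - installed via gparted (continued below)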
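## ---------------------------------------------------------------------
## OpenWrt as the cloud system - installed via gparted
##   http://demogitjava.ddns.net:8000/openwrt/openwrt_installwithgparted
## ---------------------------------------------------------------------
# -> Disable the DNS server on the WireGuard interface if an IPFire DMZ
#    container provides the internet access.
# OpenWrt backup:
#   http://demogitjava.ddns.net:8000/backup-demogitjava.ddns.net-2025-10-11.tar.gz
# Default password: jj78mvpr52k1
# NOTE(review): this password is public (it is on this page next to a
#   downloadable backup); change it first thing, with:
#   passwd

## IPFire config for layer 2 -> DMZ setup
#   openwrt | container ipfire -> red interface only --- vpn wireguard ---> | red -> WAN IP
#
#   2: red0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
#      link/ether 02:01:18:4f:53:80 brd ff:ff:ff:ff:ff:ff
#      inet 217.160.255.254/32 scope global red0
#         valid_lft forever preferred_lft forever
#
#   INTERNET | OpenVPN started on port 1194 | add a routed peer over the
#   firewall | TCP OpenVPN 1194, ssh connect
# Console login on port 444: https://192.168.10.56:444/cgi-bin/index.cgi

## Firewall rules (vi /var/ipfire/firewall/config); the heredocs replace
## the files. IPFire format: one rule per line, first field = position.
# NOTE(review): rules 2, 3 and 4 are identical (ALL -> ORANGE TCP/51820
#   "ssh"); one is enough. TCP/51820 is labelled "SSH" here while the
#   "Wireguard" rules use UDP/51820 - confirm what the TCP rule is for.
cat > /var/ipfire/firewall/config <<'EOF'
5,REJECT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,RED,ON,UDP,,9092,ON,,,TGT_PORT,9092,dropbittorent,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second
6,ACCEPT,FORWARDFW,ON,src_addr,217.160.255.254/32,std_net_tgt,RED,,TCP,,80,ON,,,cust_srv,HTTP,HTTP,,,,,,,,,,00:00,00:00,ON,RED,,snat,,,,,second
1,ACCEPT,FORWARDFW,ON,src_addr,217.160.255.254/32,std_net_tgt,RED,ON,TCP,,1527,ON,,,TGT_PORT,1527,DerbyDB,,,,,,,,,,00:00,00:00,ON,RED,,snat,,,,,second
4,ACCEPT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,ORANGE,,TCP,,51820,ON,,,cust_srv,SSH,ssh,,,,,,,,,,00:00,00:00,ON,ORANGE,,snat,,,,,second
3,ACCEPT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,ORANGE,,TCP,,51820,ON,,,cust_srv,SSH,ssh,,,,,,,,,,00:00,00:00,ON,ORANGE,,snat,,,,,second
2,ACCEPT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,ORANGE,,TCP,,51820,ON,,,cust_srv,SSH,ssh,,,,,,,,,,00:00,00:00,ON,ORANGE,,snat,,,,,second
EOF

## Firewall rules (vi /var/ipfire/firewall/input)
# NOTE(review): rule 8 accepts TCP/51820 to the firewall's ORANGE address
#   from ALL sources; the WireGuard rule (7) is restricted to the WAN
#   address. Confirm rule 8 really needs to be open to everyone.
cat > /var/ipfire/firewall/input <<'EOF'
8,ACCEPT,INPUTFW,ON,std_net_src,ALL,ipfire,ORANGE,,TCP,,51820,ON,,,cust_srv,SSH,ssh,,,,,,,,,,00:00,00:00,ON,ORANGE,,snat,,,,,second,
4,ACCEPT,INPUTFW,ON,src_addr,217.160.255.254/32,ipfire,RED1,ON,TCP,,1527,ON,,,TGT_PORT,1527,DerbyDB,,,,,,,,,,00:00,00:00,ON,RED,,snat,,,,,second
5,ACCEPT,INPUTFW,ON,src_addr,217.160.255.254/32,ipfire,RED1,ON,TCP,,8443,ON,,,TGT_PORT,8443,Lanserver,,,,,,,,,,00:00,00:00,ON,RED,,snat,,,,,second
6,ACCEPT,INPUTFW,ON,src_addr,217.160.255.254/32,ipfire,RED1,ON,TCP,,8000,ON,,,TGT_PORT,8000,HttpFileserver,,,,,,,,,,00:00,00:00,ON,RED,,snat,,,,,second
3,ACCEPT,INPUTFW,ON,src_addr,217.160.255.254/32,ipfire,RED1,,TCP,,80,ON,,,cust_srv,HTTP,HTTP,,,,,,,,,,00:00,00:00,ON,RED,,snat,,,,,second
7,ACCEPT,INPUTFW,ON,src_addr,217.160.255.254/32,ipfire,GREEN,ON,UDP,,51820,ON,,,TGT_PORT,51820,Wireguard,,,,,,,,,,00:00,00:00,ON,RED,,snat,,,,,second
1,ACCEPT,INPUTFW,ON,src_addr,192.168.10.56/32,ipfire,ORANGE,ON,TCP,,22,ON,,,TGT_PORT,22,ssh,,,,,,,,,,00:00,00:00,ON,ORANGE,,snat,,,,,second
2,ACCEPT,INPUTFW,ON,src_addr,217.160.255.254/32,ipfire,RED1,,TCP,,80,ON,,,cust_srv,HTTP,HTTP,,,,,,,,,,00:00,00:00,ON,Default IP,80,dnat,,,,,second
EOF

## Firewall rules (vi /var/ipfire/firewall/outgoing)
cat > /var/ipfire/firewall/outgoing <<'EOF'
1,REJECT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,RED,ON,UDP,,9092,ON,,,TGT_PORT,9092,dropbittorent,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second
4,ACCEPT,FORWARDFW,ON,src_addr,217.160.255.254/32,std_net_tgt,RED,ON,TCP,,8443,ON,,,TGT_PORT,8443,Lanserver,,,,,,,,,,00:00,00:00,ON,RED,,snat,,,,,second
2,ACCEPT,FORWARDFW,ON,src_addr,217.160.255.254/32,std_net_tgt,RED,,TCP,,80,ON,,,cust_srv,HTTP,HTTP,,,,,,,,,,00:00,00:00,ON,RED,,snat,,,,,second
3,ACCEPT,FORWARDFW,ON,src_addr,217.160.255.254/32,std_net_tgt,RED,ON,TCP,,1527,ON,,,TGT_PORT,1527,DerbyDB,,,,,,,,,,00:00,00:00,ON,RED,,snat,,,,,second
7,ACCEPT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,OpenVPN-Dyn,,TCP,,51820,ON,,,cust_srv,SSH,ssh,,,,,,,,,,00:00,00:00,ON,ORANGE,,snat,,,,,second
5,ACCEPT,FORWARDFW,ON,src_addr,217.160.255.254/32,std_net_tgt,RED,ON,TCP,,8000,ON,,,TGT_PORT,8000,HttpFileserver,,,,,,,,,,00:00,00:00,ON,RED,,snat,,,,,second
6,ACCEPT,FORWARDFW,ON,std_net_src,ALL,std_net_tgt,OpenVPN-Dyn,ON,UDP,,51820,ON,,,TGT_PORT,51820,Wireguard,,,,,,,,,,00:00,00:00,,AUTO,,dnat,,,,,second,ON
EOF

# INTERNET | orange used interface:
#   5: orange0: mtu 1370 qdisc noqueue state UNKNOWN group default qlen 1000
#      link/ether e2:3e:c8:2d:3e:1c brd ff:ff:ff:ff:ff:ff
#
# Alternative with 2 containers (DMZ):
#   - without DNS server
#   - removed DNS (gcore) from wireguard
#   - removed DNS (gcore) on the ipfire containers
#   - brctl addbr orange0
#
# route -n inside the container:
#   Destination   Gateway        Genmask        Flags Metric Ref Use Iface
#   0.0.0.0       10.255.255.1   0.0.0.0        UG    0      0   0   red0
#   192.168.10.0  192.168.10.56  255.255.255.0  UG    0      0   0   wireguard
#   192.168.10.0  0.0.0.0        255.255.255.0  U     0      0   0   green0
#   192.168.10.0  0.0.0.0        255.255.255.0  U     0      0   0   orange0
# NOTE(review): 192.168.10.0/24 is reachable on green0, orange0 and the
#   wireguard interface at once, and green/orange appear to share one L2
#   segment (see ethernet/vlans below). The DMZ separation then rests on
#   the iptables rules alone.

## Alternative: mark the dynamic-DNS zone as DNSSEC-insecure in unbound
# NOTE(review): domain-insecure switches DNSSEC validation OFF for this
#   name; unbound will accept unsigned or forged answers for it. Only do
#   this if the zone really cannot validate, and keep it to this one name.
cat > /etc/unbound/local.d/insecure.conf <<'EOF'
server:
    domain-insecure: demogitjava.ddns.net
EOF
/etc/init.d/unbound restart

# Services behind the firewall:
#   container landingpage -> landingpage : 80
#   container derbydb     -> derbydb     : 1527
#   container lanserver   -> lanserver   : 8443
#   openwrt <----------------------------------------> client 1
# ssh with graphical support (cipher chacha20-poly1305@openssh.com) over
# the VPN, with web support.

## Second container: classic setup, runs as the DMZ
# Fix: same as for the first container - the conflicting "--net=none" and
#   the "-p 0.0.0.0:444:444" that Docker discards in host network mode are
#   dropped.
# NOTE(review): both containers use host networking, so both IPFire web
#   UIs would want port 444 on the same host - confirm the dmz image
#   listens elsewhere or that only one container runs at a time.
docker run -it \
  --security-opt seccomp=unconfined \
  --security-opt apparmor=docker-default \
  --platform=linux/amd64 \
  --name ipfiredmz \
  --restart unless-stopped \
  --kernel-memory=6M \
  --detach \
  --net=host \
  --cap-add=NET_ADMIN --cap-add SYS_ADMIN \
  --privileged \
  --tmpfs /opt/docker \
  jgsoftwares/ipfire:dmz /bin/bash

## VLAN config (vi /var/ipfire/ethernet/vlans); the heredoc replaces the file
# NOTE(review): GREEN and ORANGE share the parent device, the VLAN id (0)
#   and the MAC address, i.e. they are not separated at layer 2. The MAC
#   given for ORANGE here (e2:3e:c8:2d:3e:1c) also differs from
#   ORANGE_MACADDR in ethernet/settings below (0e:98:7f:b7:2d:ec) - check
#   which one the interface really has.
cat > /var/ipfire/ethernet/vlans <<'EOF'
GREEN_PARENT_DEV=vxlanwireguard
GREEN_VLAN_ID=0
GREEN_MAC_ADDRESS=e2:3e:c8:2d:3e:1c
RED_PARENT_DEV=eth0
RED_VLAN_ID=0
RED_MAC_ADDRESS=02:01:18:4f:53:80
ORANGE_PARENT_DEV=vxlanwireguard
ORANGE_VLAN_ID=0
ORANGE_MAC_ADDRESS=e2:3e:c8:2d:3e:1c
EOF

## NTP (vi /etc/ntp/ntpInclude.conf), then (re)start ntp
cat > /etc/ntp/ntpInclude.conf <<'EOF'
server 2.rhel.pool.ntp.org prefer
EOF
/etc/init.d/ntp start

## Interface settings (vi /var/ipfire/ethernet/settings)
# Check the MAC addresses of vxlanwireguard and of the ethernet interface
# eth0 first; type the command in the container for a soft reboot.
# NOTE(review): ORANGE_DESCRIPTION is set twice (the later value wins).
#   ORANGE_NETMASK=0.0.0.0 declares the whole IPv4 space as "on orange0" -
#   confirm that is intended. RED is /32 here, while the interface plan
#   earlier in these notes says 255.255.255.0.
cat > /var/ipfire/ethernet/settings <<'EOF'
CONFIG_TYPE=2
GREEN_DEV=green0
GREEN_MACADDR=e2:3e:c8:2d:3e:1c
GREEN_DESCRIPTION='"tap: device on green0"'
GREEN_MODE=NATIVE
GREEN_ADDRESS=192.168.10.56
GREEN_NETMASK=255.255.255.0
GREEN_NETADDRESS=192.168.10.0
GREEN_DRIVER=tap
RED_DEV=red0
RED_MACADDR=02:01:18:4f:53:80
RED_DESCRIPTION='"tap: device on red0"'
RED_DRIVER=tap
RED_MODE=NATIVE
RED_DHCP_HOSTNAME=demogitjava.ddns.net
RED_DHCP_FORCE_MTU=1500
RED_DHCP_RAPID_COMMIT=off
RED_ADDRESS=217.160.255.254
RED_NETMASK=255.255.255.255
DEFAULT_GATEWAY=10.255.255.1
RED_NETADDRESS=217.160.255.254
ORANGE_DEV=orange0
ORANGE_MACADDR=0e:98:7f:b7:2d:ec
ORANGE_DESCRIPTION='"???: Unknown Network Interface (vxlanwan)"'
ORANGE_MODE=bridge
ORANGE_DESCRIPTION='"tap: device on orange0"'
ORANGE_DRIVER=tap
ORANGE_ADDRESS=10.255.255.1
ORANGE_NETMASK=0.0.0.0
ORANGE_NETADDRESS=0.0.0.0
RED_TYPE=STATIC
BLUE_DRIVER=
BLUE_DEV=
BLUE_MACADDR=
BLUE_DESCRIPTION=
EOF

## How the image was built: qcow2 -> tar.gz -> docker import (on Debian)
# Fix: virt-tar-out is a program shipped in libguestfs-tools, not a package
#   of its own, so "apt-get install virt-tar-out" fails; only the real
#   package is installed. The useless "cat file |" became a redirect.
# NOTE(review): the tarball is the image's whole root filesystem,
#   including its credential files - the default password published above
#   ships inside it, so rotate it in the image or on first boot. The image
#   is later pulled by tag (:cloud, :dmz); pin by digest
#   (docker pull IMAGE@sha256:...) so a re-tagged upload cannot silently
#   replace the firewall image.
apt-get install libguestfs-tools
sudo virt-tar-out -a ipfire.qcow2 / - | gzip --best > ipfire.tar.gz
sudo docker import - jgsoftwares/ipfire:latest < ipfire.tar.gz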