Replacing a Router with IPCop

For reasons that will become clear if you read further, I have three pieces of advice:

  1. Do not expect a home cable/DSL router like the LinkSys WRT54G to work at capacity. It’s fine for a little Web surfing and some infrequent large downloads, but it’s going to fail intermittently at high duty cycles.
  2. If you’re thinking about installing an IPCop firewall, be sure to check the Hardware Compatibility List before you go out and buy network cards.
  3. Reset the cable modem.

A home cable/DSL router will work fine for general Web surfing, streaming media, downloading a file or two now and then, and for playing online games, but if you continuously run the thing at high bandwidth for long periods, it’s going to fail intermittently. It’s trivial to saturate a cable modem with my Web crawler. We were running 700 to 800 Kbps for hours on end, and the LinkSys router would just stop responding after a while. The internal network would remain up, but the external interface would go dead. That was okay when I was having trouble keeping my crawler running for more than a few hours at a time, but once I got it running reliably it was very annoying to have the router go down.

Somebody recommended that I install an IPCop firewall. So I pulled an old box (1 GHz AMD processor with 1 GB of RAM) out of the closet, downloaded the IPCop software, and tripped down to Fry’s for a few gigabit Ethernet cards since we decided to upgrade the internal network in the process. I’m a reasonably bright guy. How hard can it be? Right?

I forgot that I was dealing with Linux. And not a modern Linux distribution, but rather a very limited custom version whose install is not quite fully baked. The first thing I learned is that IPCop doesn’t support every network card in the world like Windows and the more general Linux distributions do. My own fault, really. I should have checked the hardware compatibility list.

I like Linux. Really. And IPCop is an incredibly well-done piece of software. Once you get it installed. It’s kind of disappointing that the installation instructions are so detailed, but also somewhat cryptic in places. In particular, the instructions don’t tell you that when the install probes for network cards, it’s probing for a network card–not all of the network cards. And the probe identifies the chip manufacturer rather than the board manufacturer. It’s a bit disconcerting when you have a LinkSys card and an Intel card in the machine, and the probe says that it found a DEC Tulip something or other.

I struggled with it for a while (par for anything new I do with Linux) and finally got it working in the test environment–with the IPCop RED interface hooked to the router, and the GREEN interface connected to a switch with another computer–simulating the final installation. It all worked great, so I plugged the cable modem into the IPCop box.

IPCop couldn’t see the RED interface. So I re-read the documentation, checked all the settings two or three times, and then sat back to scratch my head. Between putting out other fires and scouring the Internet looking for the answer, it was late afternoon before I stumbled onto the answer: reset the cable modem.

Apparently, the cable modem registers the MAC address of the first device it sees, and only that MAC address can directly access the modem without resetting–turning off the power and waiting a few minutes. I’m not sure why that’s the case, but it appears to be. I powered down the modem, waited a few minutes, and then brought everything back up. Success!

It’s now a little after midnight. The IPCop machine has been up for almost 8 hours and the crawler has been banging on it continuously. The firewall hasn’t burped, and we’re getting better throughput now than we did with the flaky router. So far, I’m highly impressed. I’ll have more to say about IPCop after I’ve worked with it for a few days.

6 comments to Replacing a Router with IPCop

  • Roy Harvey

    I hope you aren’t getting your connection through Comcast. See http://www.gripe2ed.com/scoop/story/2007/4/16/01320/7728 for why.

  • Jim

    No, not using Comcast. RoadRunner here, provided through Time Warner Cable. I’ve used lots of bandwidth before, and haven’t had a problem.

  • If a wrt54g could handle full bandwidth for days on end reliably, they would have gone even cheaper and slower. Those routers work great for their intended use of affordable consumer service, but they aren’t up to heavy loads over long periods. That’s just engineering in action.

    Personally, I like OpenBSD as a router platform. On that task, it’s hard to beat. But since it’s a general purpose OS you’d have to hike up a steeper learning curve to get your firewall in place.

    There are a lot of people in the local LUG who use IPCop. It should serve you well. If you start getting too tricky you may have some issues, but using it the way it’s meant to be used should be cake once you find your way around. This was almost certainly the best choice to get a capable firewall up without already knowing how to build one.

  • Mick Russell

    I agree with Darrin – use IPCop for what it was intended and you can’t go wrong.

    I also use IPCop’s certificate-based VPN capability to great effect – 4 sites linked 24/7 no problems.

    The biggest problem I have encountered is people looking longingly at their old DSL/router and trying to incorporate it in their IPCop setup.

  • Jim

    I’m not too sure what all “use it as intended” means, but I suspect I won’t be pushing the limits. A little DHCP, take advantage of the DNS cache, and probably some intrusion detection. Nothing fancy.

    Oh, and I did find a way to incorporate the LinkSys router into the setup: it’s my wireless access point. One day if I get really ambitious I’ll set up a BLUE interface. For now, the router is hanging off the switch.

  • “Use as intended” means clicking things in the web interface, pretty much.

    There are people doing “under the hood” stuff with IPCop to do more complex setups than would be possible by clicking around the provided interface.

    The advantages of IPCop in that situation are debatable. At that point you’re dealing with the complexity of an outdated and customized Linux distro rather than a simple interface. Better to move to a “normal” distro then, or better yet OpenBSD.

    And, yes, I think it’ll do what you need. You’ve picked something (IPCop) that’s designed for the task at hand. :)