Replacing a router with IPCop

For reasons that will become clear if you read further, I have three pieces of advice:

  1. Do not expect a home cable/DSL router like the Linksys WRT54G to work at capacity. It’s fine for a little Web surfing and some infrequent large downloads, but it’s going to fail intermittently at high duty cycles.
  2. If you’re thinking about installing an IPCop firewall, be sure to check the Hardware Compatibility List before you go out and buy network cards.
  3. Reset the cable modem.

A home cable/DSL router will work fine for general Web surfing, streaming media, downloading a file or two now and then, and for playing online games, but if you continuously run the thing at high bandwidth for long periods, it’s going to fail intermittently. It’s trivial to saturate a cable modem with my Web crawler. We were running 700 to 800 Kbps for hours on end, and the Linksys router would just stop responding after a while. The internal network would remain up, but the external interface would go dead. That was okay when I was having trouble keeping my crawler running for more than a few hours at a time, but once I got it running reliably it was very annoying to have the router go down.

Somebody recommended that I install an IPCop firewall. So I pulled an old box (1 GHz AMD processor with 1 GB of RAM) out of the closet, downloaded the IPCop software, and tripped down to Fry’s for a few gigabit Ethernet cards since we decided to upgrade the internal network in the process. I’m a reasonably bright guy. How hard can it be? Right?

I forgot that I was dealing with Linux. And not a modern Linux distribution, but rather a very limited custom version whose install is not quite fully baked. The first thing I learned is that IPCop doesn’t support every network card in the world like Windows and the more general Linux distributions do. My own fault, really. I should have checked the hardware compatibility list.

I like Linux. Really. And IPCop is an incredibly well done piece of software. Once you get it installed. It’s kind of disappointing that the installation instructions are so detailed, but also somewhat cryptic in places. In particular, the instructions don’t tell you that when the install probes for network cards, it’s probing for a network card, not all of the network cards. And the probe identifies the chip manufacturer rather than the board manufacturer. It’s a bit disconcerting when you have a Linksys card and an Intel card in the machine, and the probe says that it found a DEC Tulip something or other.

I struggled with it for a while (par for anything new I do with Linux) and finally got it working in the test environment, with the IPCop RED interface hooked to the router and the GREEN interface connected to a switch with another computer, simulating the final installation. It all worked great, so I plugged the cable modem into the IPCop box.

IPCop couldn’t see the RED interface. So I re-read the documentation, checked all the settings two or three times, and then sat back to scratch my head. Between putting out other fires and scouring the Internet looking for the answer, it was late afternoon before I stumbled onto the answer: reset the cable modem.

Apparently, the cable modem registers the MAC address of the first device it sees, and only that MAC address can directly access the modem without resetting (turning off the power and waiting a few minutes). I’m not sure why that’s the case, but it appears to be. I powered down the modem, waited a few minutes, and then brought everything back up. Success!

It’s now a little after midnight. The IPCop machine has been up for almost 8 hours and the crawler has been banging on it continuously. The firewall hasn’t burped, and we’re getting better throughput now than we did with the flaky router. So far, I’m highly impressed. I’ll have more to say about IPCop after I’ve worked with it for a few days.