Update 6/06/2006: This remains here to help anyone looking for info about ipcop, but I have moved on to using a Linksys WRT54G v3 router running the DD-WRT firmware as my local network control device. It has good DHCP, VPN, SIP and QoS capabilities and is highly configurable. Highly recommended! Be sure to get a WRT54G v1-4, WRT54GL or WRT54GS for your router. The current WRT54G (v5) is a completely different chipset and is not customizable.
I spent the better part of this afternoon fussing with IPCOP 1.4 (alpha5) to get it set up the way I want it. IPCOP is an excellent firewall/router package based on Linux. The newer 1.4 offers many improvements over the 1.3 version, and hopefully will go beta soon. There are a number of small bugs in this alpha, none that appear to be major, just a small pain for me getting things set up because of my particular wants and needs.
I installed IPCOP on a temporary host — an Athlon 1.2GHz machine that is really overpowered for the job and needed for other uses. Eventually I want to get one of the EPIA CL series of low-power mini-ITX boards and build it into the router/gateway/firewall. The installation and basic configuration of IPCOP was smooth, and the new web interface is much more useful than the current 1.3 version interface. I was disappointed by the limited QoS configuration options that the web interface allows – only port-based rules. I need QoS mainly for the Vonage system, and it is easy enough to give high priority to it based on IP or MAC address, then give varying levels of priority to other traffic based on port and traffic type.
I started with a fairly standard setup for IPCOP — an external ethernet (RED) connected to the Comcast cable modem, an internal (GREEN) ethernet to my computer network, and an ORANGE DMZ (Demilitarized Zone) ethernet connection that I planned to use for both the Vonage ATA (Analog Telephone Adapter) and a development/testing web server. Unfortunately IPCOP is not configured to allow DHCP serving on the ORANGE network, and the Vonage ATA is not set up to allow forcing it to use a fixed IP. The stock Cisco 186 (without the custom Vonage firmware) will allow you to set it to a fixed IP, but the Vonage-installed firmware locks out that option. I understand not allowing DHCP on the DMZ, but for my purposes it presents a problem. So I switched the ORANGE network to be what IPCOP calls a BLUE network, designed to be used for wireless connectivity and such. It supports DHCP across the BLUE interface, and from what I understand it should have provided me with almost exactly what I was looking for. Unfortunately the Vonage ATA, and for that matter my sister-in-law’s new laptop, could not complete the DHCP process to get an IP assigned. I added the MAC address of the Vonage ATA as a fixed assignment, with no luck either. Every time, the ATA (and the laptop) ended up with a partially completed DHCP assignment, and the IP range was from the GREEN interface, not the BLUE.
At this point I gave up using the IPCOP web interface to get the job done (as I said, there are still a few bugs to work out) and SSH’d into the IPCOP box. After about 20 minutes of vim’ing through all the files to see how they were — generally speaking — making IPCOP tick, I hacked the DHCP web interface CGI and added my own subnet assignments, along with changing the firewall rules to create, in essence, two separate, isolated GREEN networks. I can add some pinholes to allow the essential communication between the networks that I want. So the BLUE net is now not quite a DMZ, but it is a network isolated from the main internal net (on GREEN).
The IPCOP machine is truly the weak link in this scheme, but then it is a fairly small and well-vetted code base, with the main firewall rules on the RED interface still pretty tight. The good news is that both networks work independently as they should, and the Vonage ATA grabbed the proper IP right off the bat. I still have to add some QoS rules to the system, and as I said before I was slightly disappointed that the QoS web interface only allows port-based rules, but that should be easy enough to implement in rc.d files through SSH. Overall IPCOP is an excellent firewall/gateway system that will run on just about any legacy machine out there. For most purposes it will set up in about 5–10 minutes and does not need much by way of tech experience. I knew going in that this was an alpha code base — I knew there would probably be issues. The issues were, all in all, minor and should be fixed well before the release version comes out; the exception is probably the QoS issue, but that is really a design and implementation choice, not a bug.
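To make the two pieces above concrete (the isolation of BLUE from GREEN with a pinhole, and QoS that prioritizes the ATA by MAC address rather than by port), here is an added example of the kind of rc.d-style script one could drop onto the box over SSH. It is not the post’s or IPCop’s own code: the interface names, the ATA MAC, the upstream rate and the single pinhole (GREEN reaching the ATA’s web page) are all assumed placeholders, and IPCop’s own rule chains are not reproduced, so adapt it before use.

```shell
#!/bin/sh
# Added example (not from the post or from IPCop): isolate BLUE from GREEN
# with iptables, keep one pinhole, and mark the ATA's packets by MAC so a
# tc HTB class can give them priority. Interface names, the ATA MAC and
# the rates are assumed placeholders; edit them for a real box.
RED_IF=eth0; GREEN_IF=eth1; BLUE_IF=eth2   # assumed interface names
ATA_MAC=00:00:00:00:00:00                  # placeholder ATA MAC address
UPLINK_RATE=384kbit                        # assumed cable upstream rate

# In dry-run mode the commands are printed instead of executed, so the
# rule set can be reviewed (or tested) on a machine without iptables/tc.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# BLUE and GREEN may both reach RED but not each other, except for replies
# to established flows and one explicit pinhole (GREEN hosts may open
# 80/tcp to the ATA's web page). Order matters: the pinhole must come
# before the two DROP rules or it never matches.
isolate_blue_from_green() {
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$GREEN_IF" -o "$BLUE_IF" -p tcp --dport 80 \
      -m state --state NEW -j ACCEPT
  run iptables -A FORWARD -i "$BLUE_IF" -o "$GREEN_IF" -j DROP
  run iptables -A FORWARD -i "$GREEN_IF" -o "$BLUE_IF" -j DROP
  run iptables -A FORWARD -i "$BLUE_IF" -o "$RED_IF" -j ACCEPT
  run iptables -A FORWARD -i "$GREEN_IF" -o "$RED_IF" -j ACCEPT
}

# Mark the ATA's packets by source MAC. The mac match only works before
# routing, so it lives in mangle/PREROUTING on BLUE; mark 1 = voice class.
mark_ata_traffic() {
  run iptables -t mangle -A PREROUTING -i "$BLUE_IF" \
      -m mac --mac-source "$ATA_MAC" -j MARK --set-mark 1
}

# Two HTB classes on the upstream interface: voice (1:10) gets a guaranteed
# share at higher priority; everything else defaults to 1:20. The fw filter
# steers packets carrying mark 1 into the voice class.
shape_upstream() {
  run tc qdisc add dev "$RED_IF" root handle 1: htb default 20
  run tc class add dev "$RED_IF" parent 1: classid 1:1 htb rate "$UPLINK_RATE"
  run tc class add dev "$RED_IF" parent 1:1 classid 1:10 htb rate 96kbit ceil "$UPLINK_RATE" prio 0
  run tc class add dev "$RED_IF" parent 1:1 classid 1:20 htb rate 288kbit ceil "$UPLINK_RATE" prio 1
  run tc filter add dev "$RED_IF" parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
}

apply_all() { isolate_blue_from_green; mark_ata_traffic; shape_upstream; }

# Only apply when invoked as "./qos.sh apply"; otherwise just define functions.
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Run it with `DRY_RUN=1 sh qos.sh apply` first to print the rules for review; the guaranteed 96kbit for the voice class is sized for a single G.711 call plus overhead and should be adjusted to the real link.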
All through this I was working from both my Toshiba (5205-S703) laptop and my sister-in-law’s new Toshiba Satellite A15-S129 laptop. I really do like Toshiba’s laptops. This one was on sale for about $800 after rebates, and Niki desperately wanted to replace the aging Micron GoBook that I helped her get when I worked for MicronPC — what, 5 years ago. So she ordered it online and had it delivered to me so I could go over it and add a few apps and such that she wants. The Satellite is larger than what she is used to, but this $800 laptop offers quite a bit of power and features — 40GB hard drive, DVD/CDRW, 10/100 NIC, 256MB DDR (max 1GB), 15" XGA display, decent built-in speakers, and a 2.4GHz Celeron. Obviously for me this isn’t the best notebook for processing photos and doing 3D work, but for her it will be a lightspeed jump from the old 300MHz GoBook! It would also make an excellent system for my wife and my son to use, as they mainly want it for Quicken, web and email, but they don’t want a full-blown desktop or even a hidden desktop with a flat panel. Temporarily, if it will handle the load of modern Flash- and Director-based games, the GoBook will be their laptop; I doubt it would sell on eBay or similar places, as it is a 4-5 year old notebook.
Update:
The whole purpose of updating IPCOP to 1.4, adding QoS rules and putting the Vonage ATA on its own network interface was to maximize the quality of the Vonage phone “line”. We had been getting too many drop-outs on the line if a computer was accessing the net at all. Being served by cable modem, we have plenty of bandwidth (checked often and at various times) to handle both the Vonage and light to moderate net use simultaneously. So far the new configuration and the QoS rules have made a dramatic improvement in the line quality (sorry, reverting back to telco speak for what is essentially a pure TCP/IP device). I’ll have to bug my folks or someone with a standard landline phone to do more comprehensive tests. I figure I can ramp slowly up to two or three downloads of the latest Fedora from a fast mirror and a large upload to my server to really see how well the Vonage holds up with the QoS rules I put in place.