How to set up IPCop in a virtual machine

This howto is based on the article „Server im Bauch“ in the German magazine c’t 02/05, pages 96 to 99. The website of the original author Sven Ahnert is

You will need VMware Workstation. I used version 4.5.1 on Windows XP Pro with 2 real NICs (one for DSL, one for my LAN). This howto explains how to set up IPCop in a virtual machine and how you can even run servers in separate virtual machines on your (virtual) orange network.

1) Create a new virtual machine: File -> New Virtual Machine.

In the wizard choose the following configuration: custom, Linux (Other Linux 2.6.x kernel), 32 MB RAM, Bridged Networking, SCSI Adapters Buslogic, Create a new virtual disk, Virtual Disk Type IDE, Disk Size 1 GB or greater if you need.

2) Update the hardware configuration: VM -> Settings

– remove USB controller and Audio
– add 2 more Ethernet Adapters
– the first NIC must be „Host-only“ (green)
– the second „Custom“ with a virtual switch „VMnet2“ (orange)
– the third „Bridged“ (red)

3) Double-click on the virtual CD-ROM drive and choose „Use ISO image“, then browse to an IPCop ISO on your local hard drive.

4) Start the virtual machine, go through the IPCop startup configuration.

– green: and as subnet
– orange:,
– red: PPPoE

5) Good time to make a snapshot.

6) In VMware: Edit -> Virtual Network Settings -> Host Virtual Network Mapping

– VMNet1: click „…“ and change „Subnet“ to the IP-address and
– VMNet0: bind the NIC for your DSL connection

7) In a web browser open

-> Configure your internet connection under Network -> Dialup

8) Go to the Windows network configuration on your Host PC, choose options for the VMware Network Adapter VMnet1 and set gateway and DNS to (IP address and subnet should already be set to,

9) Bind your DSL NIC only to the VMware Bridge Protocol, uncheck everything else.

10) Use this configuration for the LAN NIC on your Host PC:,, gateway, DNS

11) Configure your LAN PCs: 192.168.1.x,, gateway, DNS

12) Log in as root on your IPCop machine and use the following command:

route add -net netmask gw

If you add it to rc.local, you don’t have to enter it every time you restart your virtual machine.

13) Virtual server on orange:,, gateway, DNS from your ISP, use custom networking in VMware for the virtual NIC and bind it to the virtual switch VMnet2.
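An added example (not part of the original howto) for step 12: a shell fragment that adds the LAN route only when it is missing and refuses a gateway that is not on the green subnet, so it can be called from rc.local on every boot. The 192.0.2.x addresses and the /24 masks are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original howto. All addresses are placeholders:
LAN_NET="192.168.1.0"       # LAN behind the host PC (step 11 uses 192.168.1.x)
LAN_MASK="255.255.255.0"    # assumed /24
GREEN_NET="192.0.2.0"       # placeholder for the green (VMnet1) subnet
GREEN_MASK="255.255.255.0"  # assumed /24
HOST_GW="192.0.2.1"         # placeholder for the host's VMnet1 address

# Constructed `route -n` output from a fresh IPCop guest (green on eth0).
SAMPLE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Dotted quad -> integer; runs in a subshell so the IFS change does not leak.
ip2int() (
    set -f; IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# Succeeds if address $1 lies in network $2 with mask $3.
in_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & $m )) -eq $(( $(ip2int "$2") & $m )) ]
}

# Reads `route -n` text on stdin; succeeds if net $1 mask $2 via $3 is listed.
route_present() {
    awk -v n="$1" -v m="$2" -v g="$3" \
        '$1 == n && $2 == g && $3 == m { found = 1 } END { exit !found }'
}

# Reads `route -n` text on stdin and prints the command still needed, if any.
plan_route() {
    if ! in_subnet "$HOST_GW" "$GREEN_NET" "$GREEN_MASK"; then
        echo "gateway $HOST_GW is not on the green subnet" >&2
        return 2
    fi
    route_present "$LAN_NET" "$LAN_MASK" "$HOST_GW" && return 0
    echo "route add -net $LAN_NET netmask $LAN_MASK gw $HOST_GW"
}

# From rc.local: sh /path/to/this-script apply
if [ "${1:-}" = "apply" ]; then
    cmd=$(route -n | plan_route) && [ -n "$cmd" ] && $cmd
fi
```

Without the `apply` argument the script only defines the functions, so `plan_route` can be fed saved `route -n` output to preview what would be added.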


A very good illustration about the networking setup is provided in at page 3.

  1. Has anyone tried this? I am interested in doing this and would love to gain some knowledge from anyone that has done this before?

  2. Hello! I tried to set up my laptop with VMware Workstation 5.0 with the newest IPCop version. But is it possible to run IPCop with only one (real) NIC??

  3. I just have to say, I have been two days trying to get ipcop working in a VM and this is the ONLY solution that I have fully understood (not to mention it works!) Thank you very much!

  4. I’ve installed IPCop and FLI4L in a virtual machine on my VMWare Server beta (without these installation instructions). My first firewall was FLI4L but my choice now is IPCop because it is better to configure via the web interface. But both firewalls are running excellent and stable in a VM. Everybody who doesn’t want to run a second old PC for IPCop or FLI4L (because it is too loud or something else): choose VMWare Server (it’s free) and run the firewall in a virtual machine.

    Greetings Peter

  5. Hi, I managed to set up IPCop but I’m having problems from the DHCP, it for some reason cannot get out IPCop to the rest of the network. I cannot ping from IPCop to the host machine. Any ideas?

  6. Ok, I see I’ll have to be a little bit more specific. First, start vmnetcfg.exe and switch to ‚Host Virtual Network Mapping‘. Change VMNet1 to the IP address and the subnet to

    Now open your Windows network settings. Set the IP address of your LAN connection to, subnet to, gateway to and DNS to Now right click on VMnet1 and make sure that the IP address is, subnet, gateway and DNS This should work.

  7. I have been trying to setup IPCOP as my firewall under VMware for Linux, but I’m having trouble as VMware for Linux is different than VMware for Windows. The main differences are setting the host virtual network mapping and binding the DSL nic to the VMware bridge protocol. Any chance you could provide an IPCOP walkthrough for the Linux version of VMware? Thanks in advance.

  8. Thanks in advance to everyone who takes the time to compare this to their own config and offers advice.

    I followed your directions and can’t seem to get it to work. I’m a networking neophyte so I’m sure I did something wrong. First my problem: I cannot translate DNS to IP addresses nor PING Internet IP addresses using a root login to IPCop nor from Windows. The IPCop instance can ping,, It cannot ping

    At one point during the process, my VMnet1 adapter reported IP gw, I changed this so that it now uses only gw Also, VMnet8 was using 192.168.136.x so I updated that to 192.168.3.x to match the IPCop Orange subnet.

    Here are my settings using ipconfig/all from a dos prompt in the host O/S:

    Windows IP Configuration
      Host Name . . . . . . . . . . . . : xxxx
      Primary Dns Suffix . . . . . . . :
      Node Type . . . . . . . . . . . . : Unknown
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
    Ethernet adapter VMware Network Adapter VMnet8:
      Connection-specific DNS Suffix . :
      Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
      Physical Address. . . . . . . . . : 00-50-56-C0-00-08
      Dhcp Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . :
      Subnet Mask . . . . . . . . . . . :
      Default Gateway . . . . . . . . . :
    Ethernet adapter VMware Network Adapter VMnet1:
      Connection-specific DNS Suffix . :
      Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
      Physical Address. . . . . . . . . : 00-50-56-C0-00-01
      Dhcp Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . :
      Subnet Mask . . . . . . . . . . . :
      Default Gateway . . . . . . . . . :
      DNS Servers . . . . . . . . . . . :
    Ethernet adapter Local Area Connection:
      Connection-specific DNS Suffix . :
      Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
      Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
      Dhcp Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . :
      Subnet Mask . . . . . . . . . . . :
      Default Gateway . . . . . . . . . :
      DNS Servers . . . . . . . . . . . :

    Here is the result of ifconfig executed from the IPCop instance:

    eth0 Link encap:Ethernet HWaddr: 00:0C:29:25:18:EC
      inet addr: Bcast: Mask:
      RX packets:1046 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1783 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
      RX bytes:83968 (82.0 KB) TX bytes:375377 (366.5 KB)
      Interrupt:9 Base address:0x1080
    eth1 Link encap:Ethernet HWaddr: 00:0C:29:25:18:F6
      inet addr: Bcast: Mask:
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
      RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
      Interrupt:10 Base address:0x1400
    eth2 Link encap:Ethernet HWaddr: 00:0C:29:25:18:00
      inet addr: Bcast: Mask:
      RX packets:70273 errors:0 dropped:0 overruns:0 frame:0
      TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
      RX bytes:4419915 (4.2 MB) TX bytes:1942 (1.8 KB)
      Interrupt:5 Base address:0x1480
    lo … skipped …

    If I do turn on the TCP/IP protocol for the NIC attached to my cable modem, then Windows is able to see the Internet and I get the following output from ipconfig. One thing I noticed that seems important is that DHCP IP address from my modem is 12.x.x.x instead of obtained by IPCop.

    Ethernet adapter Local Area Connection 2:
      Connection-specific DNS Suffix . :
      Description . . . . . . . . . . . : Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
      Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
      Dhcp Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IP Address. . . . . . . . . . . . : 12.x.x.x
      Subnet Mask . . . . . . . . . . . :
      Default Gateway . . . . . . . . . : 12.x.x.x
      DHCP Server . . . . . . . . . . . : 12.x.x.x
      DNS Servers . . . . . . . . . . . : 63.x.x.x
      Lease Obtained. . . . . . . . . . : Saturday, April 15, 2006 12:45:56 PM
      Lease Expires . . . . . . . . . . : Wednesday, April 19, 2006 12:45:56 PM

  9. I’m sorry about that last post. I went to a lot of trouble to format it for everyone using <pre> and &nbsp; so that it would show up exactly as on your systems; however, the post button stripped all that away.

  10. Maybe it’s just not working with a cable modem. Normally (with DSL) your eth2 should be bound to PPPoE and not to an IP address. I don’t know what’s the right configuration for a cable connection, sorry.

  11. Hi all,
    I want to set up IP COP for a network of more than 1000 users. I need to try in a test bed. I know I have done it a long time back, but now need to refresh my memory. Can I achieve this in a virtual environment where I can pass all my LAN clients through IP COP and restrict them as per my requirement (I know in a physical box we can do this, and it can be done), but I wanted to know whether in the virtual environment we can achieve the same results as in a physical environment. I may be sounding stupid, but then this is where you guys come in..

    thanks help is appreciated.


  12. If you want to have a first look on IPCop, a virtual environment is a good way to start. Inside the VM it feels the same. The main difference is that you have to set up your virtual pc and networking first.

  13. Is there a reason that the LAN NIC on IPCop must be bound to a „host-only“ connection? I tried bridging it to the server’s LAN NIC, but it couldn’t get an IP from my ISP – which is strange as I didn’t touch the red NIC on IPCop’s binding.

    Any ideas? – I don’t really want to have to use separate networks as it gets complicated and I cannot use the blockouttraffic MOD for IPCop to restrict outgoing traffic on my network.

    Thanks a lot,


  14. I have a laptop. My Internet connection gets into a Wireless Access Point and I can connect to it. I don’t have to dialup anything to be connected. Internet runs perfectly! I want to create a Firewall using a VMware.

    How can I make the Firewall (VMware) to connect to the Internet before my PC does and block everything he must block?

  15. I managed to setup the above configuration in Linux. The only problem that I see is this: it seems that IPCop allows DMZ systems ( to access LAN … How do I setup firewall rules within IPCop to disable that?

  16. Hello,

    I have a Linksys router because I use a wireless connection. I use this guide to get a second DMZ.

    – VMNet0: bind the NIC for your DSL connection

    I have to say I can’t bind it to my ISP modem because I use a router. I have one DMZ host with my router (to be connected from the internet). Instead of this I have to bind it to my router. I use this internal IP as being my DMZ host:

    Linux eth0

    Gateway: (router)

    I only have to add 2 DNS servers of my ISP in order to get my DMZ working of my router working (to be connected from the internet).

    When I use your guide I probably have to link VMNet0: to my router. I can just add to act like the Internet connection with subnet I can give also my 2 DNS server of my ISP.

    Now I need at least 2 Orange DMZ zones (to be connected from the internet).

    The question is. Does this work at all? Thank you very much for giving me an answer.


  17. How to do this with only RED + Green?

    I have:
    => 1 LAN chip on my motherboard: Broadcom 570
    => 1 PCI network adapter: Intel Pro 1000 MT
    => 1 PCI network adapter: Netgear GA 311
    + 1 Gigabit switch.

    I run VMware Workstation 5 on XP.
    Both are installed on a SATA hard drive: Raptor 10,000 rpm, 36 GB. VMware has its own partition.
    I use XP for my FTP server (ioFTPd): data are on a RAID5 and the software manager works only under XP…

    I want:
    – The Netgear GA 311 card for RED in DHCP
    – The Intel Pro 1000 MT card for Green with IP, connected to my switch
    – The motherboard chip Broadcom 570 with IP connected to my switch (not in Orange, not in DMZ)

    VMware with IPCop and FTP with XP is a great solution which only needs 1 computer switched on 24/7.

    Thanks for the author’s tutorial

  18. Hi.
    Is the purpose of step 9 to only give IPCop access to the DSL Nic, i.e. can the host no longer access the DSL Nic when you’ve done that step?

    How does the host then get access, is it by virtue of being part of one of the virtual networks (i.e. VMnet1 or VMnet2)?

    Thanks for the excellent tutorial.

  19. Help me please,
    I cannot access the internet in the host machine (XP SP2)
    after accessing the internet in the guest. How to resolve?
    I am using a bridged connection, with NAT and DHCP disabled.

  20. Thanks for this great howto! I plan to put my webserver into the DMZ and maybe will use the same method for customers’ networks.
    It „almost“ works already. Here’s my question to you:
    I got IPCop installed and working without any problems, and can use the VM host to surf the internet, but the LAN clients can’t. Now here is the strange thing: from IPCop I can ping the ..1.1 (the VM host’s LAN interface), and I can ping from a LAN client the ..2.1 (the vm-net interface to the DMZ), but then I can’t go further. It confuses me, because the route between the ..2.0 and ..1.0 seems to work. But I still cannot ping the IPCop from a LAN client nor the other way. All firewalls are off. For any clue or hint I would be very thankful. And sorry for my poor grammar… English isn’t my native 😉


  21. Trojanix: you’ll need to enable RRAS/IP forwarding in your server. I’ve spent 5 hours in your very same situation until I found it.

  22. I look forward to trying this. I currently run a separate IPCop box, and server. I’m going to consolidate both using beefier hardware as I think the premium for running small appliances is too great. I’d rather build a server type PC which has enough power to run all. Will post back with installation experience.

  23. …. Is it possible to run multiple concurrent Guest IPCops in VMWare? I have 3 Different ISPs and running 3 IPCop boxes. I want to save on electricity.
    Somebody may advise me to use commercial DSL router such as WRT54G or variants… It can’t run HTTP Proxy such as squid. …

  24. …. Thanks Andreas… I managed to run multiple guest IPCops in VMWare. I turned off the NAT feature of the Virtual Network Adapter.. I even deleted the Virtual NICs and bound Physical NICs on VMNICs 1 to 5 (BTW, I have 5 NICs in the box). Then I chose 1 Card (VMNIC) to serve as GREEN through the rest of the IPCOPs running… Other 3 VMNICs are bound with separate RED IP Address/Connection. Then the 5th VMNIC served as DMZ…

