How to set up IPCop in a virtual machine

by Andreas ~ February 8th, 2005. Filed under: Linux, Virtualization.

This howto is based on the article “Server im Bauch” in the German magazine c’t 02/05, pages 96 to 99. The website of the original author, Sven Ahnert, is www.vmaschinen.de.

You will need VMware Workstation. I used version 4.5.1 on Windows XP Pro with two real NICs (one for DSL, one for my LAN). This howto explains how to set up IPCop in a virtual machine and how to run servers in further virtual machines on its (virtual) orange network, so that firewall, DMZ servers and host all live on one physical PC. IPCop names its zones by colour: green is the trusted network (here the host and the LAN behind it), orange is the DMZ, and red is the Internet-facing side.

1) Create a new virtual machine: File -> New Virtual Machine.

In the wizard choose the following configuration: Custom, Linux (Other Linux 2.6.x kernel), 32 MB RAM, Bridged Networking, SCSI adapter BusLogic, Create a new virtual disk, virtual disk type IDE, disk size 1 GB (or more if you need it).

2) Update the hardware configuration: VM -> Settings

- remove the USB controller and the audio device
- add two more Ethernet adapters, so the VM has three
- the first NIC must be “Host-only” (green: the host and, via the host, your LAN)
- the second “Custom”, attached to the virtual switch “VMnet2” (orange: the DMZ)
- the third “Bridged” (red: the DSL side)

3) Double-click the virtual CD-ROM drive, choose “Use ISO image” and browse to an IPCop ISO on your local hard drive.

4) Start the virtual machine and go through IPCop’s initial setup:

- green: 192.168.2.2, netmask 255.255.255.0
- orange: 192.168.3.1, netmask 255.255.255.0
- red: PPPoE

5) A good time to take a snapshot.

6) In VMware: Edit -> Virtual Network Settings -> Host Virtual Network Mapping

- VMnet1: click “…” and change the subnet to 192.168.2.0 with netmask 255.255.255.0, so that the host-only switch matches IPCop’s green network
- VMnet0: bind it to the NIC of your DSL connection

7) In a web browser open https://192.168.2.2:445 (IPCop serves its web interface over HTTPS on port 445).

-> Configure your Internet connection under Network -> Dialup

8) Go to the Windows network configuration on your host PC, open the properties of “VMware Network Adapter VMnet1” and set gateway and DNS to 192.168.2.2 (IP address and netmask should already be 192.168.2.1 and 255.255.255.0).

9) Bind your DSL NIC only to the VMware Bridge Protocol and uncheck everything else, TCP/IP in particular. This is the step that keeps the host off the red network: the physical NIC then only carries frames for the bridged VM, the host has no IP address on the Internet side, and all of its traffic has to go through IPCop on VMnet1. If you leave TCP/IP bound, the host sits on the Internet next to the firewall instead of behind it.

10) Use this configuration for the LAN NIC on your host PC: 192.168.1.1, 255.255.255.0, gateway 192.168.2.1, DNS 192.168.2.2.

11) Configure your LAN PCs: 192.168.1.x, 255.255.255.0, gateway 192.168.1.1, DNS 192.168.2.2.

For this to work the host must forward packets between its LAN NIC and VMnet1. Windows XP does not route between interfaces by default (ipconfig /all shows “IP Routing Enabled: No”); either enable Routing and Remote Access or set the DWORD value IPEnableRouter to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and reboot. Without it the LAN PCs can reach 192.168.2.1 but never IPCop.

12) Log in as root on your IPCop machine and add a route back to the LAN behind the host:

route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.1

Without this route IPCop only knows 192.168.2.0/24 on green and would send replies to the LAN PCs out through its default route on red. If you add the command to rc.local you don’t have to enter it every time you restart the virtual machine.

13) Virtual server on orange: 192.168.3.2, 255.255.255.0, gateway 192.168.3.1, DNS servers of your ISP. In VMware use custom networking for its virtual NIC and bind it to the virtual switch VMnet2. IPCop lets orange talk to red but not to green; a service on green is only reachable from the DMZ through a DMZ pinhole, and the server only becomes reachable from the Internet once you add a port-forwarding rule on IPCop (Firewall menu in the web interface). Keep both lists as short as possible: the whole point of the orange zone is that a compromised server there cannot reach the host or the LAN.
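Step 12 as a small script for rc.local. This is an added example, not part of the original howto or of IPCop; it assumes the addresses used in steps 4, 8, 10 and 11 and that net-tools `route` and awk are available on the IPCop VM. Before adding anything it checks that the chosen gateway really lies on IPCop’s green subnet (the mistake you make when a VMnet subnet was changed in step 6 but the route was not), and it only adds the route if `route -n` does not list it yet, so the script can be re-run safely. The file name /etc/rc.d/lan-route.sh is an assumption.

```shell
#!/bin/sh
# Added example (not from the original howto): an idempotent version of the
# step-12 route for IPCop's rc.local. Addresses are the ones used in this howto.
GREEN_IP=192.168.2.2      # IPCop's green interface (step 4)
GREEN_MASK=255.255.255.0
GREEN_GW=192.168.2.1      # the host's VMnet1 address, which forwards on to the LAN (step 8)
LAN_NET=192.168.1.0       # the real LAN behind the host (steps 10 and 11)
LAN_MASK=255.255.255.0

# ip_to_int A.B.C.D: print the dotted address as a 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# same_subnet IP1 IP2 MASK: succeed if both addresses fall into the same subnet.
same_subnet() {
  m=$(ip_to_int "$3")
  [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# route_present NET MASK GW TABLE: succeed if TABLE (the output of `route -n`,
# columns Destination Gateway Genmask ...) already contains exactly this route.
route_present() {
  printf '%s\n' "$4" | awk -v net="$1" -v mask="$2" -v gw="$3" \
    '$1 == net && $2 == gw && $3 == mask { found = 1 } END { exit !found }'
}

# add_lan_route: refuse a gateway that is not on green, then add the route once.
add_lan_route() {
  if ! same_subnet "$GREEN_GW" "$GREEN_IP" "$GREEN_MASK"; then
    echo "gateway $GREEN_GW is not on green ($GREEN_IP/$GREEN_MASK); check step 6" >&2
    return 1
  fi
  table=$(route -n 2>/dev/null)
  if route_present "$LAN_NET" "$LAN_MASK" "$GREEN_GW" "$table"; then
    echo "route to $LAN_NET/$LAN_MASK via $GREEN_GW already present"
    return 0
  fi
  route add -net "$LAN_NET" netmask "$LAN_MASK" gw "$GREEN_GW"
}

# Only touch the routing table when called with --apply, e.g. from rc.local
# (hypothetical path):  /etc/rc.d/lan-route.sh --apply
if [ "${1:-}" = "--apply" ]; then
  add_lan_route
fi
```

Running it a second time prints “already present” instead of failing with “SIOCADDRT: File exists”, which is what the plain `route add` in rc.local does after the route has been added by hand.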

Addendum:

A very good illustration of the networking setup is on page 3 of www.vmaschinen.de/download/dmz_netzwerkzeichnung.pdf.

31 Responses to Howto setup IPCop in a virtual machine

  1. egas

    Has anyone tried this? I am interested in doing this and would love to gain some knowledge from anyone who has done this before.

  2. Klaus

    Hello! I tried to set up my laptop with VMware Workstation 5.0 and the newest IPCop version. But is it possible to run IPCop with only one (real) NIC?

  3. Glen

    I just have to say, I have been two days trying to get ipcop working in a VM and this is the ONLY solution that I have fully understood (not to mention it works!) Thank you very much!

  4. Peter

    I’ve installed IPCop and FLI4L in a virtual machine on my VMware Server beta (without these installation instructions). My first firewall was FLI4L, but my choice now is IPCop because it is easier to configure via the web interface. But both firewalls run excellently and stably in a VM. Everybody who doesn’t want to run a second old PC for IPCop or FLI4L (because it is too loud or something else) should choose VMware Server (it’s free) and run the firewall in a virtual machine.

    Greetings Peter

  5. Andreas

    I made a preinstalled IPCop VM. You can download it here (32 MB):

    http://www.com-magazin.de/addendum/firewall.exe

    root and admin password: leser

    Full documentation in com! magazine 04/06, pages 80 to 84.

  6. jawed

    Hi, I managed to set up IPCop but I’m having problems with the DHCP; for some reason it cannot get out of IPCop to the rest of the network. I cannot ping from IPCop to the host machine. Any ideas?

  7. Andreas

    Ok, I see I’ll have to be a little more specific. First, start vmnetcfg.exe and switch to ‘Host Virtual Network Mapping’. Change VMnet1 to the IP address 192.168.2.0 and the subnet to 255.255.255.0.

    Now open your Windows network settings. Set the IP address of your LAN connection to 192.168.1.1, subnet to 255.255.255.0, gateway to 192.168.2.1 and DNS to 192.168.2.2. Now right-click on VMnet1 and make sure that the IP address is 192.168.2.1, subnet 255.255.255.0, gateway 192.168.2.2 and DNS 192.168.2.2. This should work.

  8. Matthew

    I have been trying to set up IPCop as my firewall under VMware for Linux, but I’m having trouble, as VMware for Linux is different from VMware for Windows. The main differences are setting the host virtual network mapping and binding the DSL NIC to the VMware bridge protocol. Any chance you could provide an IPCop walkthrough for the Linux version of VMware? Thanks in advance.

  9. Andreas

    Sorry, but I never even installed VMware for Linux.

  10. Kevin

    Thanks in advance to everyone who takes the time to compare this to their own config and offers advice.

    I followed your directions and can’t seem to get it to work. I’m a networking neophyte, so I’m sure I did something wrong. First, my problem: I cannot resolve DNS names to IP addresses nor ping Internet IP addresses, neither from a root login on IPCop nor from Windows. The IPCop instance can ping 192.168.2.1, 192.168.2.2 and 192.168.3.1. It cannot ping 192.168.1.1.

    At one point during the process, my VMnet1 adapter reported IP 192.168.2.1 and the gateways 192.168.2.1 and 192.168.2.2. I changed this so that it now uses only the gateway 192.168.2.2. Also, VMnet8 was using 192.168.136.x, so I updated that to 192.168.3.x to match the IPCop orange subnet.

    Here are my settings from ipconfig /all at a DOS prompt in the host OS:

    Windows IP Configuration
     
      Host Name . . . . . . . . . . . . : xxxx
      Primary Dns Suffix . . . . . . . :
      Node Type . . . . . . . . . . . . : Unknown
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
     
    Ethernet adapter VMware Network Adapter VMnet8:
     
      Connection-specific DNS Suffix . :
      Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
      Physical Address. . . . . . . . . : 00-50-56-C0-00-08
      Dhcp Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . : 192.168.3.1
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . :
     
    Ethernet adapter VMware Network Adapter VMnet1:
     
      Connection-specific DNS Suffix . :
      Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
      Physical Address. . . . . . . . . : 00-50-56-C0-00-01
      Dhcp Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . : 192.168.2.1
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.2.2
      DNS Servers . . . . . . . . . . . : 192.168.2.2
     
    Ethernet adapter Local Area Connection:
     
      Connection-specific DNS Suffix . :
      Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
      Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
      Dhcp Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . : 192.168.1.1
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.2.1
      DNS Servers . . . . . . . . . . . : 192.168.2.2

    Here is the result of ifconfig executed from the IPCop instance:

    eth0 Link encap:Ethernet HWaddr: 00:0C:29:25:18:EC
      inet addr:192.168.2.2 Bcast:192.168.2.255 Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:1046 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1783 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
      RX bytes:83968 (82.0 KB) TX bytes:375377 (366.5 KB)
      Interrupt:9 Base address:0x1080
     
    eth1 Link encap:Ethernet HWaddr: 00:0C:29:25:18:F6
      inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
      RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
      Interrupt:10 Base address:0x1400
     
    eth2 Link encap:Ethernet HWaddr: 00:0C:29:25:18:00
      inet addr:10.14.225.178 Bcast:255.255.255.255 Mask:255.255.254.0
      UP BROADCAST NOTRAILERS RUNNING MTU:1500 Metric:1
      RX packets:70273 errors:0 dropped:0 overruns:0 frame:0
      TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
      RX bytes:4419915 (4.2 MB) TX bytes:1942 (1.8 KB)
      Interrupt:5 Base address:0x1480
     
    lo … skipped …

    If I do turn on the TCP/IP protocol for the NIC attached to my cable modem, then Windows is able to see the Internet and I get the following output from ipconfig. One thing I noticed that seems important is that the DHCP IP address from my modem is 12.x.x.x instead of the 10.14.225.178 obtained by IPCop.

    Ethernet adapter Local Area Connection 2:
     
      Connection-specific DNS Suffix . : cable-company.com
      Description . . . . . . . . . . . : Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
      Physical Address. . . . . . . . . : XX-XX-XX-XX-XX-XX
      Dhcp Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IP Address. . . . . . . . . . . . : 12.x.x.x
      Subnet Mask . . . . . . . . . . . : 255.255.252.0
      Default Gateway . . . . . . . . . : 12.x.x.x
      DHCP Server . . . . . . . . . . . : 12.x.x.x
      DNS Servers . . . . . . . . . . . : 63.x.x.x
      204.x.x.x
      Lease Obtained. . . . . . . . . . : Saturday, April 15, 2006 12:45:56 PM
      Lease Expires . . . . . . . . . . : Wednesday, April 19, 2006 12:45:56 PM

  11. Kevin

    I’m sorry about that last post. I went to a lot of trouble to format it for everyone using <pre> and &nbsp; so that it would show up exactly as on your systems; however, the post button stripped all that away.

  12. Andreas

    Maybe it’s just not working with a cable modem. Normally (with DSL) your eth2 should be bound to PPPoE and not to an IP address. I don’t know the right configuration for a cable connection, sorry.

  13. NSW9

    Hi all,
    I want to set up IPCop for a network of more than 1000 users. I need to try it in a test bed; I know I have done it a long time back, but now I need to refresh my memory. Can I achieve this in a virtual environment where I can pass all my LAN clients through IPCop and restrict them as per my requirements? (I know this can be done on a physical box.) But I wanted to know whether in the virtual environment we can achieve the same results as in a physical environment. I may be sounding stupid, but then this is where you guys come in..

    Thanks, help is appreciated.

    sandy

  14. Andreas

    If you want to have a first look at IPCop, a virtual environment is a good way to start. Inside the VM it feels the same. The main difference is that you have to set up your virtual PC and networking first.

  15. Rob Golding

    Is there a reason that the LAN NIC on IPCop must be bound to a “host-only” connection? I tried bridging it to the server’s LAN NIC, but it couldn’t get an IP from my ISP, which is strange, as I didn’t touch the binding of IPCop’s red NIC.

    Any ideas? I don’t really want to have to use separate networks, as it gets complicated and I cannot use the BlockOutTraffic mod for IPCop to restrict outgoing traffic on my network.

    Thanks a lot,

    Rob

  16. frengifo

    I have a laptop. My Internet connection comes through a wireless access point and I can connect to it. I don’t have to dial up anything to be connected. The Internet runs perfectly! I want to create a firewall using VMware.

    How can I make the firewall (VMware) connect to the Internet before my PC does and block everything it must block?

  17. Jure

    I managed to set up the above configuration in Linux. The only problem that I see is this: it seems that IPCop allows DMZ systems (192.168.1.0/24) to access the LAN … How do I set up firewall rules within IPCop to disable that?

  18. Mark

    Hello,

    I have a Linksys router because I use a wireless connection. I use this guide to get a second DMZ.

    - VMNet0: bind the NIC for your DSL connection

    I have to say I can’t bind it to my ISP modem because I use a router. I have one DMZ host with my router (to be reachable from the Internet). Instead of this I have to bind it to my router. I use this internal IP as my DMZ host: 192.168.1.103.

    Linux eth0

    IP: 192.168.1.103
    Subnet: 255.255.255.0
    Gateway: 192.168.1.1 (router)

    I only have to add 2 DNS servers of my ISP in order to get my DMZ on the router working (to be reachable from the Internet).

    When I use your guide I probably have to link VMNet0 to my router. I can just add 192.168.1.103 to act as the Internet connection with subnet 255.255.255.0. I can also give the 2 DNS servers of my ISP.

    Now I need at least 2 orange DMZ zones (to be reachable from the Internet).

    The question is: does this work at all? Thank you very much for giving me an answer.

    Mark

  19. fets

    How to do it with only RED + GREEN?

    I have:
    => 1 LAN chip on my motherboard: Broadcom 570
    => 1 PCI network adapter: Intel Pro 1000 MT
    => 1 PCI network adapter: Netgear GA 311
    + 1 Gigabit switch.

    I run VMware Workstation 5 on XP.
    Both are installed on a SATA hard drive: Raptor 10,000 rpm, 36 GB. VMware has its own partition.
    I use XP for my FTP server (ioFTPD): the data are on a RAID 5 and the software manager works only under XP…

    I want:
    - the Netgear GA 311 card for RED, using DHCP
    - the Intel Pro 1000 MT card for GREEN with IP 192.168.2.1, connected to my switch
    - the motherboard chip Broadcom 570 with IP 192.168.2.2, connected to my switch (not in orange, not in DMZ)

    VMware with IPCop and FTP on XP is a great solution which only needs one computer switched on 24/7.

    Thanks to the author for the tutorial.

  20. Ronald

    Hi.
    Is the purpose of step 9 to give only IPCop access to the DSL NIC, i.e. can the host no longer access the DSL NIC when you’ve done that step?

    How does the host then get access? Is it by virtue of being part of one of the virtual networks (i.e. VMnet1 or VMnet2)?

    Thanks for the excellent tutorial.

  21. anoop

    Help me please,
    I cannot access the Internet on the host machine (XP SP2)
    after accessing the Internet in the guest. How do I resolve this?
    I am using a bridged connection, with NAT and DHCP disabled.

  22. SteZZz

    Here it doesn’t work, my red network doesn’t get DHCP from my ISP.

  23. Trojanix

    Thanks for this great howto! I plan to put my web server into the DMZ and maybe will use the same method for customers’ networks.
    It “almost” works already. Here’s my question to you:
    I got IPCop installed and working without any problems, and can use the VM host to surf the Internet. But the LAN clients can’t. Now here is the strange thing: from IPCop I can ping ..1.1 (the VM host’s LAN interface), and from a LAN client I can ping ..2.1 (the VMnet interface to the DMZ), but then I can’t go further. It confuses me, because the route between ..2.0 and ..1.0 seems to work. But I still cannot ping IPCop from a LAN client, nor the other way round. All firewalls are off. For any clue or hint I would be very thankful. And sorry for my poor grammar… English isn’t my native language ;)

    greez

  24. BlogPandora » Virtualización

    [...] To start I have to add 2 more network cards to a machine I already have set aside for this, and with the help of this link I am going to start installing IPCop and see how it goes. I’ll let you know how it went.   [...]

  25. Fernando

    Trojanix: you’ll need to enable RRAS/IP forwarding on your server. I spent 5 hours in your very same situation until I found it.

  26. EvylRat

    I look forward to trying this. I currently run a separate IPCop box and a server. I’m going to consolidate both using beefier hardware, as I think the premium for running small appliances is too great. I’d rather build a server-type PC which has enough power to run it all. Will post back with installation experience.

  27. .pferde

    Wow complete setup manual with FAQ.
    Thanks for help.
    p.

  28. xyano

    …. Is it possible to run multiple concurrent guest IPCops in VMware? I have 3 different ISPs and am running 3 IPCop boxes. I want to save on electricity.
    Somebody may advise me to use a commercial DSL router such as the WRT54G or variants… It can’t run an HTTP proxy such as Squid. …

  29. Andreas

    Interesting question. It may be possible if you have enough PCI slots in your machine for at least four Ethernet adapters.

  30. xyano

    …. Thanks Andreas… I managed to run multiple guest IPCops in VMware. I turned off the NAT feature of the virtual network adapter. I even deleted the virtual NICs and bound physical NICs to VMNICs 1 to 5 (BTW, I have 5 NICs in the box). Then I chose 1 card (VMNIC) to serve as GREEN for all the IPCops running… The other 3 VMNICs are bound to separate RED IP addresses/connections. Then the 5th VMNIC serves as the DMZ…

  32. ivy

    Can I possibly use IPCop on laptops? How?
