Contents

List of Figures

Preface

If you are linking to the html version of this FAQ, please use the following format:

Where Section# is 1.2, 1.5.1, etc.

If you wish to contribute or request additional FAQs/tutorials, please see chapter 6.


This FAQ is in the process of being translated into a Wiki. Once the translation has been completed, this FAQ will be updated to point to the appropriate Wiki page. Please note, as this work is done after my full time job, it may take time for the entire translation to happen. You patience during this time is greatly appreciated.

THIS DOCUMENTATION IS PROVIDED ’AS IS’ AND IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION OR THE ASSOCIATED SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Embedding this document on another site is prohibited. If you are reading this document and do not see a url starting with http://ipcops.com/faq, then report this to ds531 on ipcops.com.

Revision History

Official Documentation

Chapter 1
FAQ

1.1 IPCOP Setup Issues

1.1.1 I just downloaded IPCOP but it will not install. Help!

Check all of the following

• You verified the MD5 after downloading IPCOP
• You burned the files as an ISO, and did not just copy the ISO file to disk
• Your CD/DVD drive works (try using another drive)
• Your computer will boot from CD (make a boot disk if necessary)

1.1.2 I am trying to use IPCOP in a testing environment but I can not access the Internet. What is wrong?

Make sure that you do not have a subnet overlap. Your Red and Green subnets must be different.

1.1.3 I have a Red-Blue-Green setup but I can not access computer on Blue from Green. Help!

See section 1.1.2.

1.1.4 I have a Red-Orange-Green setup connected by a switch. None of my computers can access the Internet, why?

Make sure each zone uses a different switch. If you have one switch connecting multiple zones, you defeat the point of using a firewall.

1.1.5 Is there any way I can disable NAT on IPCOP?

Please see section 1.4.1.

1.1.6 IPCOP will not recognize all of my NICs, what do I do?

1. Remove all of your NICs
2. Install one NIC in your first (PCI) slot
   (make sure it is a 10/100 NIC which is supported in the Linux 2.4.34 kernel, use a Linux LiveCD which uses the Linux 2.4.34 kernel to check if your NIC is supported)
3. Boot the install
4. If IPCOP recognizes your NIC
   This slot is good
5. If IPCOP does not recognize your NIC
   This slot is BAD, make a note
6. Shutdown IPCOP
7. Move your NIC to the next slot
8. Repeat steps 1 through 7 until you have gone through all of your (PCI) slots

Now place your cards in KNOWN working slots and boot/install IPCOP as usual.

1.1.7 How do I SSH into IPCOP?

• From the web interface, enable SSH access (System – SSH)
• From your client, connect to IPCOP using port 222 not 22
• To verify the SSH server is running
  check the System Status page (Status – System Status) and make sure Secure Shell Server is running.

1.1.8 How can I remotely access the web interface?

You must enable External Access to IPCOP. This is done by Firewall – External Access.

1.1.9 I have enabled remote access to the web interface but I can’t connect. What’s wrong?

Many ISPs block port 445 due to a known Windows flaw. Most ISPs will deny blocking any port but if you question them on port 445, they will admit it. Trying to get your ISP to open this port for you will get you very little progress. Instead, change your SSL port on IPCOP.

1.1.10 How do I change my SSL port for the web interface?

See section 1.2.14.

1.1.11 How do I change my setup type after install?

To change your setup, login via the console and type ’setup’.

1.1.12 My NIC won’t work, what do I do? (PCI IRQ Conflicts)

Unlike ISA and EISA cards, PCI cards do not select their own IRQ line. Instead they can only select one of four ’interrupt pins’, which are mapped by the motherboard chipset to IRQ lines. That is, only the motherboard BIOS knows how the INT to IRQ mapping is wired, and thus only the BIOS can change the IRQ mapping for the card. The IRQ mapping is usually configured at boot time by the PCI BIOS setup, with the the exact assignment algorithm being BIOS-specific. In What Order Are PCI Cards detected? There is no fixed rule, but use the following guidelines:

• The primary PCI bus is Bus #0. (Most machines have only one PCI bus, so this usually presents no problem.)
• PCI device numbers are usually assigned in slot order.
• The left-most PCI slot facing the back panel (usually the one closest to the CPU) is often the lowest numbered.
• On-motherboard devices are assigned the highest device numbers on Bus #0. (This is so that a plugged-in adapter card overrides a built-in one.)
• Adapter cards with on-board PCI bridges, e.g. the 4 port AHA6944TX, are assigned Bus#1 and up, and thus these devices are the last detected.

1.1.13 I want to use Gigabit ethernet NICs. Does IPCOP support Gigabit ethernet NICs?

IPCOP supports all NICs that are support under the Linux 2.4.34 kernel. While it is possible to modify IPCOP to support other Gigabit ethernet NICs, not many ISP support speeds greater than 200 Mbps. While Gigabit ethernet NICs might speed up data transfers between Green, Blue and Orange, most times your limiting factor will be hard drive read/write speeds.

1.1.14 I have added a second subnet/LAN to IPCOP. How do I get the web proxy to allow web request?

Edit /var/ipcop/proxy/acl and add the required lines to allow your second subnet/LAN.

1.1.15 How do I setup Dynamic DNS on IPCOP?

IPCOP has a built-in Dynamic DNS update client. To use it correctly, you must understand how IPCOP reads your hostname. For example, if your host name is

Your hostname is Example1 and your domain is Dyndns.org.

1.2 Administrating IPCOP

1.2.1 What is the difference between Port Forwarding and External Access?

Port Forwarding is for accessing computers behind IPCOP.
External Access is for accessing IPCOP itself.
For information on allowing traffic between interfaces, see Figure 1.1 on page §.

1.2.2 I just looked at my status page and noticed I am running a web server. What is it and how do I stop it?

IPCOP uses Apache[5] (an open source web server) to display the web interface to you. Without the web server, you would be unable to access/control IPCOP via your web browser. By default, only Green (and Blue if enabled through Blue Access) can access the web interface.

1.2.3 My consumer router has UPNP, how do I enable it on IPCOP?

IPCOP does not support UPNP.

1.2.4 My consumer router has Port Triggering, how do I enable it on IPCOP?

IPCOP does not support Port Triggering.

1.2.5 I have multiple IP addresses from my ISP. How do I configure IPCOP to respond to all of them?

First configure IPCOP to use a static IP address (see section 1.1.11). Once you have done that, goto the Alias page (Network – Alias) and add the additional IP addresses you want IPCOP to use.

1.2.6 I have added IP addresses to the Alias page but all of my requests come from one IP address. How do I change this?

By default, IPCOP will send all traffic out through the default IP address. You can use a mod called SNATGui[6] to have a particular computer send out via one of your Alias IPs.

1.2.7 How do I copy a file over to IPCOP?

Make sure you have enabled SSH via the web interface. Copying over files must be done through SFTP. For Windows users, use WinSCP[7] [see section 3.8 for more information on WinSCP].

1.2.8 How do I test port forwarding, external access, and/or my firewall for open ports?

To successfully test your IPCOP setup, you MUST be OUTSIDE of your network. If you are inside your network and attempt to use your Red address, the results that you get will not be accurate. For troubleshooting directions, please see section 1.5.4.

1.2.9 When I do a port scan, IPCOP shows port 113 is closed. How do I make port 113 unreplied?

Some older websites/programs use port 113 (Ident) to check if a remote computer exists on the connection. For this reason, IPCOP by default response to port 113 with a closed response. If you want IPCOP not to respond to port 113, do the following:

• Goto your web interface
• Goto the External Access page (Firewall – External Access)
• Remove port 113 from the External Access page

1.2.10 What traffic is allowed between interfaces?

1.2.11 My traffic graphs are not updating, what do I do?

The steps to make your graphs work again are as follows:

1. Login to IPCOP via consol or remote ssh (on Windows use Putty[10]) [see section 3.9 for more information on using Putty].
2. At the console, run ’/usr/local/bin/makegraphs’
   • If you get ’ipac-ng chains or rules corrupted, fix this with fetchipac -S’ then
     • Run ’fetchipac -S’
   • If you get ’Error in RRD::update for cpu: illegal attempt to update using time’ then
     • Run ’rm /var/log/rrd/*’
     • Run ’rm /home/httpd/html/graphs/*’
3. Now when you run ’/usr/local/bin/makegraphs’

Traffic graphs should now be fixed.

1.2.12 I am trying to update IPCOP, do I have to apply all patches in order?

IPCOP updates need to be applied in the correct order. If you have a 1.4.5 install and the current version is 1.4.10, then you must apply the patches in the correct order (i.e. 1.4.6, 1.4.7, 1.4.8, etc) and reboot as required (so new kernels are applied).

1.2.13 How do I edit files on IPCOP?

Make sure you have enabled SSH via the web interface. Editing files must be done through SFTP. For Windows users, use WinSCP[7] [see section 3.8 for more information on using WinSCP].

• Navigate to the file in question and select ’Edit’
• Edit the file as required
• Save changes

1.2.14 How do I change the http and https ports IPCOP uses?

You have several options to change the ports IPCOP uses:

• IPCOP command line change program
• Use GuiListenPorts addon[8] (after installing Addon Server[9])
• Run /usr/local/bin/setreservedports [PortToUse]
• Edit files manually

Please also see 1.8.3 for information on command line control over external access.

If you chose to edit the files manually, use the following steps:

1. Edit Apache configuration files
   1. Connect to IPCOP via SSH using port 222
      (on Windows connect using Putty[10] [see section 3.9 for more information on using Putty])
   2. Type ’cd /etc/httpd/conf’
   3. Type ’vi httpd.conf’
   4. Find and replace all instances of 445 (only two entries to change) with the port number you wish to use
   5. save and close httpd.conf
   6. restart apache (type: killall httpd and then httpd -DSSL)
2. Change the port forwarding reserves
   1. Edit ’/home/httpd/cgi-bin/portfw.cgi’
   2. Find line that looks like this: my @tcp_reserved = (81,222,445);
      change the 445 to the same port you changed above
   3. Save the changes
3. Edit IPCOP header file
   1. Edit ’/var/ipcop/header.pl’
   2. Change the following to reflect your new port

      ### Make sure this is an SSL request   if ($ENV{’SERVER_ADDR’} && $ENV{’HTTPS’} ne ’on’) {   print "Status: 302 Moved\r\n";   print "Location: https:#$ENV{’SERVER_ADDR’}:445/$ENV{’PATH_INFO’}\r\n\r\n";   exit 0;   }

1.2.15 How do I set multiple public IP addresses with my PPPoE/PPPoA connection?

The External Alias menu is shown in the web interface only when IPCOP’s Red interface is set to Static. To access the External Alias menu and set multiple IP addresses, do the following:

1. First add the Aliases to the WebGui
   1. Open https://IPCOP_IP:445/cgi-bin/aliases.cgi
   2. Enter the Alias IPs
      Note: This only adds the IP addresses to the Web Interface ONLY
2. Now added them to the IPCOP system
   1. Edit /etc/rc.d/rc.local
   2. Add

      # PPPoe Aliases -------------------------------   sleep 3;   /sbin/ifconfig ppp0:1 [IP Address 1] netmask [IP Subnet 1]   /sbin/ifconfig ppp0:2 [IP Address 2] netmask [IP Subnet 2]   # PPPoe Aliases ---------------------------------

3. Reboot and test using ifconfig

1.2.16 How do I login to IPCOP?

During install of IPCOP, you were prompted to create a password for several accounts. Theses accounts have specific uses described below:

• root- This is a Linux account and is used to login to IPCOP via the console and SSH. This account CAN NOT login to IPCOP via the web interface.
• admin- This is an Apache account and is used to login to IPCOP via the web interface. This account CAN NOT login to IPCOP via the console or SSH.
• backup- This is a Linux account and is used to login to IPCOP for backup purposes only. This account was added to IPCOP around version 1.4.13 (and is disabled if you have been upgrading from prior versions).

1.2.17 How do I change the port IPCOP uses for SSH?

You need to manually edit several files, use the following steps:

1. Edit SSH configuration files
   1. Connect to IPCOP via SSH using port 222
      (on Windows connect using Putty[10] [see section 3.9 for more information on using Putty])
   2. Type ’cd /etc/ssh’
   3. Type ’vi sshd_config’
   4. Find ’Port 222’ and replace with the port number you wish to use
   5. save and close sshd_config
2. Change the port forwarding reserves
   1. Edit ’/home/httpd/cgi-bin/portfw.cgi’
   2. Find line that looks like this: my @tcp_reserved = (81,222,445);
      change the 222 to the same port you changed above
   3. Save the changes
3. Restart SSH
   1. Run /usr/local/bin/restartssh This will terminate your SSH session. Reconnect on the port you set to verify SSH has changed.

   If you enabled External Access, update the rules to reflect your new SSH port.

1.2.18 I am receiving the following error message when trying to change settings in the web GUI: ’Invalid referer: doesn’t match servername!’

To be able to change settings throught the GUI, IPCop requires your browser to send referer info. If the browser does not send referer info, modifications are ignored and ’Invalid referer: doesn’t match servername!’ is logged. Referer settings can be found/modified: in FF open about:config, search for network.http.sendRefererHeader and modify from 0 to 1 (or 2 which is default). in Opera go Tools-¿Preferences-¿Network and tick ’Enable referrer logging’.

1.2.19 I don’t like the builtin graphs, where can I get better graphs?

Allan Kissack has a great site with multiple traffic graph mods[11]

1.3 Using IPCOP

1.3.1 I just installed IPCOP and I can not get an IP Address from my ISP. Help!

If you are using a cable modem, your ISP may be locking you to one IP address at a time. First try power cycling your cable modem. If that does not work, then you have two options:

• Power down your cable modem and wait for your DHCP lease to expire (usually around 4 hours)
• Set your IPCOP MAC address to your computer’s address

To change your MAC address (version 1.4.x):

1. IPCOP Addon
   • Download and install the Addon Server[9]
   • Download and install RedMAC[12]
   • Configure the Red MAC address through the web interface
2. IPCOP Addon via command line
   • Download and install RedMAC for IPCOP 1.4.13-1.4.15[13]
     For install directions, please see the readme file.
3. IPCOP Commandline At the IPCOP command prompt enter the following command -

   ifconfig [interface name] hw ether [new MAC address]         Example  ifconfig eth0 hw ether 01:02:03:04:05:06

1.3.2 IPCOP keeps crashing when I use p2p/bittorrent clients, what do I do?

It has been reported that high number of connections through IPCOP can cause problems. One way to prevent IPCOP from crashing is by lowering the maximum number of connections your p2p/bittorrent client will use.

1.3.3 How do I add a custom host to IPCOP’s DNS?

There are two ways

• Add the host to Hosts page (Services – Edit Hosts).
• Add the host to the Hosts file (/etc/hosts).

Using the Host page option will overwrite any changes to /etc/hosts.

1.3.4 How do I use the builtin traffic shaper?

The builtin traffic shaper has three classes of priority. By default, traffic that does not have an assignment (i.e. ports not specified through the web interface) will have the Normal priority. This setup allows you to specify which traffic you want to have a higher or lower than Normal (or bulk) priority.

1.3.5 How do I change my MTU settings?

Change red MTU by adding system(’/sbin/ifconfig ppp0 mtu 1458’); in /etc/ppp/ip-up

1.3.6 I am getting a Snort ’Oink Oink’ error, how do I fix it?

If you are getting the following error:

You need to do the following:

• Connect to IPCOP via SSH using port 222
  (on Windows connect using Putty[10] [see section 3.9 for more information on using Putty])
• At the console, run

  cd /etc/snort   chown snort:snort rules   cd rules   chown snort:snort *.*   chown snort:snort *

1.3.7 Snort fails after rules update, what do I do?

To fix this, you will need to edit ’/usr/local/bin/snortrules.pl’

• Login to IPCOP using putty or WinSCP (remember SSH on IPCOP is port 222 not 22)
• Edit /usr/local/bin/snortrules.pl
• Find

  my $rulesbranch="current";

  and replace with

  my $rulesbranch="2.6";

• Save the file
• You may have to wait 15 mn after a previous rules load to be allowed to load rules again

1.3.8 How do I rebuild my Zerina certificates?

To remove the old certs and generate new certs

• Stop the openvpn server
• Run the uninstall for zerina
• Run the install for zerina
• Regenerate the certs like normal

1.3.9 How do I run OpenVPN on Vista?

To run OpenVPN-GUI on Vista:

run /bin/openvpn-gui.exe as administrator

add to config file: route-method exe route-delay 2

As you found out, it works, but the ADD ROUTE command fails - the above changes will fix that (it’s a known bug in VISTA/OPENVPN-GUI).

1.3.10 How do I control access for VPN clients to my servers?

Please take a look at the documentation located on the Zerina site

1.3.11 I have added a computer to Blue but it is not connecting to the Internet. What do I do?

Make sure you have read over the Blue Mantra

• Blue must be on a separate physical wire from Green (not on same hub/switch)
• Blue must be on a separate logical subnet.
• Blue cannot access Red unless Blue Access are opened.
• Blue cannot access IPCOP unless Blue Access are opened.
• Blue cannot access Green unless pinholes are opened.
• Blue can be port-forwarded to in exactly the same manner as Green.
• When using an access point, you must add each computer individually to Blue Access.
• When using a wireless router and connecting via the WAN port, you must add the MAC address of the wireless router to Blue Access (see 3.2.2).
• When using a wireless router and connecting via the LAN port, you must add each computer individually to Blue Access (see 3.2.1).
• When adding a computer to Blue Access, you can control access by:
  • MAC Address Only
  • IP Address Only
  • MAC and IP Address

1.3.12 How do I use DNS servers with IPCOP (i.e. which to specify for each interface)?

The ipcop firewall has a caching dns proxy built in, and you need to understand how this affects your DNS configuration.

• Your clients in green need to use your DNS server in green only
• Your DNS server in green needs to use ipcop as it’s upstream server, NOT your ISP’s DNS servers
• Your DNS server in orange (which seems wrong unless you have a lot of servers) needs to use only your ISP’s DNS, NOT the ipcop or the DNS server in green.

If your clients in green need to resolve IP addresses for servers in Orange, add these IP addresses and names into your DNS in green.

1.4 Advanced IPCOP setups

1.4.1 How do I configure IPCOP to work in 1:1 NAT mode?

IPCOP by default is a NAT router. You can configure IPCOP to map IP addresses using SNATGui[6] or use a firewall which supports 1:1 NAT such as Pfsense[14].

1.4.2 I added a wireless access point to the Blue NIC and I can’t access the web. What’s wrong?

Before a computer can access the web from the Blue zone, it must be added to Blue Access page. You can add the IP address and/or the MAC address of the computer in question. Once this has been added, the computer should be able to access the Internet. If you are using a wireless router, please see the tutorial in section 3.2.

1.4.3 How do I configure IPCOP to force registration of wireless users before they can access the Internet (a.k.a. I want a Captive Portal on IPCOP)?

While there exists some mods, such as CopSpot[15], to add Captive Portal features to IPCOP, other firewall products such as Pfsense[14] have Captive Portal built in. While you can mod IPCOP to support Captive Portal, Pfsense offers a better working solution. Any mods you do to IPCOP by break with IPCOP upgrades (see section 1.7.2).

1.4.4 How do I use multiple WAN interfaces with IPCOP?

As of the current version (1.4.21), IPCOP does not support multiple WAN interfaces. While it is possible to hack IPCOP to use multiple WAN interfaces, you will most likely do more damage to the Iptables in the process. Other firewall products, such as Pfsense[14], do support multiple WAN interfaces. There are hints that IPCOP version 1.5 will support multiple types of the same interface.

1.4.5 How do I configure IPCOP to support load balancing?

Please see section 1.4.4.

1.4.6 How do I setup multiple of the same type of interface?

As of the current version (1.4.21), IPCOP does not support multiple types of the same interface. While it is possible to create more than one of each interface, you will most likely do more damage to the Iptables in the process. Extra Interfaces[16] allows you to create up to four (4) additional Grey interfaces. Pfsense[14] does support multiple NICs of any type (32 at maximum). There are hints that IPCOP version 1.5 will support multiple types of the same interface.

1.4.7 I want to prevent outbound traffic, how do I do this?

By default, the current version of IPCOP (1.4.21) does not block outbound traffic. You can use a mod called Block Out Traffic (BOT)[17] to define what traffic is allowed outbound.

1.4.8 I have blocked port Y but program X can still connect to the Internet. How do I block program X from connecting?

Many programs will attempt to use other ports including ports 80 (http) and 443 (https) if the default port is blocked. There are a few things you can do

• Uninstall the program from the computer and don’t let the user run as Administrator
  While this seems unreasonable it has a purpose and is the most effective way to block program X. If you are a business and/or parent, you own the machine and are allowed to control what happens on it.
• Install L7 Protocol Blocker[18].
• Configure BOT[17] or Banish[19] to block the destination of the program you wish to block
  For Example, to block AIM you could block all access to AOL’s Servers.

1.4.9 What are Cron Jobs/How do I edit IPCOP’s Cron Jobs?

Cron jobs are Unix/Linux automated jobs. The layout of the Cron is as follows:

To edit IPCOP’s Cron jobs:
Login to IPCOP’s console and type ’fcrontab -e’

1.4.10 Multiple NAT routers behind IPCOP

If you are going to setup multiple NAT routers behind IPCOP, make sure each router is using a different subnet. If you would like IPCOP to be able to forward traffic to a particular client not on IPCOP’s subnet, you will need to add route statements so IPCOP knows how to route the traffic.

1.4.11 How do I block inbound traffic from repeat offenders?

There was an addon called Banish[19]. The last version of Banish available is hosted here[20].

1.4.12 How do I allow the ’dial’ user to access more IPCOP web interface pages?

• Login to IPCOP using putty or WinSCP (remember SSH on IPCOP is port 222 not 22)
• Edit /etc/httpd/conf/http.conf
• Find the following:

  <Directory /home/httpd/cgi-bin>       AllowOverride None       Options None       AuthName "Restricted"       AuthType Basic       AuthUserFile /var/ipcop/auth/users       Require user admin       <Files index.cgi>           Satisfy Any           Allow from All       </Files>       <Files credits.cgi>           Satisfy Any           Allow from All       </Files>       <Files dial.cgi>           Require user a