We (my landlord and I) decided to settle on a cheap home-grade router to serve our network. The network covers two houses with a maximum of 12 computers in each (although usually only about 6 in each). We noticed that the traffic was so intense that the router kept buckling. Basically, its DHCP server wasn't always giving out IP addresses. The router has no firewall or proxy and is very limited in what it can do. I want more control over the network, so I've decided to ditch the router and build an old Pentium 3-spec machine that will run either IPCop or Smoothwall. I've run them both through VMware and I like what they have to offer. Smoothwall has better documentation, but IPCop has an extra 'blue zone' which I think I need. I've included some diagrams of the proposed network: one with IPCop running 3 zones and one with Smoothwall running two zones. Which setup and firewall do you think is best for my network? Can someone go through the pros and cons of both diagrams?
IPCop. It's a fork of Smoothwall anyway. I'd install the addon engine and the BOT (block outward traffic) module, which will give you access to write advanced firewall rules. I fail to see the advantage of Smoothwall in this environment, so I can't really run you through the pros of that side of the diagram, but you could also implement IPCop with two interfaces in exactly the same manner. The major benefit of configuring the iPrism with two different zones would be that you could easily segregate the two networks, forcing them to act as two individual networks instead of one larger one. Also, the BLUE network zone in IPCop can be used to exclude any PCs which do not have their MAC addresses listed in the zone's allow list. You could also conceivably introduce filtering to one or both zones via some transparent proxy magic (à la Squid) and the Cop+ plugin (à la Dan's Guardian). I don't know if these features are attractive to you, but you can do it. Another option would be m0n0wall, although IPCop is probably easier to use depending on your networking background. IPCop does support QoS and traffic shaping, but the Linux kernel's shaper is not as nice as the BSD kernel's shaper. OTOH, since m0n0wall is based on BSD, the hardware support is not as good as IPCop, which is based on Linux. So, ultimately, I believe IPCop would be best for you except in the case that traffic shaping is your number one concern. In that case, take a long hard look at m0n0wall before you implement a firewall.
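As an added illustration of what the reply above describes (not IPCop's own scripts, nor the BOT addon's actual rule set), here is a hand-written iptables rule set for a three-NIC box: a BLUE zone gated by a MAC allow list, a block-outward-traffic policy that lets GREEN and BLUE open only a few ports to RED, and no forwarding at all between the two houses. Interface names, subnets, MAC addresses and port lists are assumptions chosen for the example. With IPT unset the script only prints the commands; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example, not IPCop's own scripts: iptables rules modelling the BLUE zone
# (MAC allow list) and the "block outward traffic" idea from the reply above.
# Interface names, subnets, MACs and port lists are assumptions for illustration.
# With IPT unset the rules are only printed; set IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

GREEN_IF=eth0; GREEN_NET=192.168.1.0/24   # house 1, trusted
BLUE_IF=eth1;  BLUE_NET=192.168.2.0/24    # house 2, MAC-gated
RED_IF=eth2                               # Internet side

# Constructed BLUE allow list: only these NICs may pass the firewall.
BLUE_ALLOWED_MACS="00:11:22:33:44:55 00:11:22:33:44:66"

# Outbound services the LAN zones may reach; anything else is logged and dropped.
ALLOWED_OUT_TCP="80 443 22"
ALLOWED_OUT_UDP="53 123"

gen_zone_rules() {
    # Default deny for forwarded traffic; nothing crosses zones unless allowed.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -N BLUE_MAC 2>/dev/null || true
    $IPT -F BLUE_MAC

    # Replies to flows we already allowed are always fine.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # BLUE zone gate: traffic entering on the BLUE NIC must come from a listed
    # MAC (and from the BLUE subnet) or it is dropped before any other rule.
    $IPT -A FORWARD -i "$BLUE_IF" -j BLUE_MAC
    for mac in $BLUE_ALLOWED_MACS; do
        $IPT -A BLUE_MAC -s "$BLUE_NET" -m mac --mac-source "$mac" -j RETURN
    done
    $IPT -A BLUE_MAC -j LOG --log-prefix "BLUE-UNKNOWN-MAC: "
    $IPT -A BLUE_MAC -j DROP

    # Block outward traffic: each LAN zone may open only the listed ports to RED.
    for lan_if in "$GREEN_IF" "$BLUE_IF"; do
        for port in $ALLOWED_OUT_TCP; do
            $IPT -A FORWARD -i "$lan_if" -o "$RED_IF" -p tcp --dport "$port" -j ACCEPT
        done
        for port in $ALLOWED_OUT_UDP; do
            $IPT -A FORWARD -i "$lan_if" -o "$RED_IF" -p udp --dport "$port" -j ACCEPT
        done
        $IPT -A FORWARD -i "$lan_if" -o "$RED_IF" -j LOG --log-prefix "BOT-DROP: "
    done
    # GREEN<->BLUE has no ACCEPT rule, so the two houses stay separate networks
    # (that traffic falls through to the DROP policy).

    # NAT both LAN zones behind the RED address.
    $IPT -t nat -A POSTROUTING -o "$RED_IF" -j MASQUERADE
}

gen_zone_rules
```

One caveat a practitioner would add: a MAC allow list keeps casual or accidental devices off the network, but a MAC address is trivially cloned by anyone who can see a listed one on the wire, so treat the BLUE gate as housekeeping rather than as authentication.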
Can the addon proxy Squid filter out adverts? I've downloaded a few addons but I am not sure how to log in to IPCop through SSH. How can I access the IPCop console remotely? Thanks. EDIT: Just re-read your post - do I need to install the 'addon engine' before I install any addons? Where is the addon engine?
Squid is the ubiquitous proxy server for UNIX. It is the proxy used for most network appliances and content filters in the world which utilize proxy technology. So, in short, yes. But it is not Squid's primary function, and there are many reasons why this would be impractical to implement. SSH is disabled on the IPCop by default, in favor of the web interface over AES-256 (though only 128 in IE -- that browser stinks). You can enable SSH access in System --> Remote Access. But DO NOT enable SSH1, as it has had a history of security problems.
>>> Addons for IPCop Firewall <<<
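To check the "do not enable SSH1" advice on an actual box, here is an added audit snippet (not from the thread or IPCop): it reads an sshd_config on stdin and reports whether protocol 1 is allowed. OpenSSH releases of that era defaulted to "Protocol 2,1" when the directive was absent, so a missing line is treated as unsafe; that conservative default and the two sample configs are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or IPCop: audit an sshd_config (read on
# stdin) for SSH protocol 1 being enabled. Old OpenSSH releases fall back to
# "Protocol 2,1" when the directive is absent, so a missing line is treated as
# unsafe here (conservative assumption). Returns 0 (true) when SSH-1 is allowed.
sshd_allows_protocol1() {
    awk '
        /^[[:space:]]*#/ { next }                    # skip comments
        tolower($1) == "protocol" {
            found = 1
            n = split($2, v, ",")                    # "2,1" style lists
            for (i = 1; i <= n; i++) if (v[i] == "1") bad = 1
        }
        END { if (!found) bad = 1; exit (bad ? 0 : 1) }
    '
}

# Human-readable verdict for a file, e.g.  sshd_check /etc/ssh/sshd_config
sshd_check() {
    if sshd_allows_protocol1 < "$1"; then
        echo "$1: SSH protocol 1 enabled (or defaulted) - set 'Protocol 2'"
        return 1
    fi
    echo "$1: protocol 2 only"
}

# Constructed sample configs so the check can be exercised offline.
GOOD_CFG='Port 222
Protocol 2
PermitRootLogin no'

BAD_CFG='# Protocol 2
Protocol 2,1
PermitRootLogin yes'

printf '%s\n' "$BAD_CFG"  | sshd_allows_protocol1 && echo "sample 1: SSH-1 allowed"
printf '%s\n' "$GOOD_CFG" | sshd_allows_protocol1 || echo "sample 2: protocol 2 only"
```

On a current OpenSSH the server no longer ships SSH-1 at all, so the check matters mainly for appliances built on older releases, which is exactly the situation in this thread.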
But what I don't understand is how I move those addons onto the IPCop hard drive! Do I have to share a folder on the IPCop server or can the IPCop server access an NFS share on my main computer?
Okay, never mind that, I've Googled it! I want to ask you about proxy servers, though. I read on the IPCop wiki that the bigger the proxy cache, the more memory is needed. Also, if the cache is set too big then the server will spend more time trying to manage it and less time fetching web pages, thus slowing down the internet for everybody on the network. What size cache would you recommend for a server with a P3 ~700MHz, 128MB RAM and 3.2GB HDD? Do you have any general advice or experience with proxies that you would like to share?
My advice: Don't use a proxy unless you have good reason to do so, e.g. you want web content filtering or have a connection with extremely high latency. Otherwise I'd just leave the proxy disabled and use the IPCop as a router/firewall.
Why do you advise against using a proxy? I thought proxies were supposed to 'speed up' the retrieval of web pages?
Nah, it's nonsense. I don't mean to come on too strongly here, but I do work with proxies for a living. The speed up may be true of larger files, more specifically those which are retrieved often, but it's rarely true for vast & varied content. The situation where a caching proxy is a good idea is, like I stated earlier, when your connection has abysmal latency (but relatively good burst speeds). Then you wouldn't notice an appreciable decrease in performance the first time somebody downloads a web page, but the next time it would be as fast as they could download it from the proxy server (which is much closer and has better bandwidth than the Internet connection). In your case you'd just be adding more latency, not decreasing it. Basically a proxy introduces much more handling of the traffic than a router or bridge. Look at the following example. It's a bit of an over-simplification, but I think it might help to get the point across. Keep in mind that inter-kernel IO is a multitude faster than IO between the kernel and userland (e.g. software):

Router: INTERNET -> NIC -> [kernel network stack] -> NIC -> [end user]

Proxy: INTERNET -> NIC -> [kernel network stack] -> [squid proxy] -> [cache on HDD] -> [kernel network stack] -> NIC -> [end user]

..get the idea?
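The argument above can be put into numbers. What follows is an added back-of-the-envelope model, not something from the thread: a cache hit costs the LAN hop plus Squid's own handling, a miss costs that plus the Internet round trip, and the proxy only breaks even once the hit ratio reaches (lan + proxy) / wan. All the millisecond figures are constructed for illustration, and the arithmetic is integer-only, so results are floored.

```shell
#!/bin/sh
# Added example, not from the thread: a back-of-the-envelope model of the
# post's argument. All times are constructed round-trip figures in ms:
#   wan   = fetch straight from the Internet (router path)
#   lan   = client <-> proxy hop on the LAN
#   proxy = squid's own handling (userland copy, cache lookup, disk)
# A cache hit costs lan+proxy; a miss costs wan+lan+proxy; hit_pct is the
# hit ratio in percent. Integer arithmetic only, so results are floored.

# Expected page-fetch time through the proxy for a given hit ratio.
proxy_expected_ms() {  # wan lan proxy hit_pct
    echo $(( ( $4 * ($2 + $3) + (100 - $4) * ($1 + $2 + $3) ) / 100 ))
}

# Hit ratio (percent) at which the proxy merely breaks even with the router:
# hit*(lan+proxy) + (1-hit)*(wan+lan+proxy) = wan  =>  hit = (lan+proxy)/wan
breakeven_hit_pct() {  # wan lan proxy
    echo $(( ($2 + $3) * 100 / $1 ))
}

# Print a fast DSL-like link next to an abysmal-latency link for a few ratios.
compare_links() {
    lan=8; proxy=2
    for wan in 30 600; do
        echo "WAN ${wan}ms: direct=${wan}ms breakeven_hit=$(breakeven_hit_pct $wan $lan $proxy)%"
        for hit in 10 30 50; do
            echo "  hit ${hit}%: via proxy $(proxy_expected_ms $wan $lan $proxy $hit)ms"
        done
    done
}

compare_links
```

With these figures the 30 ms link needs a 33% hit ratio before the proxy stops costing time, which is more than a dozen tenants browsing unrelated sites will produce, while the 600 ms link breaks even at about 1%, which is the "abysmal latency" case the reply describes.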
NP dude! Squid is a fantastic proxy, and it performs extremely well for a proxy. But it will still introduce latency and complexity by its very nature, so it's best to keep things as simple as possible. If you need content filtering and such however, Squid & Dan's Guardian would be the first thing I'd look into. You can get that functionality for free with the COP+ package for IPCop.
Have you tried the F@H addon for IPCop? I am going to install it once the server is up and running but I am a bit worried about the effects this could have on performance for the rest of the network.
It's a UNIX platform, so since it sets the 'nice' value for F@H as high as possible, all other system processes get a higher priority. This said, it still uses RAM and CPU cycles, so it could increase latency slightly. It will also stress the hardware full-time and cause excess heat, so I really wouldn't recommend such a trivial thing for a production system.
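Whether an addon really runs at a high nice value is easy to verify on the box. The snippet below is an added example, not part of the thread or the F@H addon: it starts a stand-in worker (a plain sleep) at niceness 19 and reads the nice value back, from /proc on Linux or from POSIX ps elsewhere. The point the reply makes still stands after the check: a nice-19 process loses every scheduling contest, but it will use every idle cycle it can get.

```shell
#!/bin/sh
# Added example, not from the thread or the F@H addon: check that a process
# really runs at a high nice value, the way the reply says the addon sets it.
# Uses only nice(1), ps(1) and /proc; the background job is a plain 'sleep'
# standing in for the F@H client.

# Nice value of a pid. On Linux it is field 19 of /proc/<pid>/stat; the comm
# field (2) is parenthesised and may contain spaces, so everything up to ") "
# is cut first and field 19 becomes awk's $17. Elsewhere fall back to POSIX ps.
nice_of_pid() {
    if [ -r "/proc/$1/stat" ]; then
        sed 's/^.*) //' "/proc/$1/stat" | awk '{ print $17 }'
    else
        ps -o nice= -p "$1" | tr -d ' '
    fi
}

# Launch a command at the given niceness in the background and print its pid.
# nice(1) exec()s the command, so the pid is the command's own. stdout/stderr
# go to /dev/null so a caller using $(...) is not held open by the child.
start_niced() {  # niceness command [args...]
    n=$1; shift
    nice -n "$n" "$@" >/dev/null 2>&1 &
    echo $!
}

# Demonstration: a niced worker next to the shell itself.
demo() {
    worker=$(start_niced 19 sleep 30)
    sleep 1   # let nice(1) call setpriority() and exec the worker
    echo "shell pid $$ nice=$(nice_of_pid $$)"
    echo "worker pid $worker nice=$(nice_of_pid "$worker")"
    kill "$worker"
}

demo
```

To check a real addon, replace the demo with nice_of_pid on the addon's pid; if it prints anything below 19, renice it or stop trusting the "it only uses idle CPU" argument.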
BTW, it might please you (and your landlord) to know that your DIY firewall is actually spec'd higher than a $2500 Cisco PIX firewall:

PIX-515E TECHNICAL SPECIFICATIONS
• Processor: 433-MHz Intel Celeron Processor
• Random access memory: 64 MB or 128 MB of SDRAM
• Flash memory: 16 MB
• Cache: 128 KB level 2 at 433 MHz
• System bus: Single 32-bit, 33-MHz PCI
Hey Megamaced, here are three very basic proposals for your network deployment. It's up to you which will suit the need the best! Let me know if you need any additional proposals and I'll work something up.
Graphs two and three would probably be more suitable. I want the network to be 'plug and play' in a sense, so when a new tenant moves in all they have to do is plug in the network cable and away they go. This would not be possible for the 'blue' household in graph one. Graph two is probably the best way to go but I didn't think it was possible to assign two network cards to the GREEN network? I think I tried it before and it wouldn't let me. That's why I opted for the blue network - to run as an additional green-like network. Graph three solves the Green / Blue network issue but what of the internet speed for the second house? Will they notice any lag having to go through an additional switch? Thanks in advance
No, it's just a layer-2 switch -- store & forward. If the switch is adding latency, you need a new switch.
Right, well, I think I've covered everything for now. I am just waiting for the computer parts to arrive and then I'll build it and get it connected to the network. In the meantime I am still playing around with IPCop using VMware. It's best that I totally familiarise myself with it before I use it in production. I'll let you know how it goes.
OK, and I'll be glad to help if you have issues, though I don't anticipate any. I use IPCop for my own network, and also for several production networks I've set up. If it helps, here are the plugins I typically use: Net-Traffic, BlockOutTraffic, IPTraf, and RedMAC.