IPCop configuration help

Tom-Vanderbilt
Not sure if anyone can help me with trying to get my Internet connection up and running using IPCop 1.4.21.  I downloaded and installed IPCop with no problem.  I am doing a very basic network configuration with a static IP from my ISP on the red interface and my network on the green interface with no DHCP service needed for the internal network.  I put the static IP, DNS IP, and gateway IP addresses onto the red interface with no trouble.  I have my static IP that I am using on the green interface.  

I set my computer's gateway address as the green interface address and use the same two DNS server addresses that were given to me by my ISP.  I cannot get any web pages to load up.  I try to ping something directly with an IP address and still nothing.  I am able to ping the gateway address that was provided to me by my ISP but I cannot ping the DNS servers provided.  I know that they are working because I can ping them from another location.

I am stuck as to what to try.  I am pretty sure that everything is configured right in IPCop.  Below are some screenshots of my configuration.


network-status.JPG
services.JPG
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
Have you allowed DNS rules from the Green to Red for DNS, and have you also granted ICMP Echo rules from the Green to Red also?

Author

Commented:
Are you talking about firewall rules?  The ports from green to red are all open by default.

Commented:
@Tom-Vanderbilt: right, you don't need to add rules to the configuration by default.

The IP address of the DNS server you have to give to the computers of your GREEN network is the address of the GREEN interface of IPCop. It is better that IPCop resolves the IP addresses.

Check if you are not confusing the RED and the GREEN interface of IPCop.

I never tried to run IPCop with no proxy running. This could be a problem. I would like to know if there is any reason for your proxy server not to run.

Author

Commented:
@pfrancois:  Ok I did not put the address of the green interface as a DNS server onto the computer I was testing.  I will have to try that tomorrow and see what happens.  As far as the proxy is concerned, I did not set the proxy up because I was not sure if I actually needed it or not.  I only installed IPCop and tried to get things going.  I haven't tried to start any of the other services.

Author

Commented:
Ok I tried setting the DNS setting on my computer to point to the IPCop IP address on the green interface and still nothing.  I also tried using the proxy service but that did not do anything either.  Now here is a weird thing.  This is the second kind of routing device that I have tried using to get a connection to the Internet.  The first device that I tried is a Juniper SSG5 and I currently have an open question with that one here.  I also tried for the hell of it a basic Linksys wired router that I had lying around.  With that I was able to get a connection but I cannot use that because I am trying to use the device with the firewall and VPN that both IPCop and Juniper have.

At this point I really am lost as to what the problem could be.  The setup is not that difficult, especially with IPCop.  It seems to be a hell of a lot easier to set up than the Juniper device is.  I know the Juniper is working because I have it set up on my other Internet connection but using a dynamic IP address from the ISP.  Works just fine.

Commented:
A common pitfall with IPCop is to connect the red interface to the LAN and the GREEN interface to the modem.

If you can configure your IPCop, I suppose you can log in to IPCop with an SSH client. Try simple operations on IPCop itself like what you did with a computer from your LAN: ping the gateway address that was provided to you by your ISP and ping the DNS servers provided. If this doesn't work, the rest won't. And that would mean the problem is in the configuration of your DSL/cable modem.
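
The check suggested above, as an added example that is not part of the original comment: a small script to run in a shell on the IPCop box itself, reporting whether the fault is on the RED link or beyond the ISP gateway. The function names, the PROBE variable and the ping options are assumptions; the addresses in the usage comment are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Layered reachability check, meant to
# be run on the firewall itself so the GREEN side is out of the picture.
# Usage: sh locate_fault.sh 108.58.54.65 167.206.7.4 167.206.254.1
#        (ISP gateway first, then hosts that lie beyond it)

# PROBE is the reachability command. Assumption: an iputils-style ping that
# accepts -c (count) and -W (timeout in seconds). It can be overridden so
# the logic can be exercised without a network.
PROBE=${PROBE:-"ping -c 2 -W 2"}

reachable() {
    # $1 = IP address; succeeds if the probe gets a reply
    $PROBE "$1" >/dev/null 2>&1
}

# locate_fault GATEWAY HOST [HOST ...]
# Prints one word naming where connectivity stops:
#   red-link  the gateway on the RED subnet does not answer
#             (cabling, RED address/netmask, or the modem itself)
#   upstream  the gateway answers but nothing beyond it does
#             (default route on the firewall, or the modem/ISP side)
#   partial   some hosts beyond the gateway answer and some do not
#   ok        every host answered
locate_fault() {
    gw=$1
    shift
    if ! reachable "$gw"; then
        echo red-link
        return 0
    fi
    up=0
    down=0
    for host in "$@"; do
        if reachable "$host"; then up=$((up + 1)); else down=$((down + 1)); fi
    done
    if [ "$up" -eq 0 ]; then
        echo upstream
    elif [ "$down" -gt 0 ]; then
        echo partial
    else
        echo ok
    fi
}

# Run only when called with a gateway and at least one host beyond it.
if [ "$#" -ge 2 ]; then
    locate_fault "$@"
fi
```

A result of `upstream` matches the symptom described in this thread: the gateway answers and the DNS servers do not, so the LAN hosts and the GREEN interface are not where the problem lies.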

Author

Commented:
I know that I do not have the interfaces switched (red on LAN and green on modem).  As far as pinging is concerned, I am able to ping the gateway address that was provided to me by my ISP but I cannot ping the DNS for some reason.  When I hook up the basic Linksys router, I am able to ping both the gateway and DNS servers.

Commented:
I suppose your configuration is as follows:

host 10.0.110.27 ---- switch ---- 10.0.110.42 IPCop 108.58.54.66 ---- modem ---- 108.58.54.65 ISP
                                        (doesn't connect)                  |
                                                                           Linksys router (connects)


I hope the drawing above remains clear with other fonts having other spacing than mine.

From your screenshot network-status.jpg, it is clear that the ISP stopped the dialogue with IPCop after transmitting only 6 packets. This could mean that the ISP is refusing to connect with IPCop, possibly because it doesn't recognize the MAC address of the Linksys router they are used to seeing. That should be a reason why the Juniper cannot connect either.

Now there is no problem to put the Linksys router between the modem and IPCop and still have VPN working. That could be a solution, but then you have to define a default LAN server in the settings of your Linksys router.

Author

Commented:
Ok the only thing I was doing with the Linksys router was to test to see if I could get an Internet connection with it in place of the IPCop box.  So with the Linksys router I tried and the modem is the one provided by the ISP (in this case Cablevision) that has to stay in the setup:

1: host  10.0.110.27---switch---10.0.110.42 Linksys 108.58.54.66---108.58.54.65 modem --->Internet
                                                                 (connects to Internet fine)

The configuration for IPCop that I am trying to do is exactly the same as above except you replace the Linksys with the IPCop box.  So it would look like this:

2:  host 10.0.110.27 ---switch--- 10.0.110.42 IPCop 108.58.54.66 ---108.58.54.65 modem--->Internet
                                                               (No connection to Internet)

With the IPCop setup, I can ping 108.58.54.66 & 108.58.54.65 with no problem.  The DNS servers that were provided to me by the ISP (167.206.7.4 & 167.206.254.1) are where I have the problem pinging.  Those lie on the other side of the modem provided to me:

2:    Internal network <--- 108.58.54.65 modem ---> DNS Servers (167.206.7.4 & 167.206.254.1)

Hope this clears it up.

Commented:
The only difference between the Linksys router and IPCop, as seen from the cable modem, is their MAC address. So is it possible that the cable modem refuses to connect any other device than the Linksys router according to its MAC address? Are there firewalling features in that cable modem? Can you surf to any web interface (http/https) at 108.58.54.65?

Try to set up the RED interface of IPCop as DHCP and connect it then to the LAN side of the Linksys and let's see if that works.

Author

Commented:
I don't use the Linksys with the IPCop together.  It's either one or the other.  I only mentioned the Linksys because using that I can connect to the Internet with the host computer.  The Linksys is not even in the picture for what I am doing with the IPCop.  Where I labeled modem in my outline in the above message, that is not the Linksys, that is the cable modem that is issued by the ISP.

Commented:
I just proposed that you connect to the Internet with both devices for debugging purposes.

If you don't want to do this, then the only track left over is to see if the cable modem restricts the access for some MAC addresses.

Author

Commented:
As far as the cable modem restricting certain MAC addresses, it doesn't do that apparently.  I checked with the ISP.  I would not be able to hook the Linksys router in after the modem because the connection coming from the ISP is a coax connection into the modem.

Commented:
Another track: if your IPCop cannot connect directly to the cable modem, try to put a switch (or a crossed cable) between IPCop and the modem.

Author

Commented:
@pfrancois:  I think it is connecting now.  I was going to take the IPCop box and try it at another location that has static IP.  I put the new address into the red interface and was going to take it there.  Something came up and I ended up putting the static IP address that I have at this location back in and for some reason it is now connecting.  Maybe it was something inside the settings that was screwing it up.  I don't even know but I will just keep this open till the end of the day to make sure that it stays up and running and will get back to you.  Thanks

Commented:
Great: keep me informed.

Author

Commented:
@pfrancois  Everything is still working great.  Just have one other quick question if you happen to know offhand.  Do you know if there is any kind of addon for IPCop that will redirect Internet traffic to a Websense server?  I have that option now on a Juniper SSG5 and wasn't sure if there was something like that for IPCop.  I have seen other addons for IPCop like Copfilter and URLFilter.  But wasn't sure if there was a redirector to a Websense server that I already have in place.

Thanks for all the help.

Commented:
I am new to Websense. I went to their website and I see they say they are the best in the world, but they don't explain exactly what they do. You can see that they provide several services: web filtering, mail filtering and "data protection". What the latter means is not that clear to me. Anyway, there is no "Websense addon".

The question is: which kind of traffic do you want to redirect to a Websense server? If you only want to redirect http/https traffic, you have the option to redirect your http/https traffic to an upstream proxy server in:

Services > Proxy > Upstream proxy (host:port) > Save

which can be the Websense http proxy server.

Anyway, a lot of protection is already done by IPCop itself and if you use a VPN, your communications over the Internet will be encrypted in a secure way.

If you explain more to me about the kind of service you expect from Websense, perhaps I will be able to help you to use the tools present in IPCop, but perhaps it is better in that case to start a new topic.

Author

Commented:
It's no big deal.  Just wanted to throw that out there.  It's not something critical to me at this point.  I am good with the way IPCop is working right now.  Thank you very much for the help.
