Never Ending Security

It starts all here

Installing IPCop as a Virtual Machine on Proxmox VE


This is how I virtualized my IPCop installation on the Proxmox VE hypervisor. This how-to assumes you already have a running Proxmox VE host. If you want to try Proxmox VE click here. The other requirement is two physical network cards installed on the Proxmox host, or three if you intend to set up a DMZ.

After downloading the latest IPCop installation ISO, I have to upload the ISO to my Proxmox host's local storage.

From the Proxmox web panel click on local (proxmox-name-of-your-proxmox-host). Then click the Content tab, then Upload, which brings up the upload window. Browse to the location of the downloaded IPCop ISO, then click Upload.

upload ipcop to proxmox

Creating a Linux Bridge

This is the part where I miss using the VMware ESX control panel to assign virtual switches and nic cards. The Proxmox web interface has the ability to create Linux Bridges and OVS switches for virtual machines to use, but the configuration I am going to use can't be done through the Proxmox web interface. This has to be done through the command line.

Note: I found it easier to keep the other physical network cards unplugged except for one nic card, which will be used by the Proxmox web control panel. As I created each virtual bridge, it was only then that I plugged in the associated nic card. This made it easier for me to identify which physical nic card to assign to each virtual bridge added.

The image below shows starting with one plugged in nic card.

one nic plugged

I prefer to use vi when editing files, so I had to install it first.

apt-get install vim

Connect to Proxmox host using SSH.

ssh -l root proxmox-server-ip

What the following bridge settings mean.

bridge_stp off # disable Spanning Tree Protocol

bridge_fd 0 # no forwarding delay

bridge_ports eth0 # which nic card to attach

Move to the network directory.

cd /etc/network

Edit the interface file.

vi interfaces

Copy and paste below after any configuration already in there.

## this is for IPCop WAN nic

auto vmbr1
iface vmbr1 inet manual
bridge_ports eth1
bridge_stp off
bridge_fd 0

Save and exit.


Each time a network bridge is created a reboot is needed to apply new settings.

# reboot

After Proxmox reboots your network settings should look similar to mine.  The IP address for vmbr0 and gateway settings have been erased for security reasons.  vmbr1 settings for Port/Slaves, IP address, Subnet mask and Gateway are intentionally left blank.  This is to make sure any network traffic coming through vmbr1/eth1 will pass through IPCop WAN virtual nic.

bridge network

My IPCop topology created using this free online drawing tool.


Create IPCop virtual machine

From the top right corner of web interface click on Create VM.  Name the Virtual Machine.  Click next.

ipcop vm name

Choose the new Linux versions. Click next.

ipcop linux version

I am using the default storage called local. This will be where my virtual machine images will be stored. From the drop-down choose the IPCop ISO we uploaded earlier. Click next.

ipcop iso

Hard disk settings.  Bus/Device is set to use IDE.  When I tried to use VirtIO, IPCop was unable to find the hard disk during installation. I picked raw format for speed.  Click next.

hard disk ipcop

For CPU type I am using KVM32.  Why I went with kvm32 click here.

ipcop cpu type

Allocate memory.  Click next.

ipcop memory

Add nic card for LAN (GREEN) use.  I am using the Intel E1000 model to make it easier to identify which nic card to assign for GREEN use. Click next.  Then click finish.

ipcop lan nic

Now add the WAN (RED) nic. Click on the IPCop vm, then the Hardware tab menu. For the bridge, use the vmbr1 we created earlier. For the nic card model use Realtek RTL8139. Click add.

wan ipcop nic

This is what my hardware looks like.  Mac addresses erased for security reasons.

hardware summary

Click on Start in the top right menu to start the IPCop VM. The status should show OK on the task panel below. Status will also show resource usage. To complete setup we will need to connect to the VM using the console. Click on Console, which brings up the IPCop boot screen. Click inside the console window, then press the Enter key on the keyboard.

Note: if console window only shows white blank screen just click reload.

ipcop boot screen

Choose language.

choose ipcop language

Click ok to begin installation.

start ipcop install

Choose keyboard setting.

ipcop keyboard setting

Choose timezone and set correct time.

ipcop timezone

Accept the hard drive to install on. When asked whether you are sure you want to continue, choose Ok.

ipcop hd

This will be a Hard Disk install.

hard disk ipcop

Installation begins.

ipcop install progress

We’re not restoring from backup, so tab to skip.

skip backup restore

Install done. Press Enter.

install completes

Choose a name.

ipcop name

Enter domain name.

domain name

Choose static. This depends, of course, on how your WAN is set up. Mine is a static IP.

choose static

Network Card Assignment

This is why I wanted to use two different nic models, so I could easily identify which nic card to assign. I already know bridge vmbr0 is using eth0 on the Proxmox host. This is also where the Proxmox web interface is listening.

The Realtek virtual network device will be assigned to WAN (RED). Choose select then RED. Tab to assign.

red nic

Do the same for the Intel Card but this time assign it to GREEN for internal LAN use.


When all cards have been assigned tab to Done.


Assign Internal IP for GREEN interface.

internal ip

Assign WAN IP for RED interface.

wan ip

Assign DNS name servers to use and WAN gateway.

wan gw

Skip enabling DHCP unless you need it activated for your LAN.

skip dhcp

Create password for the next three screens for each IPCop user account.


Installation is finally done!


After IPCop reboots login on the console to test if you can ping an internal IP and WAN IP.  Login as root.

You should be able to ping out to an external IP.  I am pinging Google’s nameserver below.

ping out test

I am also able to ping an internal IP.

ping success

I now have a functioning IPCop firewall.  But what if I wanted to add another nic card so I can place some hosts in DMZ?

Adding an IPCop DMZ

Here is one of the reasons it is good to use a DMZ network.  NY Times Article.

To make this work I had to add another physical network card on my Proxmox server.  I then had to add another bridge for DMZ use.

Again we have to edit the file.

vi /etc/network/interfaces

Adding this right below the vmbr1 we created earlier.

## this is for IPCop DMZ nic
auto vmbr2
iface vmbr2 inet manual
bridge_ports eth2
bridge_stp off
bridge_fd 0

Save the file.


Reboot Proxmox host.

Checking the network configuration on our Proxmox host you will find a new bridge called vmbr2.  With the associated physical nic eth2 showing it is active.  We now could assign this to our virtual IPCop firewall.
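
The point made earlier about vmbr1 (IP address, subnet mask and gateway left blank so traffic on that bridge only passes through to the IPCop virtual nic) applies equally to the new vmbr2. As an added example that is not part of the original how-to, this shell function audits an interfaces file for both bridges. The function name check_bridge, the sample file and its documentation-range addresses are assumptions made for this example.

```shell
# Added example: confirm the WAN/DMZ bridges carry no host IP configuration.
# check_bridge FILE BRIDGE -> prints findings, returns 0 if pass-through only
check_bridge() {
    awk -v br="$2" '
        $1 == "iface" {                      # start of an iface stanza
            in_br = ($2 == br)
            if (in_br) { seen = 1; method = $4 }
            next
        }
        $1 == "auto" || $1 ~ /^allow-/ || $1 == "mapping" { in_br = 0; next }
        !in_br || $1 ~ /^#/ { next }         # other stanzas and comments
        $1 == "address" || $1 == "netmask" || $1 == "gateway" {
            print br ": host " $1 " " $2 " set on this bridge"; bad = 1
        }
        $1 == "bridge_ports" || $1 == "bridge-ports" { ports = $2 }
        END {
            if (!seen) { print br ": no iface stanza"; bad = 1 }
            else if (method != "manual") { print br ": method " method ", want manual"; bad = 1 }
            if (seen && (ports == "" || ports == "none")) { print br ": no physical port"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample (documentation-range addresses); vmbr2 is deliberately wrong.
sample_config() {
    cat <<'EOF'
auto vmbr0
iface vmbr0 inet static
    address 192.0.2.10
    gateway 192.0.2.1
    bridge_ports eth0
## this is for IPCop WAN nic
auto vmbr1
iface vmbr1 inet manual
bridge_ports eth1
bridge_stp off
bridge_fd 0
auto vmbr2
iface vmbr2 inet static
address 192.0.2.129
bridge_ports eth2
EOF
}

# Audit the file given as $1, or the constructed sample when none is given.
cfg=${1:-$(mktemp)}; [ -n "${1:-}" ] || sample_config > "$cfg"
for b in vmbr1 vmbr2; do check_bridge "$cfg" "$b" || true; done
```

Run it against /etc/network/interfaces on the Proxmox host after each bridge is added; no output for vmbr1 and vmbr2 means neither bridge gives the host an address on the WAN or DMZ segment.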


Go ahead and shut down the IPCop vm; we will then add a virtual nic from the hardware tab menu. I am adding another Intel E1000 model for this virtual nic, which will be attached to the physical nic card eth2.

dmz nic

Go ahead and start the IPCop vm to set up our new virtual nic card. Log in as root on the console. Then type setup > enter.


Scroll down to Networking.  Tab to select.

networking setup

Scroll down to Drivers and card assignments.  Tab to select.

assign card and drivers

There is the unassigned Intel card.  Tab to select.

assign intel

Scroll down to Orange.  Orange in IPCop speak is the color assigned to DMZ zones.  Blue as you guessed it is assigned for Wifi hot spots. Tab to assign.


All 3 virtual nics should be assigned.  Tab to done.

all cards assigned

Now we will need to add an IP for the Orange nic card.  This IP will be used as a gateway for any computers or devices which are connected to the Orange switch or Hub.

Scroll down to Address settings.  Tab to select.

address settings

Select which interface to configure. Tab to select.

orange ip

Put in an IP from any of the private class ranges. Tab to Ok. Then tab Go Back > Go Back. Then exit setup.

class b

You should be able to ping the IP in the Orange zone.

ping replies

Connecting to IPCop web interface

With our networking setup done, it is time to connect to IPCop from the web browser. IPCop uses port 8443. Point your browser to your IPCop’s IP address (GREEN). (Your browser will prompt you to accept an unsigned certificate. Go ahead and accept the IPCop certificate.)

If you need to change the IPCop default GUI port to something other than 8443, you can do so on the command line. The command below will change the port to 5445.

/usr/local/bin/ --gui 5445

Log in using the credentials you created earlier to manage IPCop; this would be admin.

First thing I like to do after I login is to check for IPCop updates. From the System menu > updates.  Here it shows I have three updates to apply by clicking on the green down arrow beside each update. Then click apply.

ipcop updates

After applying all updates I want to check if there are any ports open through IPCop going into my LAN. First I will change the gateway setting on my Mac to use the IP address of the GREEN zone which was

mac gw

Using this website I can scan my IPCop WAN IP. In this example I was using IP  Below are my results; if a port were open, a green indicator would show next to the port number.

scan results

Checking my IPCop firewall logs the DROP scan results show up.

drop results

Looking at my IPCop virtual machine’s status from the Proxmox control panel, I can see very low resource usage. I even reduced my original memory allocation of 2.5 GB to 1 GB.


There is also a nice real time view for CPU, Memory, Network and Disk IO usage.  Available for each virtual machine.


This is the part I really like about the Proxmox hypervisor: I am able to back up a running virtual machine without shutting down the vm. It will still be accessible while the backup snapshot is in progress. Yes, this feature comes free with the Proxmox hypervisor, unlike free versions of ESX. There was a time I had to use a commercial tool from Trilead to back up my virtual machines on free ESX. Not anymore!

When I did a backup to my nfs storage.

nfs storage

It took only 21 seconds to complete a backup of my IPCop vm.

backup time

Looking at the real space being used by my IPCop vm tells me I could have allocated a smaller hard drive space when I created my virtual machine earlier. If I was using qcow2 I could resize the virtual disk from the web control panel. Why did I decide to use the raw format? This was based on what I have read on the Proxmox support forum: if you want performance speed, use the raw format.

I hope this will urge you to virtualize IPCop using the rock solid reliable Open Source bare metal hypervisor called Proxmox VE.

This concludes the tutorial Installing IPCop as a Virtual Machine on Proxmox VE.

