How-To build a Diskless Home Firewall & Family Friendly URL Filter for $78

Preface

I’ve been wanting to update my IPCop Firewall for quite a while. My current IPCop firewall box, on an old no-name computer I picked up for free about 5 years ago was starting to fail. Noisy CPU and case fans, hard drive clicking, and then the finally a hard drive failure to boot put the nail in the coffin. It was Sunday morning. I needed something cheap, quiet and power efficient that could run my firewall.

Getting the Bits and Pieces

Figure 1. ‘Acer’ IPCop Firewall, Web Proxy and URL Filter.

I’ve been attracted by the low profile form factor of the Acer line of desktop computers you see in OfficeWorks. However, $400-500 for a brand new PC that was just going to end up a firewall, was not in my budget. I had priced a new low profile (I mean even thinner than the Acer’s) case at a PC shop about a year or so ago, which at the time was somewhere over the $100 mark. Not sure who would be open on a Sunday, I headed down to the nearest Ed’s PCs. Thankfully, they were open. Unfortunately, no low profile new cases were in stock. However, sitting out the back in the service area were a couple of Acer low profile PCs that looked like they had been discarded.

I asked if we could check one out to see if at least it displayed the BIOS. We opened up one box. It was an ACER AX3960 (Core i3, circa 2011). There was no hard disk, optical drive or RAM. After some fiddling around with connections to a keyboard and monitor, adding a stick of RAM, and firing up the power, we got the BIOS to display, prompting us to choose the correct boot device. I was at least in business. Now for the next problem.

Figure 2. IPCop Firewall Distribution logo.

For those not familiar with it, IPCop Firewall is a free Linux firewall distribution. It is geared towards home and SOHO users. The IPCop web-interface is very user-friendly and makes usage easy. IPCop allows you to setup up to four network interfaces – RED, GREEN, BLUE and ORANGE – which requires a corresponding Ethernet Network Interface Card (NIC) for each. My installation would require just the RED and GREEN network interfaces – RED to interface with the connection to the big bad world outside (via my Modem/ADSL Router) and GREEN to interface with the trusted network sitting behind the firewall. I would therefore need just two NICs. The ACER box had one integrated Ethernet port, which was great. However, being a small form factor, there were only two slots on the motherboard for add-on cards. A PCI Express Card slot and a graphics card slot. The PCI Express slot had a TV card in it, which I could do without. However, Ed’s PCs had no low profile PCI Express network cards in stock, but they said another store may have one. For now, I’d have to look elsewhere. The sales rep threw in an old 500GB drive, and for $40 I walked away with the foundation of my new firewall. At 10cm wide and around 26cm tall, it was quite compact for a PC and ran very quietly.

Once I got home, I wanted to see if I could at least get the IPCop setup to run on the Acer. First I tried installing IPCop from a USB memory stick, but couldn’t get the Acer to boot it. I would need an optical (CD/DVD) drive. However the Acer was SATA interface only, and I had no spare SATA optical drives hanging around. So my project would have to wait.

The next day I headed over to another Ed’s PCs, hoping to pick-up a low profile NIC and perhaps a second hand SATA optical drive. I was in luck. They gave me a second hand Lite-On SATA optical drive for $5. But they had no low profile PCI Express NICs in stock. However, the sales rep suggested an alternative. A USB-to-Ethernet adapter. The Acer was full of USB ports – six in the rear and five in the front. So for $25 I grabbed an adapter, with the assurance that if it didn’t work I could bring it back. While I was there, the rep made mention of a NAS (network attached storage) box he had setup for their shop. It ran off a USB flash memory stick. I started wondering, after my failed hard disk drive, if some kind of flash drive could work in my IPCop box.

Figure 3. SanDisk Ultra microSDHC UHS-I Card with Adapter acting as an IPCop flash drive.

Realising the Acer AX3930 actually came with an integrated SD-Card reader, on the way home, I called in at OfficeWorks and picked up an 8GB Class 10 SanDisk Ultra MicroSDHC UHS-I card (48MB/s) for $8. This would now become my diskless IPCop box. Things were looking good.

Assembly and IPCop Installation

Once home, I installed the optical drive, left out the 500GB drive I had picked up the day before, and instead, inserted the microSD-Card in the slot on the front of the Acer box. I screwed it all back together, inserted the USB-to-Ethernet adapter in one of the USB ports, connected the Ethernet cables, inserted the IPCop installation disk I had burnt earlier from the latest IPCop ISO image, and fired up the box. IPCop booted from the optical drive, and prompted me for the storage media location, offering the SD-Card as the only option. To my delight, IPCop installed on the card without a hitch.

When I was prompted for the network interface cards, again to my delight, the USB-to-Ethernet adapter was recognised. It was listed as an Asix device, a company with experience in embedded Ethernet systems. Once I had chosen the interfaces for the GREEN and RED networks, installation proceeded as per usual.

Figure 4. Asix USB-to-Ethernet adapter acting as the IPCop RED interface.

Connecting the GREEN Network

If you only have one computer that you want connected to the IPCop firewall, you would simply connect the GREEN interface port on the IPCop box to the ethernet port on your PC. However, I would be connecting multiple devices-both wired and wireless-to the firewall. I would need some kind of wireless access point and Ethernet switch. For my setup, the interface of the GREEN network connects the Acer IPCop box to a TP-Link Wireless N Router. I couldn’t find a wireless switch with Ethernet LAN ports, so the TP-Link router was my next best option. Along with Wireless N capability, the TP-Link comes with four Ethernet LAN ports and a one WAN port.

Figure 5. TP-Link Wireless N Router (Model TL-WR740N)

With this router, there were two ways I could connect the GREEN network to the IPCop box. The first would be to connect via the WAN interface on the wireless router, and enable the router’s inbuilt DHCP service in order to assign addresses to devices on my network. Alternatively, I could disable the DHCP service in the wireless router, and connect the GREEN Ethernet interface to one of the four LAN ports on the TP-Link, effectively using the wireless router as a ‘switch’. I would then enable the DHCP service on the IPCop box to assign addresses to the devices on the GREEN network. I chose the second method. This method lets IPCop assign addresses to all devices – wired or wireless – including PCs, tablets, phones and wireless printers we have set up in our home. The IPCop web interface firewall management page allows me to see every device connected to the GREEN network, and manage each devices access to the network explicitly.

Proxy Server and URL Filter

I was pleasantly surprised that within 20 minutes of arriving home, I now had a working IPCop firewall. I spent a few more minutes enabling the transparent proxy server on the IPCop box through the easy to use web interface. I then enabled and customised the included URL Filter. I’d used Cop+ in the past, which brings Dansguardian, a very good free web filter, to IPCop. However, with the latest updates to IPCop, Cop+ no longer works. So the URL filter is the next best thing. While it doesn’t offer dynamic scanning of pages for banned expressions, like Dansguardian did, it does scan on URL’s, including terms entered in internet searches. With three kids in the house, my main concern here was ensuring any adults only stuff stays outside the firewall. ;-)

Conclusion

My ‘new’ Acer IPCop firewall with URL filter, runs quietly, is energy efficient, diskless, and, with its low profile, sits nicely out of the way.

Figure 6. My ‘Acer’ Low Profile IPCop Box next to a can of Beans for comparison purposes. ;-)

Project Costs

IPCop Firewall – $0
Acer AX3960 second-hand box with Core i3 motherboard, 1 module of 1GB RAM – $40
Ethernet-to-USB adapter – $25
Optical drive – $5
8GB SanDisk microSDHC Card (48 MB/s) with Adapter – $8
TOTAL COST: $78

Note on Green Network

For connecting more than one PC or device on your home network to the GREEN interface on the IPCop firewall, you could use any old router or switch you have lying around. I was using an old Linkys WAG200G ADSL router, with DHCP switched off. But it was only a wireless class G rated at 54Mb/s max. The TP-Link being a wireless class N router is rated at 150Mb/s. In practice, Windows shows it running at 73 Mb/s. Still it’s faster than the Linksys. My cost for the TP-Link Model TL-WR740N was $39.