Migrating from IPCop to IPFire

Since 2008 I have been using the free Linux distribution IPCop to implement a customized firewall/router. Of course, DSL providers also equip their customers with routers, but back then I was missing a couple of functions. To name some of them:

  • IPSec / OpenVPN
  • NTP time server
  • DMZ segmentation
  • WLAN access point with device filter

8 years later, things have changed. Most of these functions are now part of modern routers such as the Fritz!Box - but not of mine. Therefore, IPCop is still a very important part of my network. For 6 years my IPCop has been running very smoothly on a single-board computer by PC Engines: an ALIX.2D13. With a 500 MHz CPU and 256 MB memory, this computer is kinda outdated. In combination with IPCop, the computer did its job quite well while having a low power consumption of less than 10 watts.

IPCop or IPFire?

Unfortunately, the development of IPCop stagnated in the last couple of years. The release of the current major version was delayed back in 2009, which was one of the motivations for the IPFire fork. IPFire version 1 was based on IPCop; the current main version 2 is based on Linux From Scratch, like IPCop, and only uses the web interface of IPCop.

But why IPFire rather than IPCop? Since I was using the ALIX computer for IPCop, I chafed at the bad WLAN hardware support. Back then, I tested a couple of IEEE 802.11n WLAN cards, but no card was supported at a speed higher than 54 Mbit/s. Even the current version doesn't support 300 Mbit/s - although the card supports it.

The IPCop project still refuses to support alternative architectures (e.g. armv5l boards). If I remember correctly, the justification was that many of those boards connect network chips via USB, which is considered to be an unreasonable solution. My personal opinion is that these kinds of boards have been enjoying great popularity in the last couple of years and - because of this - should be considered an important architecture. When checking the market, I see a lot of alternatives to my ALIX board. In spite of its age, the board's price is still the same - around 150 euros. There would be a lot of cheaper ARM boards. I really appreciate that IPFire supports some of these boards.

Goodbye!

Basically, I also disliked the casual conversation in the IPCop community. To name an example - threads by users running virtualized firewalls were closed without further ado. I know, the particular benefits and drawbacks of such solutions are disputable (especially regarding security in production environments) - but simply closing the thread is inappropriate and really unfriendly. I really have to admit that IPCop is too restrictive and conservative for my taste.

IPFire on the ALIX.2D13

Finally, I decided to go for IPFire to upgrade the legacy 54 Mbit/s WLAN. Basically, the project names the following minimum requirements:

  • i586-compatible CPU with 1 GHz, alternatively a supported ARM board
  • 1 GB memory

[Figure: IPCop memory consumption]

In accordance with this, the ALIX.2D13 lacks resources because it only offers a 500 MHz CPU and 256 MB memory. In the official IPFire forum I spotted some signatures telling me that the board is still suitable for running the most recent version. I also talked to the users in the IRC channel (#ipfire on irc.freenode.net). They told me that the board might still be usable when disabling some of the services such as the proxy server or the IDS system.

Besides conventional ISO images, you will also find prepared images for devices with a serial console in the project's download area. You will need such an image for some ALIX products, as some of them are missing VGA ports. After backing up my previous IPCop installation, I flashed the most recent image onto the CF card of my ALIX. Happily, the installation was very easy - it reminded me a lot of the IPCop process. The overhauled web interface adopted from IPCop also simplifies the migration. The equipped 300 Mbit/s WLAN card of my router worked out of the box - bloody brilliant!

Conclusion

[Figure: IPFire memory consumption]

Focusing on the performance for 2 weeks, I was unable to see any worsening. I copied some system graphs from IPCop and compared them with IPFire. As already mentioned, I'm not using any proxy servers or IDS services. In comparison with IPCop 2.x I can see a slightly higher memory consumption - but more of the memory is also used for caching. So - even if the IPFire project recommends more hardware resources, an ALIX.2D13 board can still be a good firewall for smaller networks if you disable some services. In my network, I'm serving about 20 clients - but for bigger production environments I would go for more powerful hardware.

I was kinda amazed that a nearly 10-year-old board (production began in 2007) can still be used as a router. It's also cool that the hardware survived the long-term usage at all. Somewhere in the future, I'm thinking about upgrading to an apu1d4 board, to focus on proxy servers. Especially the possibility of using an mSATA SSD would be great in this use-case.

If you're looking for a more innovative Linux distribution for routers, you really should have a look at IPFire.
