This guide covers installing IPFire and includes the items you will need configure to during installation. The procedure will take about 10 to 15 minutes depending on the speed of your computer.
If you have any questions that aren't covered here, please check the the IPFire forum.
During installation, IPFire will ask you questions about your network and your setup. The default configuration is safe for most situations, but you may change it as requred.
Before starting, make sure that your hardware is compatible with IPFire.
Next download IPFire and choose the installation method that best suits your environment. This guide covers installing IPFire with a CD as it is the most popular method.
Installation via USB drive is actually the same as the CD based installation. Another very simple method of installation is the PXE installation.
There is a short video tutorial by Aaron Philpott which explains the installation process. If you don't want to read, watch it over here: https://www.youtube.com/watch?v=u7-qKaI78TM
Burn the ISO to a CD, and then boot the computer with the disc in the drive. You may need to configure your BIOS to boot from the CD drive.
When the installation starts, the first screen will ask you to choose your display settings.
Usually accepting the default setting works fine.
The boot options are:
If your monitor doesn't support 1024×768 pixels, enter novga.
First, you have to prepare the USB drive
If you are installing from one USB drive onto another USB drive, in some cases the BIOS may be unable to find a boot device. If this happens, just start the installation without inserting the second USB device. After the welcome screen appears, connect the second USB device and IPFire should complete the installation without any problems.
After a few seconds, you will be presented with a screen where you can decide the language for the installation and the web interface. Use the arrow keys to move around the available languages, and the enter key to select one.
If you want to translate IPFire into a language which is not yet supported, please contact the developer-team at “firstname.lastname@example.org”.
On the next screen you will see a welcome screen in your chosen language. You'll be informed that if, at one of the following screens, you press “Cancel”, the setup will be aborted and the PC will be restarted.
Next, you will be advised that all data on your hard drive will be erased and that the hard drive will be prepared for IPFire.
Danger! Any file system and current data on the target drive will be permanently deleted and replaced by the IPfire File structure
Note: Because accidentally selecting the wrong disk could result in data loss, it is a good idea to disconnect all disks except the one where IPFire will be installed.
Next you must choose the filesystem to use. Available options are: Reiser4, ReiserFs, ext3 and ext4. The default is ext4, but many installations run on ext3, so it is safe to select this if you are unsure. Some of our developers see Reiser4 as a better choice for larger environments.
If you need more information, please contact the developers in the forms
Important! If your target drive is small, the install process will warn you, but will allow you to continue. Be careful if you continue, as the install may abort at any time if the disk fills up completely (In this situation, there could be incomplete installation tasks, or a very small swap partition which could harm performance)
Now the hard drive is being partitioned and formatted for real. This process can take several minutes depending on the size of the hard drive. After this, the system files will be unpacked on the hard drive.
After the copy process has completed the CD is ejected and should be removed from the drive.
On the next screen the keyboard layout and the timezone need to be selected. If you're unsure of the layout to use and are using an English installation, keep the default “us” keyboard.
When the keyboard layout and timezone have been chosen, continue with configuring the “hostname”. This is the name IPFire will be known by on the network.
Important! If your network will be working with VPNs, it is necessary to use a different name for each IPFire machine.
Important! The name “gateway” is reserved and can not be used.
Since you must have a domain-name, it will be asked for on the next screen. In a default installation this is “localdomain”. If you own a domain, please enter it here.
Once you have finished this, continue on setting the passwords.
Important! As a security measure the password you type will not be displayed on the screen. If you make a mistake, use the backspace key.
Here you are asked to enter the root password twice to confirm that it matches. Type the password, press Enter, type it again and press Enter a second time.
The root account is the superuser account in linux. Use this account when logging in to a console to make major changes to your configuration.
Tip You can run setup again (and, if necessary, change passwords) by logging in to the “root” account and entering “setup”.
You will be asked for the web interface admin password in the next screen.
Important! For security reasons the admin account should not use the same password as the root account, even if you are the only administrator of the IPFire system.
For more tips on passwords, please read here.
Now you are getting to the heart of IPFire, the setup of the network. As described in the preparation steps, you should already know how your own network will be set up in the following steps.
In a standard IPFire installation it is Green + Red, which means 2 Networks. Typically you have one network for your home computers, your Green network, and then an Internet connection for the other network, your Red network.
A maximum of 4 networks is possible - namely Green, Blue, Orange and Red.
|Red||WAN||External network, Connected to the Internet (typically a connection to your ISP)|
|Green||LAN||Internal/Private network, connected locally|
|Orange||DMZ||The DeMilitarized Zone, an unprotected/Server network accessible from the internet|
|Blue||WLAN||Wireless Network, A separate network for wireless clients|
When using Blue, it is recommended to assign it to a nic and connect a separate access point to it. Still it is also possible to assign a supported wireless card Blue status but the “hostapd” add on will be required to handle wireless connections.
All of the previously chosen networks must have a network interface card (NIC) assigned. In some cases, you may not have a NIC to assign to Red – for example when using a dialup modem. For more information about the different linktypes, see here. If you know what MAC address is related to which NIC you can assign them now.
In the simplest network, Red and Green, you basically have a 50/50 chance. The easiest thing is just assign one to each, if you can't ping out from your IPFire installation, change the network cables and try again. Keep in mind that you may have to reset your ISP's equipment (cable modem, etc.) before it will recognize a new device. A different NIC counts as a different device.
Assign addresses to your network interfaces. Any valid IP address reserved for a LAN will work here (like 192.168.*.*). It is standard practice for the interface to be on .1 of the range for a local network. Here you must configure your networks and subnet masks. A standard setting for a Green interface would be 192.168.0.1 with a subnet mask of 255.255.255.0.
Important! Don't use IPs twice! Also, the IPs of the different interfaces must not be in the same subnet. As an example: Red=192.168.2.X, Orange=192.168.1.X, Green=192.168.0.X)
This warning can be ignored when installing from a physical CD, since you are not yet connected to a network. You will have to take care when modifying networking settings afterwards from a remote shell using the command “setup”.
The “Red” interface is special because its configuration depends on your ISP and the way it configures your external connection (your Internet connection).
Depending on your connection type you must setup your corresponding details. If you are unsure, try DHCP. If necessary, get the required settings from your ISP, such as which type of authentication is required, and what authentication credentials (if any) you will have to provide.
In addition to specifying your connection type you might have to set up your Gateway (the next hop after your IPFire) and most probably your preferred DNS (Domain Name Service) servers. If you've selected DHCP in the previous step, then these values will be configured automatically, so no need to specify them here.
The last thing to configure is the DHCP (Dynamic Host Configuration Protocol) Server for the Green Interface. You just have to enable the DHCP server by enabling the tick within the brackets and enter the start and end values of your desired IP range. A widely used range is 192.168.0.2 and 192.168.0.254 so type it into the corresponding fields unless you prefer another IP range. You can not use the IP Address of your Green Interface and also the last IP of your green network range. P.e. for your 192.168.0.0/24 network it is 192.168.0.255 you can not use. You can narrow always it down to a smaller range if you do not plan to use that many PCs in your green network, or to reserve space for static IPs. These settings can always be changed later using the command line program “setup”.
You have now reached the end of the installation procedure.
You are not done yet, but you have completed the largest part of the configuration.
Note: If you are unable to reach the Web-Interface after installation, or if you wish to make changes in the future, log on to the console and type: setup. From there you can check your configuration for errors and make changes.
If you install IPFire on a USB Stick or on a USB harddisk, the installer will recognize the device as sd(X). After a reboot it is possible that udev renamed the device to ub(X), which is very unlucky because neither grub.conf nor fstab are correct at this point. If this problem occurs, first take a note of the new name of the USB-device (mostly uba). After that, you can take the easy way and start the installation once again and before you reach the point where the installer prompts you to reboot, press ALT+F2 to change to the console. In /harddisk you should still be able to see the current target-harddisk. Now rename all entrys sd(x) to ub(x) in the file /harddisk/etc/fstab. Repeat this for the file /harddisk/boot/grub.conf (can also be done with edit at boot-time). Now, change back to the installer and reboot normally.
The faster and a “little” harder way is to start the installer but to abandon a new installation. Instead, mount the target harddisks with the console (ALT+F2) and apply changes just as described above under fstab and grub.conf (you should have some experience using mount and umount).
Alternatively it is possible (on some systems necessary), to copy IPFire directly to a flash card. On the download page there exist dedicated images. For Intel (Alix) and ARM ( Dreamplug ) find the following examples. For other systems use these as templates.
The Alix Board is an embedded PC by the swiss manufacturer PC Engines based on a AMD Geode LX CPU. The main advantage of using such an embedded system is the decreased amount of power your router consumes. An Alix Board consumes about 5W at a voltage of 12V DC. Because most of the boards 'only' have a console ouput via RS232 (rather than an expensive video output) the installation procedure of IPFire on an Alix-board is quite worth an article.
First of all you should get the latest image for the Alix-board : Downloads. The name of the image is “ipfire-2.15.1gb-ext4-scon.i586-full-coreXX 1).img.gz”. As you may have noticed the filename already tells you that this image fits on a at least 1GB-CF-Card and that it uses the file-system ext4. The Image does an autoresize at first boot so it is suggested to use larger cards. (1GB is ok for testing but cannot updated to new versions) As already mentioned above, Alix Boards have been designed to boot from flash memory (e.g. CF Cards). Flash memory is very sensitive in terms of writing procedures on it. Therefore we need a special file system which extends the life expectancy of your CF Card dramatically. Ext4 (with disabled journal), is the file system that's used in this special 'embedded' edition of IPFire, minimizes the access to your flash memory because this filesystem hasn't got the so called 'journaling' features that cause a lot of access to your harddisk or flash memory.
To avoid a lot of trouble with faulty downloads you should check your image's md5 hash, using a tool of your choice. You'll find the checksum for the image by appending the suffix '.md5' to the download URL.
Depending on the OS you use, there are several possibilities how to get the image onto your CF-Card.
OS independent steps
The most comfortable way is using physdiskwrite, a tool written by Manuel Kasper the main developer of the m0n0 Project Put all the files you need (physdiskwrite.exe, ipfire-2.11.2gb-ext2-scon.i586-full-coreXX.img.gz) into a folder. Then open the command-line interface and go to this previously created folder (useful commands: dir, cd) and execute 'physdiskwrite ipfire-2.11.2gb-ext2-scon.i586-full-coreXX.img.gz'. Physdiskwrite will ask you onto which device you want to write the image.
Important! Be careful, if you enter a wrong number, physdiskwrite could destroy data on your computer's hdd!
The process may take a while, so get yourself a coffee and enjoy the show.
Put your CF-card into your cardreader. With the command “tail -f /var/log/messages” you can find out as which device the card is recognized in your system. It is important to know if the card is named sde, sdf, sdc or something similar. You can exit this view by pressing Ctrl+C.
In Ubuntu / Kubuntu you will get root by entering “sudo su -”. In this case, a simple “sudo” wont work because we will access the hardware directly. With
zcat ipfire-2.15.1gb-ext4-scon.i586-full-coreXX.img.gz > /dev/sdx
the image will be written to the CF-Card. Please remember to substitute the sdx with the output of “tail -f /var/log/messages”.
Important! Be careful, if you enter a wrong device name, zcat could destroy data on your computer's hdd!
This procedure will take about 20-30 minutes, depending on the speed of your computer.
Put the finished CF-card into the Alix-board. Connect a cross-link-cable to the Alix-board and the other end to your computer. Start the minicom program ( or any other terminal program ) on your computer and set it so it can talk to the Alix-board:
Enter Ctrl+A followed by the z-key to get into the main-menu. Enter the configuration with “O” and then “Serial port setup”. Here you will see the settings for the serial connection. Press “e” to set the transfer-speed to 115200 (the E-key). Now you see that the baudrate 115200 is marked. Press enter several times to exit the menues. Remember to select the right serial device!
With Core update 56, the baudrate has been changed to 115200. Please, check and change it, to have a proper output. Look above for the correct instructions. The Alix board itself has a default of 38400. Therefore to watch the whole strartup or to change BIOS parameters you have to change this also. The manual of PC Engines describes how to do that. Either you press 'S' during the memory test or, much easier, press the little push button S1 near the CF slot when you switch power on.
This means, for the first start of the Alix board you must set minicom baudrate to 38400. With this you can invoke the menu of the Alix BIOS to set the 115200 baudrate. After leaving the menu, just switch mincom back to 115200 and you can follow the IPFire boot messages.
Turn on your Alix-board and watch what is happening on your screen. The Alix-board transfers what it announces to the serial connection and minicom shows you what is arriving at the computer.
You will see the Alix-board starting up, followed by boot of Linux. At first start, the initramdisk will be rebuild and 'setup' will be started to configure the basic settings. You will be asked for the keyboard layout and more. Its also important to assign your network-cards (for red, green, orange and blue).
The red connection leads to the internet, where you can get all sorts of potentially bad things. Because of that, we chose the signal-color red.
The green connection leads inwards to your local network (to your computer or switch). Nothing harmfull can come from here, hence the color green.
The color orange tells us that here is something that needs our attention - your server, which is connected totally free without any protection to the outside world.
Blue symbolizes the sky….the air, through which your wireless LAN transports its data…in a radius of up to 300 meters everyone can see your WLAN and could try to penetrate it. Hence, it needs special care and attention when configuring it.
Now you have configured your connections with the functions they will fullfill in the future.
Next, it is important to activate and set the DHCP server. Please pay attention to that the used IP range must fit the IP address of IPFire on Blue and Green. If the router has the IP address 192.168.0.1 f.e., the IP range must be 0 (the second last number). The IP range is something like a department of a company. One department cannot see the other and because of that the IP ranges must be the same. Therefore the DHCP-server should assign IP addresses from 192.168.0.x to 192.168.0.y
At startup you will see several error-messages, which you can ignore, because the setup is made for CD installation and the scripts want to stop service tasks that have not been started.
It should startup fine once you put power on the device. Once it is started, you should be able to access it on the address you gave it in the setup. For this example let's assume the address is 192.168.0.1 . The webserver will be listening on port 444. So just enter the following into your webbrowser
and press ENTER. Now you should see the web-interface. You will be prompted to accept the certificate. Your browser needs this certificate to classify the webserver as trustworthy and to allow to view the pages.
Now you can look at the webpages and amongst others enter the data for your internet-provider….
Have fun !
First, you need an SD or a USB drive. Plug it into your favorite computer. Download the image (see http://wiki.ipfire.org/en/hardware/arm/kirkwood at the bottom of the page) and then copy the image to your drive. IT WILL OVERWRITE ANYTHING ON THE DRIVE.
zcat ipfire-2.11.1gb-ext2-scon.armv5tel-full-core53-beta2.img.gz > /dev/sd?
where /dev/sd? is /dev/sda, sdb, whatever your SD or USB is. It is possible to find out the correct designation with the following command.
tail -f /var/log/messages
Drop first the command and plug then the drive in, the screen should show then which sd[?] it is.
You can change the partition sizes (prior sd?4 = /var) with GParted or something if you like.
This puts a copy of the IPfire image on the SD/USB. However, the DreamPlug will not automatically boot from it. The following instructions tell you how to do that most easily.
Plug your JTag module into the DreamPlug. There are two wires, one marked “JTag”, one marked “UART”. Metal parts go up (there are plastic guides on the bottom side that fit into slots in the hole in the JTag and the DreamPlug). Also, plug the mini-usb into the JTag, but don't plug it into your computer yet.
You never know what port the JTag will come up as.
tail -f /var/log/messages
(or syslog) will tell you. Do that and then plug the JTag module. You should see /dev/ttyUSBx, where x will be 0, 1, stuff like that. This is your port. The message will likely say something about “ftdi_sio”, which is the Linux module that handles the JTag.
Open minicom with the -s option to go immediately into setup:
I find that it is best done as root as you can save your config. Now, set the Serial Device (/dev/ttyUSBx), BPS and parity (115200, 8N1) and be sure to set Flow Control to NONE! ←- Very important. Save your setup if desired, then Exit Setup mode.
Boot the DreamPlug. Allow it to come up to a login prompt. The default login is “root” with a password of “nosoup4u”.
Reboot the DreamPlug and watch for the following screen. As soon as you see “Hit any key to stop autoboot:” (see below),
press a key to stop autoboot. If you miss the prompt, you will have to do this again.
Restarting the system.
U-Boot 2011.06-02334-g8f495d9-dirty (May 31 2011 - 02:06:26) Marvell-DreamPlug SoC: Kirkwood 88F6281_A0 CPU running @ 1200Mhz L2 running @ 400Mhz SysClock = 400Mhz , TClock = 200Mhz DRAM: 512 MiB SF: Detected MX25L1606 with page size 256, total 1 MiB In: serial Out: serial Err: serial Net: egiga0, egiga1 88E1116 Initialized on egiga0 88E1116 Initialized on egiga1 Hit any key to stop autoboot: 0
You will see a prompt that looks like this:
At this point, copy the script at http://people.ipfire.org/~arne_f/testing/kirkwood/uboot-env.txt into your clipboard, then paste it into the screen. This does not modify the internal SD on the device, but changes the boot loader so it will boot first from an attached USB, second from an inserted SD, and last from the internal SD.
You will have the Marvel> prompt again. If you want to just test this boot loader, type
at the prompt. Your system will boot, but on the next reboot, you will have to go through the whole thing again. If you want to permanently change the boot loader, type
and on the next boot, it will search all of the devices as described above.
Assuming you have set everything correctly, you will see IPFire start up and begin the installation setup sequenze.
Note: Minicom does not display the setup screen well. I tried it in VT102 and ANSI and it is just “interesting”. It is also possible to use Putty. If you have done an IPFire install before, you should be able to figure it out. However, watch closely for what changes when you press the up/down keys.
It is possible to run IPFire in a virtual machine as a guest operating system.
Danger!Many would argue that running a firewall in a virtual machine is a Bad Idea® from a security perspective and should only be done for the purposes of testing. That discussion is outside of the scope of this document.
If you are running IPFire on top of the VMware hypervisor, use pakfire to install openvmtools:
[root@ipfire ~]# pakfire install openvmtools
IPFire includes the modules required to work properly in a Hyper-V environment, but those modules are not enabled by default. To enable those modules, add the following four lines to the file /etc/sysconfig/modules and reboot:
hv_blkvsc hv_netvsc hv_storvsc hv_vmbus