Tuesday, July 31, 2007

Cloning a MAC address in IPCOP

IPCop is a great SOHO Linux firewall distribution that is custom built using the Linux From Scratch (LFS) toolkit. I have been using it for many years, first toying with the 1.3.x versions and finally deploying the 1.4.x versions to my home network and in production enterprise environments. I have been very impressed that, given minimal hardware (200MHz PII, 128MB SDRAM, and 10GB HDD), I have been able to obtain darn close to wirespeed routing with NAT translation for 100Mbps connections (actual speeds were able to hit 12MBps sustained). With a built-in DHCP server and support for up to four networks (public (RED), private (GREEN), DMZ (ORANGE), and a separate LAN (BLUE), often used for wireless networks), there are really a lot of options available.

My biggest gripe has been with their lack of support for MAC address cloning. As many of you who have cable networks know, cable companies often use poor man's security by adding MAC address restrictions to their DHCP servers. In order to get an IP address that is routable to the Internet, you need to have the MAC address with which you originally registered with the cable company. Many of us are ditching our Linksys boxes in order to use a better featured and more powerful firewalling solution, and therefore our only options are to clone our MAC or to suffer through the tech support hotline music only to get a rep that has no idea what a MAC address is. Don't you hate it when you, the customer, have to tell the company's representative how to do their job?

Well, according to many of the blogs and posts out there, that's your only option with IPCop. I am here to say "Not any more." We just need to change the MAC address on the public interface BEFORE IPCop attempts to make a DHCP request. I figured out a really clean way to do this once before, after spending a few hours in the code base, but have long since forgotten where I documented what I did. This time I had less time and had to find a faster way, even if it was less elegant.

First, log into the box as root, either on the console or through SSH (you remember your root password, right?). Edit the following file (vi and nano are installed by default):

nano /etc/rc.d/rc.red

This is merely a Perl script that gets executed as the last part of the rc.netaddress.up process. Scroll past the first few lines: you will see a boilerplate header, some includes, and some variable definitions. Finally, look for the section that says:

# read vars back from file

In my version (1.4.13), there are 4 lines after that line. Add a carriage return to get a new line and add the following line after all those &General::readhash lines:

system ('/sbin/ifconfig', 'eth2', 'down', 'hw', 'ether', '00:12:ef:34:2a:ee');

Replace eth2 with the name of your WAN (RED) interface and, of course, use the MAC address which you want the IPCop box to clone. Save the file, reboot, and enjoy your night free of long monotonous elevator music.
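A check to run before and after the reboot, as an added example that is not part of the original post: it validates the address you are about to put into rc.red (Linux refuses multicast and all-zero addresses, and the system() line above discards ifconfig's exit status) and confirms that the RED interface actually carries it. The function names and the sample ifconfig output are constructed for illustration; eth2 and the MAC are the post's own placeholders.

```shell
#!/bin/sh
# Added example: sanity checks for the MAC clone line placed in /etc/rc.d/rc.red.
# Function names and SAMPLE_IFCONFIG are constructed for illustration.

# Print the MAC in lower case; fail unless it is six colon-separated hex octets.
normalize_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' |
        grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Succeed only for an address the kernel accepts on an Ethernet interface:
# not all zeros, and the multicast bit (low bit of the first octet) clear.
# Expects a normalized (lower-case) MAC.
is_assignable_mac() {
    [ "$1" != '00:00:00:00:00:00' ] || return 1
    case "$1" in
        ?[02468ace]:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read net-tools `ifconfig <iface>` output on stdin and print the HWaddr field.
mac_from_ifconfig() {
    sed -n 's/.*HWaddr \([0-9A-Fa-f:]*\).*/\1/p' | head -n 1
}

# $1 = MAC written into rc.red, stdin = `ifconfig <RED iface>` output.
# Returns 0 on match, 1 on mismatch, 2 if the wanted MAC is unusable.
check_clone() {
    want=$(normalize_mac "$1") || return 2
    is_assignable_mac "$want" || return 2
    have=$(normalize_mac "$(mac_from_ifconfig)") || return 1
    [ "$want" = "$have" ]
}

# Constructed sample of `ifconfig eth2` output after a successful clone.
SAMPLE_IFCONFIG='eth2      Link encap:Ethernet  HWaddr 00:12:EF:34:2A:EE
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

if printf '%s\n' "$SAMPLE_IFCONFIG" | check_clone '00:12:ef:34:2a:ee'; then
    echo "RED interface carries the cloned MAC"
fi
# On the firewall itself: ifconfig eth2 | check_clone '00:12:ef:34:2a:ee'
```

A return code of 2 means the address in rc.red would be rejected by the kernel, so the box would come up with its factory MAC and the DHCP request would go out unregistered.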

1 comment:

Anonymous said...

Thanks so much for this info. I just did this on IPCop 2.0 and it's working like a charm.