Some users have asked how to prevent non-domain devices from getting internet access in a business network. This guide shows how to do it with WFilter Enterprise.
As you know, WFilter can be integrated with Microsoft Active Directory, so you can monitor and filter internet usage by domain username. For details, please check: Active directory Integration of WFilter
To stop non-domain devices, follow the steps below:
1. Set a restricted policy for devices in the “Default IP Policy” of the “user-device list”.
Devices will then have restricted internet access only.
2. Set the real policy for domain users in “Users” of the “user-device list”.
3. Modify the “Policy Apply” option.
In “Advanced Settings” of “Account Monitoring Settings”, set “Policy Apply” to “User Policy First”, so that the user policy overrides the device policy.
After the above steps, non-domain devices have restricted internet access only. Once a domain user logs in, the user policy is applied instead.
WFilter Enterprise (WFilter internet content filter) supports monitoring and filtering of clients in multiple VLANs from a central WFilter PC.
Below is the deployment layout:
- The WFilter PC shall have two network cards.
- NIC1 shall be connected to the mirroring port.
- NIC2 shall be connected to the management VLAN, which can communicate with the other VLANs.
- The mirroring port shall be configured to monitor the uplink port (the port connected to the upstream router or firewall).
In WFilter, you also need to set up the “mirroring adapter” and “blocking adapter” in “System Settings” -> “Monitoring Settings”. The mirroring adapter shall be the adapter connected to the mirroring port, while the blocking adapter shall be the one connected to the management VLAN.
Sometimes you might want to block Facebook video streaming to save bandwidth. There is a predefined protocol named “facebook videos” in WFilter, which lets you block Facebook video in a few clicks. Here is the protocol description: facebook videos protocol and ports.
In another post, I’ve demonstrated how to block Facebook videos with WFilter Enterprise. In this post, I will show how to block Facebook videos with “WFilter NG firewall”, a Linux NG firewall designed for business networks.
1. Create a new “block facebook” policy in “App Control”.
2. Set “facebook videos” to “Deny” under “streaming”.
3. That’s all. Facebook videos are now blocked.
Please note: because short/small videos are served from the same source as images, blocking Facebook video does not block short video clips. Only medium or large videos can be blocked.
Hotspot Shield is a popular VPN service with a free version available. When launched, it tries to connect to many TLS sites for traffic relaying. If you capture packets with Wireshark, you will see traffic to well-known sites such as “google.com, baidu.com…”, but in fact it is Hotspot Shield VPN traffic disguised as normal TLS.
Our team has worked out a protocol pattern to block Hotspot Shield traffic completely in your network. WFilter identifies Hotspot Shield via signature matching, so regardless of transfer type or client version, all Hotspot Shield traffic can be blocked. Here is a protocol description of Hotspot Shield VPN: protocol and port range of Hotspot shield.
Below are the steps with WFilter NG firewall:
1. Create a new “block hotspot” app control policy.
2. Set “Hotspot shield” to “Deny”.
3. That’s all. Hotspot Shield will no longer be able to connect.
4. The blocking event as recorded in WFilter NG firewall.
Please note: all WFilter products support blocking of Hotspot Shield, including WFilter NG firewall and WFilter Enterprise.
The ISP module of WFilter NG firewall provides a total solution for bandwidth rate limiting, cap limiting and reporting for ISP users. In this topic, I would like to introduce a PayPal integration solution so that your ISP service can run automatically. It works like this:
- Users get an email/web portal notification of their ISP account expiry date.
- Users can click “renew” to make a payment online via PayPal.
- Upon receiving a payment, PayPal calls a callback script that extends the user’s expiry date.
The whole process can be done automatically. Below is a demonstration of the main steps:
First, create payment buttons in your PayPal business account.
Second, you need an order landing page on your website.
When users click “renew” in their user portal or email notification, they are redirected to the landing page. The landing page shall parse the “token” field to get the username, expiry date and current bandwidth policy, so that you can calculate the cost of renewing. You can find an example landing page in WFilter_paypal_sdk.
Third, enable “Instant payment notifications” in your PayPal profile for the callback.
When enabled, PayPal calls the callback URL, and WFilter NG firewall extends the user’s expiry date.
The full PHP SDK source code can be downloaded here: WFilterNGF_Paypal_SDK_1_0.zip
Please note: we only provide a simple callback example. To make it work for you, you need at least the following modifications:
- Customize the landing page. For example, offer “1 month” and “2 months” choices.
- Customize the callback PHP script. The default script extends the user by one month only.
For any question, please feel free to contact IMFirewall Support. We’re always willing to help.
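The renewal flow above (landing page parses a token, computes the cost, PayPal sends an Instant Payment Notification, the callback extends the expiry date) can be modelled end to end. The following Python is an added illustration written for this post; it is not the WFilter PHP SDK. The token format (`user|expiry|policy|hmac`), the price table, the receiver address and the IPN messages are all constructed here. The callback checks what a production IPN handler should check before touching an account: PayPal's own verification reply, `payment_status`, `receiver_email`, the paid amount against the computed cost, and `txn_id` replay. Verification normally means POSTing the raw message back to PayPal with `cmd=_notify-validate`; here the verifier is injected so the logic runs offline.

```python
"""Renewal flow for an ISP user portal paid via PayPal IPN (illustrative, not the SDK)."""
import calendar
import hashlib
import hmac
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed values: a secret shared by the portal and the callback script, a price
# table in USD per month per bandwidth policy, and the PayPal business account address.
PORTAL_SECRET = b"constructed-secret-change-me"
PRICE_PER_MONTH = {"10M": Decimal("10.00"), "50M": Decimal("25.00")}
RECEIVER_EMAIL = "isp-billing@example.com"


def make_token(username, expire, policy):
    """Build a signed token 'user|YYYY-MM-DD|policy|hmac' (assumed format, not the SDK's)."""
    body = f"{username}|{expire.isoformat()}|{policy}"
    tag = hmac.new(PORTAL_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def parse_token(token):
    """Return (username, expire_date, policy); raise ValueError if the token was altered."""
    try:
        user, expire_s, policy, tag = token.split("|")
    except ValueError:
        raise ValueError("malformed token")
    body = f"{user}|{expire_s}|{policy}"
    expected = hmac.new(PORTAL_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token signature mismatch")
    return user, date.fromisoformat(expire_s), policy


def renewal_cost(policy, months):
    """Cost of renewing `policy` for N months, from the constructed price table."""
    if months < 1 or policy not in PRICE_PER_MONTH:
        raise ValueError("unsupported renewal")
    return PRICE_PER_MONTH[policy] * months


def extend_expiry(current, months, today):
    """Add N calendar months. An already expired account restarts from today, and the
    day of month is clamped (Jan 31 + 1 month -> Feb 28/29)."""
    base = max(current, today)
    month0 = base.month - 1 + months
    year, month = base.year + month0 // 12, month0 % 12 + 1
    day = min(base.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def handle_ipn(params, verify, accounts, seen_txn, today):
    """IPN callback. `verify(params)` must return PayPal's reply to the notify-validate
    POST ('VERIFIED' or 'INVALID'); it is injected so this runs offline. `accounts` maps
    username -> (policy, expiry); `seen_txn` holds processed txn_ids to stop replays."""
    if verify(params) != "VERIFIED":
        return "rejected: not verified by PayPal"
    if params.get("payment_status") != "Completed":
        return "ignored: payment not completed"
    if params.get("receiver_email") != RECEIVER_EMAIL:
        return "rejected: wrong receiver"
    txn = params.get("txn_id")
    if not txn or txn in seen_txn:
        return "ignored: duplicate or missing txn_id"
    try:
        # The 'custom' field is assumed to carry "username:months" set by the landing page.
        user, months_s = params["custom"].split(":")
        months = int(months_s)
        policy, current = accounts[user]
        due = renewal_cost(policy, months)
        paid = Decimal(params.get("mc_gross", "0"))
    except (KeyError, ValueError, InvalidOperation):
        return "rejected: bad order data"
    if params.get("mc_currency") != "USD" or paid != due:
        return "rejected: amount mismatch"
    seen_txn.add(txn)  # record only after every check has passed
    accounts[user] = (policy, extend_expiry(current, months, today))
    return f"extended {user} to {accounts[user][1].isoformat()}"


if __name__ == "__main__":
    # Constructed walk-through: alice's token, a verified IPN, and a replay of the same IPN.
    accounts = {"alice": ("10M", date(2024, 1, 31))}
    print(parse_token(make_token("alice", date(2024, 1, 31), "10M")))
    ipn = {"payment_status": "Completed", "receiver_email": RECEIVER_EMAIL, "txn_id": "T1",
           "custom": "alice:1", "mc_currency": "USD", "mc_gross": "10.00"}
    seen = set()
    print(handle_ipn(ipn, lambda p: "VERIFIED", accounts, seen, date(2024, 1, 10)))
    print(handle_ipn(ipn, lambda p: "VERIFIED", accounts, seen, date(2024, 1, 10)))
```

The token is signed because the landing page trusts it for the username and policy that decide the price; an unsigned token would let anyone on the portal alter those fields. The expiry arithmetic also shows why the default "one month" script needs care: extending from a date that has already passed should start from today, and month arithmetic must clamp the day.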
WFilter NG firewall has an ISP module, designed as a total solution for ISP management. You can check the details in this post: the ISP module of WFilter NG Firewall, a total solution for ISP management, and in the online guide: ISP management.
In this post I would like to show how you can manage expiring and expired users in the ISP module.
1. You can add expiring and expired users to different groups.
When enabled, such users are added to the groups automatically, so you can attach additional policies to these groups in “Access Control” and “Bandwidth”. For example, you can:
a). Send expiry notifications to expiring users with the “Web Push” module. Users can renew online, and the renewal process can complete automatically.
b). Restrict the internet access of expired users. Please note that login is not allowed for expired PPPoE and WebAuth users.
2. Email notification to expiring users.
You can schedule email notifications to expiring users at different points in time (for example, 30 days before expiry). Users can also click the “order now” link in the email to renew their account. Please check the screenshots below.
A sample email received:
More details can be found here: WFilter NG Firewall ISP Module
Some users get confused about “WFilter Enterprise” and “WFilter NG firewall”, so in this topic I would like to discuss the differences between these two products.
Though both are named “WFilter xxx”, “WFilter Enterprise” is pass-by web filtering software for Windows PCs, while “WFilter NG firewall” is a Linux-based firewall system that must be installed on a dedicated x86 PC.
WFilter NG Firewall
1. A total solution for bandwidth optimization, access control and VPN (UTM and NG firewall).
2. Deployment: gateway, bridge.
3. Installation: x86 PC or virtual machine.
4. License: 30-day free trial.
WFilter Enterprise
1. Pass-by monitoring solution as Windows software.
2. Recommended deployment: pass-by.
3. Installation: shall be installed on a Windows PC.
4. License: 30-day free trial.
How to choose?
First, confirm your requirements. If you only need “internet access control”, both “WFilter Enterprise” and “WFilter NG firewall” will satisfy you. If you need the “bandwidth shaper” or VPN features, you need “WFilter NG Firewall”.
Second, choose the preferred deployment. If you don’t want to change the current network topology or add a new network device, choose “WFilter Enterprise”, which can be deployed with your current topology unchanged. If you are willing to replace your current router/firewall, or to add a transparent network bridge, choose “WFilter NG firewall”.
Third, be aware that WFilter Enterprise is a Windows software program that can be installed instantly, while WFilter NG firewall is an operating system: you need a dedicated PC and must burn a CD or USB stick to install it.
In a recent update of WFilter NG firewall, we have redesigned the “bandwidth shaper” feature. The “bandwidth shaper” is now easier to understand and configure.
Let’s take a look.
The shaper rules list:
Bandwidth shaper policy:
In each policy, you define the total UP and DOWNLOAD bandwidth for this rule. If the rule is applied to multiple clients, all the clients share the defined TOTAL bandwidth. Please note: the minimum bandwidth defines the statically allocated bandwidth, while the maximum bandwidth is allocated dynamically.
All clients covered by this rule share the bandwidth fairly. You may also enable “client maximum rate” if you want to limit the bandwidth rate of each IP.
In the “ISP” module, the “Rate Limit” policy has the same settings as the “bandwidth shaper” described above.
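To make the minimum/maximum and fair-sharing semantics above concrete, here is an added Python model written for this post; it is an illustration, not WFilter's shaper code. It assumes HTB-like semantics: the rule's minimum is always available, anything between minimum and maximum is dynamic and only exists when the link has spare capacity, and the clients under the rule get a max-min fair (water-filling) split, each capped by the optional “client maximum rate”. Units are kbps, one direction at a time, and the rule and client demands are constructed sample values.

```python
"""Fair-share bandwidth allocation under a shaper rule (illustrative model)."""


def rule_capacity(rule_min, rule_max, spare_on_link):
    """Bandwidth (kbps) the rule can hand out right now. The static minimum is always
    available; the dynamic part above it, up to the maximum, exists only while the link
    has spare capacity. (Assumed HTB-like semantics, not WFilter's implementation.)"""
    if rule_min < 0 or rule_min > rule_max or spare_on_link < 0:
        raise ValueError("bad rule or link state")
    return rule_min + min(spare_on_link, rule_max - rule_min)


def fair_share(capacity, demands, client_max=None):
    """Max-min fair (water-filling) split of `capacity` among clients.

    `demands` maps client -> requested kbps; `client_max` (None or 0 = no cap) is the
    per-IP “client maximum rate”. Clients that want less than an equal share get what
    they ask for; the leftover is re-split among the rest until everyone is served or
    the capacity is exhausted.
    """
    caps = {c: (min(d, client_max) if client_max else d) for c, d in demands.items()}
    alloc = {c: 0.0 for c, v in caps.items() if v <= 0}
    active = {c: v for c, v in caps.items() if v > 0}
    remaining = float(capacity)
    while active:
        share = remaining / len(active)
        done = {c: v for c, v in active.items() if v <= share}
        if not done:
            # Nobody can be fully served: everyone left gets the same share.
            for c in active:
                alloc[c] = share
            break
        for c, v in done.items():
            alloc[c] = float(v)
            remaining -= v
            del active[c]
    return alloc


def allocate(rule, demands, spare_on_link):
    """Allocate one direction of a shaper rule. `rule` is a dict with 'min', 'max' and an
    optional 'client_max' (all kbps); `demands` maps client IP -> requested kbps."""
    capacity = rule_capacity(rule["min"], rule["max"], spare_on_link)
    return fair_share(capacity, demands, rule.get("client_max"))


if __name__ == "__main__":
    # Constructed sample: a rule guaranteeing 2 Mbps, bursting to 5 Mbps, 2 Mbps per IP.
    rule = {"min": 2000, "max": 5000, "client_max": 2000}
    demands = {"10.0.0.11": 500, "10.0.0.12": 4000, "10.0.0.13": 4000}
    for spare in (0, 1000, 10000):
        print(f"spare on link {spare:>5} kbps ->", allocate(rule, demands, spare))
```

With no spare link capacity the three clients split only the 2000 kbps minimum (500, 750, 750); with 1000 kbps spare the rule grows to 3000 kbps and the two heavy clients get 1250 each; with plenty of spare the rule reaches its 5000 kbps maximum but the per-IP cap holds the heavy clients at 2000 each, leaving 500 kbps of the rule unused.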
Filtering by IP address and MAC address is enough for most networks. However, in networks with dynamic IP addresses or BYOD networks, you may not be able to identify clients by IP or MAC. In this case, AD integration is a widely adopted solution for internet content filtering.
Both “WFilter Enterprise” and “WFilter NG Firewall” provide an “AD integration” solution, which enables you to do reporting, monitoring and filtering by domain user.
1. AD Integration in “WFilter Enterprise”.
More details can be found at: Active directory Integration of WFilter Enterprise
2. WFilter NG Firewall
With WFilter NG Firewall, you can not only do “AD integration” but also add “Local accounts” for monitoring, filtering and VPN access.
Please check: WFilter NG Firewall Active directory Integration Solutions