API overview of WFilter NGF.

WFilter NGF has a built-in API library for developers to manipulate the entire system or integrate WFilter features. With APIs, you’re able to:

  • 1. Get bandwidth history.
  • 2. Get online users, including ip, mac, account, live connections.
  • 3. Terminate user connections, kick off user…
  • 4. Add/remove user from virtual group to apply policies.
  • 5. Extend user expire date.

In this post, I will use an API example to demonstate the API library usage of WFilter NGF. The requirement is simple: “a API call to set access policy and bandwidth rate limit for an ip address”.

1. First, we need to setup WFilter NGF.

Because “access policy” and “bandwidth shaper” are separate modules in WFilter NGF,  we need to setup a virtual group with policies applied. In the API call, we only need to add IP addresses into the virtual group to apply the rules.

1.1) New a “limited access” virtual group.

api01 api02

1.2) Setup policies to this group.

api03

2. Use php to call WFilter API.

Now, we’ve setup policies for the virtual group. To implement policies to an IP address, we only need to add this IP into this group.  We have a php SDK, you need to include the WFilterNGF.php to call the API functions.

api04

Isn’t it simple? You may check more details in WFilter API. If you have any suggestions or requirement, please feel free to contact us.

 

 

 

Facebook Comments

Three ways to block torrent traffic in your network.

Torrent downloading is annoying and can consume most of your bandwidth, so you might want to block torrent in your network. There are several ways to block torrent in your network. While in this post, I will introduce three solutions to block torrent(bittorrent, utorrent, qtorrent) with WFilter internet content filter and WFilter NG firewall.

Please be aware that “WFilter internet content filter(ICF)” and “WFilter NG firewall(NGF)” are total different products. WFilter ICF is a windows program, which is designed for pass-by deployment on a mirroring port. While WFilter NGF is a dedicated linux firewall system.

1. Block torrent with WFilter ICF

passby_router_topology.png

As you can see in the diagram, the WFilter internet content filter(ICF) shall be connected to a mirroring port in your router or switch. So it can analysis network packets and deploy internet access policies. Steps to block torrent with WFilter ICF:

blocktorrent01 blocktorrent02 blocktorrent03

2. Block torrent with WFilter NGF as a network bridge.

Network topology diagram:

Ros guide bridge.png

WFilter NGF acts as a network bridge, sitting between your router and switch. So it can filter internet traffic.

3. Block torrent with WFilter NGF as a network gateway.

Network topology diagram:

Ros guide gateway.png

In this topology, WFilter NGF acts as the gateway of your network to deploy internet access policies. Please be aware that you can install WFilter NGF in a virtual machine to act as a virtual gateway, here is a guide: Using a pre-built VMWare image of WFilter NG Firewall

You can setup “application control” policies to block torrent with below steps:

block_torrent1 block_torrent2 block_torrent3

 

When deployed and configured properly, both WFilter ICF and WFilter NGF can block torrent completely. All torrent clients will have zero uploading and downloading speed.

utorrent_4 block_torrent04[1][2] after.

 

WFilter ICF homepage: WFilter Internet Content Filter

WFilter NG homepage: WFilter NG firewall

WFilter videos: WFilter Videos

 

 

Facebook Comments

How to setup ip-mac binding in your switch?

For security purpose, you might want to bind ip address with MAC address for client devices. There are several IP-mac binding solutions, including ARP binding, port-based binding…

In this post, I will introduce the steps to setup port-based IP-MAC binding in your switch.

1. Cisco 2950

Syntax of cisco 2950 port-based IP-MAC binding.
Switch#config terminal
Switch(config)#Interface fastethernet 0/1
Switch(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx ip-address 192.168.x.x

2. Huawei S5700

Syntax of Huawei S5700 port-based IP-MAC binding.
#interface GigabitEthernet 1/0/1
#user-bind mac-addr xxxx-xxxx-xxxx ip-addr 10.100.11.2

Other models have similar syntax. Port-based binding in switch is powerful, but it’s rather complicated to setup and maintaince, especially when you have a lot clients.

However, IP-MAC binding in gateway is easier to setup, also with powerful features, please check below screenshots in WFilter NG firewall.

3. WFilter NGF

ipbound01 ipbound02

When configured, DHCP clients will be assigned with static ip addresses; clients not matching the ip-mac binding relationship will be blocked.

Facebook Comments

A site to site ipsec vpn example.

With the “IPSec VPN” module in WFilter NGF, you can build a secure site-to-site VPN by a few clicks. In this post, I will demonstrate a typical usage of site to site ipsec vpn. Please check the diagram at first.

ipsecVPN

When successfully configure, A,B,C will have full access of each other. Please check below steps:

Suppose you have 3 networks:

  • Headquarter A, static public ip address, LAN subnet is 192.168.10.0/24.
  • Branch B, PPPoE internet access, LAN subnet is 192.168.30.0/24.
  • Branch C, PPPoE internet access, LAN subnet is 172.16.1.0/24.

Now let me guide you to build a virtual private network(VPN) for these three locations.

1 Settings for Headquarter A

  • Setup the IPSec tunnel

Ipsec center01.png

Ipsec center02.png

  • Enable forwarding of branches

Without this setting, branches can access headquarter, but no access between branches. Ipsec center03.png

2 Branch B

  • Setup the IPSec tunnel

Ipsec client01.png

  • Add a routing rule to branch C

Set branch C’s LAN subnet to “Destination”, set headquarter A’s public IP to “Gateway”. Without this routing rule, branch B can not access branch C.

Ipsec client02.png

3 Branch C

  • Setup the IPSec tunnel

Ipsec client03.png

  • Add a routing rule to branch B

Set branch B’s LAN subnet to “Destination”, set headquarter A’s public IP to “Gateway”. Without this routing rule, branch C can not access branch B.

Ipsec client04.png

By above steps, A,B,C are now in a virtual private network. If you don’t want access between B and C, there is no need to add the firewall and routing rules.

Facebook Comments

Turn your old PC into a firewall appliance.

You may have an old desktop PC sitting in a closet or somewhere. Did you know that you still can make it useful? In this guide, I will demonstrate the steps to turn your old pc into a network firewall appliance.

diy_wfilter_cover

1. First, please check what you need to prepare.

diy_wfilter01

1.1) an old desktop pc.
1.2) a gigabit ethernet adapter.
1.3) a usb stick.

2. Mount the ethernet adapter and connect the cables.

There is only one onboard ethernet adapter, so I need to add another PCI adapter.

diy_wfilter02

The green chip on left is the new added ethernet adapter.

diy_wfilter03

Now let’s connect the cables.

diy_wfilter04

3. Install WFilter NGF system.

Now you can install WFilter NGF with your usb stick. Please check a more detailed guide at here: WFilter NG Firewall Installation Guide

You shall be able to the console upon successful installation.
diy_wfilter05

Set your laptop to “dynamic ip address” and open http://192.168.10.1 in browser, you can access webUI to set the system up.

4. See what I get.

The CPU is “Intel Pentium Dual CPU E2160 1.8G”, 2GB DDR2 RAM, 160G harddisk.

diy_wfilter06

Let’s check the performance. Wow, it can handle 200+ clients with 20K concurrent connections. Isn’t it amazing?

diy_wfilter07

 

For more features of WFilter NGF, please check: WFilter NG firewall

Facebook Comments

DIY a firewall appliance for your network.

As WFilter NG firewall released a free 50-user license, there is an opportunity for small business and home users to DIY powerful firewall appliances. ou may read this post first to take a sight of the free license: Free license of WFilter NG firewall is now available

all

In this post, I will guide you certain steps to build a firewall appliance.

1. First, you need to buy an appliance box and a harddisk.

all

 

1). A 4/6 interfaces atom D525 networking appliance. (Less than $200)

2). A Seagate 1TB disk.

3). One usb stick.

2. Mount the disk.

mountdisk

3. Get a display monitor, and burn WFilter ISO into the usb stick.

Here is a guide for installation: http://wiki.wfilterros.com/Installation_of_WFilter_ROS

usb

install01_en

Console terminal after installation:install02_en

4. Now connect your laptop to LAN interface and setup basic networking parameters.

Set laptop to “obtain ip address automatically”, then open http://192.168.10.1 in your browser.install03_en

Choose the free license:install04_en

5. Connect all the cables.

rack

6. Done, now you can setup more policies to speed up your internet access.

dashboard_en

 

freelicense07

Isn’t it exciting? You won’t be able to find any better solution for small networks.

Download WFilter NG firewall now!

Facebook Comments

Free license of WFilter NG firewall is now available.

Free license of WFilter NG firewall is now available in the last build of WFilter NGF(1.1.2017.06.05). Except remote support, free license has all features of WFilter for 50 users. You can use this license in any networks, including business.

freelicense01

Now let’s see what we can do with this free license.

1. Choose “free license” on first time login.

freelicense02

2. Powerful reports and statistics.

freelicense03

3. Archive web browsing and email history.

Web activity recording

freelicense04

Email activity recording

freelicense05

SSL inspector

freelicense06

4. Deploy internet content filtering policies

With the free license, you also can get “website black&white list”, “website category filtering”, “application control”, “IP-mac binding”, “Web content pushing”…

freelicense07

5. Bandwidth optimization and rate limit

Free solutions for bandwidth priority optimization, bandwidth rate limiter and multiple WAN load-balancing and WAN fail-over.

freelicense08

6. Various user authentication.

Local accounts, active directory integration, PPPoE, web authentication(facebook WiFi).

freelicense09

And the “ISP management” module, a total solution for users/bandwidth management.

freelicense10

7. VPN tunnels

freelicense11

8. Extensions

freelicense12

9. License

Now let’s check the license: life-time free for 50 users.

freelicense13

Isn’t it exciting? You won’t be able to find any better solution for small networks.

Download WFilter NG firewall now!

Facebook Comments

Tips to stop WannaCry ransomware in your network.

In this weekend, WannaCry swept Europe and Asia quickly, locking up critical systems like the UK’s National Health Service, a large telecom in Spain, several universities in China and other businesses and institutions around the world. Once infected, the infected computer denies access, and demands the equivalent of around $300 in bitcoin for decryption.

StQ0-fyfeutp8502656

In this post, I would introduce the important tips to block WannaCry attack.

1. Install Security Patches. Microsoft has released security patches that fix SMB flaw currently being exploited by the WannaCry ransomware, with most version of Windows supported — including Windows XP, Vista, Windows 8, Server 2003 and 2008.
2. Block incoming connections on TCP port 445 in your router/firewall. This rule blocks attacks from internet.
3. For windows DMZ hosts, you also need to block TCP port 445 in firewall settings.
4. To protect VLANs being attacked by an infected VLAN, you can block TCP port 445 in VLAN ACL rules of your core switch.

virus_en01

Using the “network health checker” extension of WFilter, you also can check whether there are “Suspicious Hosts ” in your LAN network. Hosts with massive connections will be identified as “Suspicious”.

virus_en02

Facebook Comments

Powerful networking diagnose tool sets for IT professionals.

toolsethome
As a network professional, when things go wrong in your network, the right tools are required to minimize network downtime.
In this post, I will reveal you the extension system in WFilter, a powerful tool sets for networking issues.

At a first galance

toolset01

All WFilter systems have an “extension” library, which contains a powerful free tool sets for IT administrators. Most extensions are free. Even supported in WFilter free, a freeware for network internet filtering and monitoring.

Now let’s see what we can do with WFilter extensions:

1. Scan client devices in network

With “network scan” extension, you can get a complete list of network clients, including IP, MAC, manufactor and open ports…
toolset02

2. Discover and scan DHCP services in network

The “Network DHCP discover plugin” of WFilter can scan DHCP services in your network by a single click. It will list all dhcp servers ip addresses, MAC addresses and MAC manufactures.

3. Detect NAT sharing services in network

Detect illegal NAT sharing in network.

4. Check network health of availability, IP conflict, ARP spoof and broadcast storm

This extension can:

  1. check availability and ping performance of dns servers.
  2. check availability and ping performance of internet sites.
  3. check availability and ping performance of local network hosts.
  4. check whether there is ip conflict in local network.
  5. check whether there is arp spoof running in local network.
  6. check whether there is broadcast storm in local network.

5. Scan proxy servers in network

6. Graph ping performance of multiple hosts

With this plugin, you can get ping performance and graph reports for multiple hosts in a period of time.

A complete extesions list can be found at here: WFilter extensions. And more will come. The most important thing is that most extension are free, supported in “WFilter internet content filter(commercial)”, “WFilter NG firewall” and “WFilter Free”.

Isn’t it exicting? Download WFilter Now!

Facebook Comments

Monitor network bandwidth with cisco switch.

In this post, I will bring you a bandwidth monitoring solution based on your cisco switch. In case your router/firewall does not have bandwidth monitoring features, or you need more detailed reports, this solution can help you.

First, the network topology diagram:
cisco1

 

Most cisco switch supports “port mirroring(SPAN)” feature. You may use below commands to enable it:

1. Set source port

Switch(config)#monitor session 1 source interface Fa0/23

2. Set target port

Switch(config)#monitor session 1 destination interface Fa0/22 ingress vlan 1

Then, you need to install a passby filtering program(ie: WFilter internet content filter) in a windows PC, and connect this PC to the “target port”. So you can monitor internet bandwidth and live connections of network clients.

The new diagram:

cisco2

Now let’s check what you can monitor with WFilter:
1. Clients List

2. Live Connections

3. Bandwidth Reports

QQ截图20170505164907

QQ截图20170505164940

 

Facebook Comments