The ISP module of “WFilter NG firewall” designed for ISPs to manage users and bandwidth plans.
Beside “user web portal”, a recent update of “WFilter NG Firewall” added “Email Notification” feature. So users can get email notification of their bandwidth usage.
As shown in the above diagram, you can set different email alert frequency for “valid users” and “cap exceeded users”, with different email contents.
This feature will be helpful for ISPs who prefer use email alert rather web portal.
Many users asked about email monitoring and recording features of WFilter. Actually, WFilter, including “WFilter Enterprise” and “WFilter NG firewall”, all are able to record SMTP, POP3, IMAP and web-based emails on network. However, there are some limitations of this feature.
This post will discuss WFilter’s email monitoring features and solutions.
1. Monitoring of email clients
An email client receives emails via POP/IMAP protocols, sends emails via SMTP protocol. In today, SSL encryption is widely used for email clients. There are two kinds of SSL encryption: “SSL Connection” and “STARTTLS”. With WFilter, you can:
- Monitoring emails via plain SMTP/POP/IMAP.
- Email attachments can also be recorded.
For SMTP/POP/IMAP over SSL, you have two solutions:
Solution 1: block SSL email connections to force email clients using plain email protocols.
When blocking is applied, email clients need to be re-configured to disable SSL encryption.
Solution 2: Enable “SSL Email Inspection” with “WFilter NG Firewall”.
This feature can intercept SSL connections and record SSL emails. However, “STARTTLS” still can not be recorded, even “SSL Email Inspection” is enabled. Please check: SSL Email Inspection
2. Monitoring of Web Emails
Web email means receiving and sending emails within a web browser. Please note that web emails received can not be recorded, while http outgoing emails can be recorded by WFilter. Please note:
- Outgoing http web emails can be recorded.
- Https web emails can not be recorded.
- Not all http attachments can be recorded. It depends on the uploading protocol.
- For http web emails not recorded, you may contact us for a web email format upgrade.
Sometimes you will come to the following solutions when your internet bandwidth is insufficient:
- Use more than one broadband connection.
- Block applications which consume much bandwidth. For example, you might use “WFilter Enterprise passby internet content filter windows software” to block downloading and online streaming.
- Limit the real-time bandwidth rate for clients. This can be done in your router of firewall.
However, these solutions have disadvantages:
- Without access control, using multiple broadband connections can not bring better experience. It because downloading and streaming can easily consume most of your bandwidth.
- “Application blocking” can save your bandwidth. However, users experience are impacted. Users will complain about no streaming or downloading.
- Rate limiting does not optimize your bandwidth. Users will still complain about slow internet speed.
WFilter NG Firewall brings total solutions for bandwidth optimization.
1. Powerful access control policy
With “Access Policy” modules, you can block p2p downloading, online streaming, streaming websites. Please check: Access Policy
2. Multi-WAN load balancing and routing
In case you have multiple broadband connections, WFilter NG Firewall’s “Multi-WAN” module can help you to:
- Load balancing on multiple broadband connections.
- Setup routing policies. For example, a). business servers are routed to a dedicated connection, b). video sites are routed to another connection.
For more details, please check: Muti-WAN
3. Bandwidth priority
With the “Priority” module, traffic with higher priority goes first. For example, you can set business servers traffic to the highest priority. So even the network is extremly busy, servers bandwidth won’t be influenced.
When installed, there are default rules: email > web > p2p and streaming. You also can customize your own rules.
For more details, please check: bandwidth priority
4. Bandwidth shaper
This module is for you to set bandwidth rate for clients. You can set the rate to ip ranges, user group or department.
Each group have a “maximum bandwidth rate” and “minimum bandwidth rate”. The minimum rate ensures the clients to have this bandwidth rate even the line is busy.
For more details, please check: bandwidth shaper
Try WFilter NG Firewall now: WFilter NG Firewall
In this article, I’m going to walk you through setting up a two-VLAN network with a Layer 3 switch(Cisco 3550). I am also going to setup WFilter NG Firewall as the gateway to routing for this VLANs.
As in the above network topology diagram:
- There are two VLANs in the Cisco 3550 swith( Vlan2 – 192.168.2.0/24, and VLAN3 – 192.168.3.0/24).
- WFilter NG Firewall is in subnet 192.168.1.0/24.
- The uplink port of Cisco 3550 has IP address 192.168.1.5.
Configuring the Cisco switch
Commands to setup the Cisco 3550 switch:
Setup port VLAN
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport access vlan 2
Setup VLAN IP and subnet
Switch(config)#interface vlan 2
Switch(config-if)#ip address 192.168.2.1 255.255.255.0
Setup the uplink port
Switch(config-if)#ip address 192.168.1.5 255.255.255.0
Enable IP Routing
Configuring WFilter NG Firewall
For WFilter NG Firewall to route VLANs traffic, you need to add VLAN subnets in “Routing” of WFilter NG Firewall.
IP conflict in local network is annoying. When it happens, it will cause intermittently connections, and it’s difficult for an IT administrator to locate the conflicted devices.
With WFilter, you can do much more.
First, you can block the conflicted IP address with a message. So the client might fix this issue by himself. As shown in below figure, you can send a message “Your ip address conflicts with our server, please correct it ASAP”. This message will show up when browsing http sites.
Also, you can run the “Network Health Checker” extension, which can test ip conflicts in your network. Please check the below screenshots:
Now you may talk to the person with “HuaWei” mobile to fix this issue.
Extension home page: “Network Health Checker”
Wiki page: Check network health of availability, IP conflict, ARP spoof and broadcast storm
For ISP network management, you will need:
- User authentication.
- Monitor and filter of internet activities.
- Bandwidth shaper.
- Accounting and statistics.
Usually, you will need several systems to achieve this goal. Today, WFilter NG Firewall, a linux based next generation firewall provides a total solution for ISP network management, with below features:
- Two types of authentication: “Web Auth” and “PPPoE Auth”.
- An “Internet Usage” module to record web surfing, downloading activities.
- Rich internet access control policies: web filter, application control, ip-mac binding …
- Bandwidth policies of realtime rate limit and monthly bandwidth cap limit.
- Bandwidth optimize solutions.
- Internet usage and bandwidth statistics.
- A web push feature to push statistics, web page and advertise.
All these features can be configured in the “WFilter ISP module“.
More details can be found at here: WFilter NG Firewall ISP Module
A new protocol, IDM has been supported in WFilter NG Firewall for both enterprise license and free license.
Here is the protocol description: How to block IDM in network?
You can block IDM by setting IDM to “deny” in “App Control”.
Now IDM downloading won’t start anymore.
Both HTTP and HTTPS downloading can be blocked.
In google chrome, a new protocol named QUIZ, is implemented. The protocol description can be found at https://www.chromium.org/quic
It says QUIZ can improve website performance by 3%. However, because QUIZ is an UDP based encrypted protocol, domains support QUIZ will not be blocked with WFilter’s web filter.
This issue happens in Chrome browser to Google sites only(including youtube). To make web filter working, you’re recommended to block QUIZ completely.
In pass-by deployment with WFilter Enterprise, you’re recommended to block udp ports “443 -65534″ in your firewall and router.
In WFilterROS, you can block QUIZ in the “app control” module.
Demonstrations of blocking youtube.
When QUIZ is not blocked, you can only see QUIZ traffic when visiting of youtube with chrome.
Block QUIZ in app control.
Now “QUIZ” connections are all blocked, and youtube can be blocked by WFilter.
This site http://blog.wfilterros.com is the new blog site of WFilter NG Firewall.
Blog of WFilter and IMFirewall Software can be found at http://blog.imfirewall.us