Category Archives: Content Filter

WFilter NGF vs. internet filtering appliances.

Internet filtering appliances (UTM) are very popular in business networks. In this article, I discuss the differences between WFilter NGF and internet filtering appliances.

Compared with WFilter NGF, appliances are easier to deploy: you do not need to install the system yourself.

Advantages of appliances

  1. Easier to deploy.
  2. No hardware compatibility issues.

Disadvantages of appliances

  1. Most appliances can only work for 2-3 years.
  2. Poor scalability: if you add network clients, you need to buy new appliances.
  3. Very expensive; even upgrades are not free.

Comparison

Despite the above disadvantages, internet filtering appliances are ideal for business network security. With WFilter NGF, you need to test the hardware and install the system yourself. However, it also has the following advantages:

  1. You can DIY your own appliance.
  2. The license is upgradable and can be moved to another machine.
  3. Free upgrades for life.
  4. Most cost-effective.

So if you like the WFilter NGF features, or prefer a more cost-effective solution, choose “WFilter NG Firewall”.

How to block non-domain devices from accessing the internet?

Some users have asked how to prevent non-domain devices from having internet access in a business network. This guide shows how to do it with WFilter Enterprise.

As you know, WFilter can be integrated with Microsoft Active Directory, so you can monitor and filter internet usage by domain username. For details, please check: Active directory Integration of WFilter

To stop non-domain devices, follow these steps:

1. Set a restricted policy for devices in “Default IP Policy” of “user-device list”.

Devices will then have only restricted internet access.

2. Set the real policy for domain users in “Users” of “user-device list”.

3. Modify the “Policy Apply” option.

In “Advanced Settings” of “Account Monitoring Settings”, set “Policy Apply” to “User Policy First”, so that the user policy overrides the device policy.

After following the above steps, non-domain devices have only restricted internet access. When a device is logged in with a domain user, the user policy is applied.

WFilter integrates with active directory — solution of content filtering with domain users.

Filtering by IP address and MAC address is enough for most networks. However, in networks with dynamic IP addresses or BYOD networks, you may not be able to identify clients by IP or MAC. In this case, AD integration is a widely adopted solution for internet content filtering.

Both “WFilter Enterprise” and “WFilter NG Firewall” provide an “AD integration” solution, which enables you to do reporting, monitoring and filtering with domain users.

1. AD Integration in “WFilter Enterprise”.

More details can be found at: Active directory Integration of WFilter Enterprise

2. WFilter NG Firewall

With WFilter NG Firewall, not only can you do “AD integration”, you can also add “Local accounts” for monitoring, filtering and VPN access.


Please check: WFilter NG Firewall Active directory Integration Solutions

Introduction to WFilter NGF’s bandwidth optimization features.

When your internet bandwidth is insufficient, you usually end up with one of three solutions: adding more broadband connections, blocking applications, or rate limiting.

Actually, all three solutions have disadvantages:

  1. Without access control, using multiple broadband connections does not bring a better experience, because downloading and streaming can easily consume most of your bandwidth.
  2. “Application blocking” can save your bandwidth. However, user experience suffers: users will complain about not being able to stream or download.
  3. Rate limiting does not optimize your bandwidth. Users will still complain about slow internet speed.

WFilter NG firewall brings a total solution for bandwidth optimization.

1. Powerful access control policy

With the “Access Policy” module, you can block P2P downloading, online streaming and streaming websites. Please check: Access Policy

2. Multi-WAN load balancing and routing

If you have multiple broadband connections, WFilter NGF’s “Multi-WAN” module can help you to:

  1. Load balance across multiple broadband connections.
  2. Set up routing policies. For example, a) business servers are routed to a dedicated connection, b) video sites are routed to another connection.

For more details, please check: Multi-WAN

3. Bandwidth priority

With the “Priority” module, traffic with higher priority goes first. For example, you can give business server traffic the highest priority, so that even when the network is extremely busy, server bandwidth is not affected.

When installed, there are default rules: email > web > p2p and streaming. You can also customize your own rules.

For more details, please check: bandwidth priority

4. Bandwidth shaper

This module lets you set bandwidth rates for clients. You can apply a rate to IP ranges, user groups or departments.

Each group has a “maximum bandwidth rate” and a “minimum bandwidth rate”. The minimum rate ensures that the clients still get this bandwidth even when the line is busy.

For more details, please check: bandwidth shaper
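As an added illustration of the minimum/maximum semantics above (this is not WFilter NGF’s own scheduler, whose algorithm the page does not describe), the following Python model gives every group its minimum first and then shares the remaining capacity progressively up to each group’s demand and maximum; the group figures and link capacities are constructed examples.

```python
from dataclasses import dataclass

@dataclass
class ShaperGroup:
    name: str
    min_rate: float  # guaranteed rate in kbit/s, honoured even when the line is busy
    max_rate: float  # ceiling in kbit/s
    demand: float    # what the group is currently trying to send, kbit/s

def minimums_fit(groups, capacity):
    """Configuration check: guarantees can only be honoured if they fit the link."""
    return sum(g.min_rate for g in groups) <= capacity

def allocate(groups, capacity):
    """Return {group name: rate}: minimums first, then fair progressive filling up to max."""
    if not minimums_fit(groups, capacity):
        raise ValueError("configured minimum rates exceed link capacity")
    want = {g.name: min(g.demand, g.max_rate) for g in groups}   # what a group could use
    alloc = {g.name: min(g.demand, g.min_rate) for g in groups}  # guaranteed share
    left = capacity - sum(alloc.values())
    active = [g.name for g in groups if alloc[g.name] < want[g.name]]
    while active and left > 1e-9:
        # Raise every unsatisfied group by the same amount until one is satisfied
        # or the link is full; repeat with the groups still below their target.
        step = min(left / len(active), min(want[n] - alloc[n] for n in active))
        for n in active:
            alloc[n] += step
        left -= step * len(active)
        active = [n for n in active if alloc[n] < want[n] - 1e-9]
    return alloc

# Constructed sample groups (kbit/s); the link capacity is passed in by the caller.
GROUPS = [
    ShaperGroup("servers", min_rate=2000, max_rate=10000, demand=5000),
    ShaperGroup("staff", min_rate=1000, max_rate=8000, demand=9000),
    ShaperGroup("guests", min_rate=500, max_rate=3000, demand=6000),
]
```

On a 3500 kbit/s line every group is held at its minimum; on a 12000 kbit/s line the guests hit their 3000 kbit/s ceiling and the spare capacity goes to the other two groups.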

Try WFilter NGF now: WFilter NG firewall

WFilter NG Firewall, a linux based next generation firewall and routerOS, is released.

After two years of development, we’re now pleased to announce a new product: “WFilter NG Firewall”, a linux based next generation firewall and routerOS.

WFilter NG Firewall is a routerOS system, which currently can only be installed on an x86 PC. It integrates most features of “WFilter Enterprise”, together with several new features: “bandwidth optimizer”, “Multi-WAN”, “user authentication”, “VPN” and others.

WFilter ROS brings you powerful live connection monitoring and access control. Features highlights:

  1. Live connection monitoring and control: you can kill live connections, or add user to the punish group.
  2. The URL database supports 60+ web categories.
  3. Set internet access policy by network, ip address, mac address or username.
  4. Monitor MAC addresses of clients in subnet. Please check: MAC Detector
  5. IP-MAC binding in multi-segments networks. Please check: IP-MAC Binding
  6. Smart bandwidth optimizer and shaper. Please check: Bandwidth Optimizer

Both an “enterprise license” and a “free license” are supported. The free license is lifetime and has no user limit.

You may download WFilter ROS at: http://www.wfilterros.com

WFilter 4.1 added monitoring by mac address solution for multiple-segment networks.

1. What is “by mac address monitoring mode”?

WFilter supports both “by ip address monitoring mode” and “by mac address monitoring mode”.

In “by mac address mode”, WFilter identifies a client device by its physical MAC address. Even if the IP address of this device changes (either by DHCP or by hand), WFilter can still identify it correctly. So this monitoring mode is useful in DHCP networks.

I recommend choosing the monitoring mode as follows:

  1. If IP addresses are static (or can be made static), “by ip address” monitoring mode is recommended.
  2. If IP addresses are dynamic, “by mac address” monitoring mode is recommended for single-segment networks.

2. by mac address solution for multiple-segment networks

In a multiple-segment network, the core switch (gateway) hides the real MAC addresses of client devices, which prevents the MAC address monitoring mode from working.

In WFilter Enterprise 4.1, a program named “MAC Address Collector” is included. This program can detect and gather mac addresses of client devices via SNMP or ARP.

With the “mac address collector”, you can monitor by MAC address even in multiple-segment networks.

More details and guide documents can be found at: Monitoring by mac addresses solutions

How to monitor and filter internet activities of PPPoE users?

PPPoE is widely used for user authentication and traffic accounting. However, it’s a little difficult to monitor and filter PPPoE clients’ internet usage and behavior.

In this example, we will show how to monitor and filter PPPoE clients with WFilter Free. Please note that only non-encrypted and uncompressed PPPoE traffic is supported. So the first step is to configure your PPPoE server for no encryption and no compression.
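To show what that requirement means on the wire, here is an added example (not part of the original guide, and not WFilter code) that parses a PPPoE session frame in Python and reports whether the inner IP header is visible to a monitor; the frames are constructed inline, and a 2-byte PPP protocol field is assumed.

```python
import struct

ETH_P_PPPOE_SESSION = 0x8864  # PPPoE session-stage EtherType
PPP_IPV4 = 0x0021             # PPP protocol: plain IPv4 datagram
PPP_COMPRESSED = 0x00FD       # PPP protocol: MPPC-compressed or MPPE-encrypted datagram
PPP_ENCRYPTED = 0x0053        # PPP protocol: ECP-encrypted datagram

def parse_pppoe_frame(frame: bytes) -> dict:
    """Return session id, PPP protocol and, for plain IPv4, the inner addresses.
    Assumes a 2-byte PPP protocol field (no protocol-field compression)."""
    if len(frame) < 22:
        raise ValueError("frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame: 0x%04x" % ethertype)
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:
        raise ValueError("unexpected PPPoE version/type/code")
    ppp = frame[20:20 + length]
    if len(ppp) != length:
        raise ValueError("truncated PPPoE payload")
    protocol = struct.unpack("!H", ppp[:2])[0]
    result = {"session_id": session_id, "ppp_protocol": protocol, "inspectable": False,
              "opaque": protocol in (PPP_COMPRESSED, PPP_ENCRYPTED)}
    if protocol != PPP_IPV4:
        # Compressed/encrypted PPP hides the IP header: this is the traffic the
        # guide tells you to switch off on the PPPoE server before monitoring.
        return result
    ip = ppp[2:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("malformed IPv4 header")
    result.update(inspectable=True, ip_protocol=ip[9],
                  src=".".join(str(b) for b in ip[12:16]),
                  dst=".".join(str(b) for b in ip[16:20]))
    return result

def build_frame(session_id: int, ppp_protocol: int, payload: bytes) -> bytes:
    """Build a PPPoE session frame (constructed test input, not captured traffic)."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETH_P_PPPOE_SESSION)
    ppp = struct.pack("!H", ppp_protocol) + payload
    return eth + struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp

def ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; enough for address extraction)."""
    addrs = bytes(int(x) for x in src.split(".")) + bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, proto, 0) + addrs
# Constructed samples: one plain IPv4 session packet, one MPPE/MPPC datagram.
PLAIN_FRAME = build_frame(1, PPP_IPV4, ipv4_header("10.0.0.5", "93.184.216.34"))
OPAQUE_FRAME = build_frame(1, PPP_COMPRESSED, bytes.fromhex("900100aabbccdd"))
```

With compression or encryption left on, every data frame carries protocol 0x00FD (or 0x0053) and the parser can only report the session id, which is why the server-side settings below come first.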

1. PPPoE server settings

Let’s take Windows Server 2003 and RouterOS as examples.

1). Windows 2003 Server configuration

If you are using Windows 2003 Server as the PPPoE server, follow these steps to configure it:

In “Properties” of the “Routing and Remote Access”, disable “software compression” and “LCP” in the “PPP” tab.

Edit the “remote access policy” for “no encryption” in “Edit Profile”. Note: both default policies must be modified.



2). RouterOS configuration

If you are using RouterOS as the PPPoE server, follow these steps to disable compression and encryption:

In the “PPP” tab of “Profiles”, click “Protocols” and disable compression and encryption.

2. Monitor PPPoE clients in WFilter

2.1) Choose the internal adapter

Now WFilter is able to parse the PPPoE traffic. In this example, we simply install WFilter Free on the Windows 2003 PPPoE server.

You need to choose the internal adapter as the “monitoring adapter” in “System Settings”->”Monitoring Settings” of WFilter.


2.2) Set up the client policy

Add a block policy to block web surfing.

Apply this policy to the PPPoE clients’ IP ranges.

2.3) Check blocking

PPPoE clients get blocked.

Blocking events in WFilter.

WFilter deployment with gargoyle router.

1. Gargoyle Router Introduction

Gargoyle is an OpenWrt distribution which aims to be easy to use through a simplified web interface. Gargoyle can turn your wireless router into a powerful Linux system. Even if your router hardware does not support the “port mirroring” function, you can still enable traffic mirroring in software.

This blog will guide you to install the “port-mirroring” program on your Gargoyle router and deploy WFilter for internet monitoring and filtering. We assume you already have a Gargoyle router; if not, please check the Gargoyle homepage to get the latest firmware.

2. Port-mirroring program

Port-mirroring is an open source project sponsored by IMFirewall Software. It is designed to mirror network traffic on Linux systems.

2.1. Installation

For a detailed installation guide, please check Port-mirroring open source packet mirroring. In this guide, we take the Linksys WRT54G router as an example.

Steps:

a) opkg update

b) opkg install http://port-mirroring.googlecode.com/files/port-mirroring_1.3-1_12.09_brcm47xx.ipk

Because Gargoyle is based on the OpenWrt Attitude Adjustment 12.09 branch, we need to install the build for OpenWrt 12.09.

2.2. Configuration

You need to edit /etc/config/port-mirroring to set the mirroring target and the mirrored source interfaces.

In this example, we choose the “eth0” wireless adapter as the mirrored source interface.

2.3. Start Port-mirroring

/etc/init.d/port-mirroring start

3. Check monitoring in WFilter

Now WFilter should be able to monitor the client computers.

How to deploy WFilter with tomato router?

The “--tee” option of iptables can mirror network packets to a target IP address. With this feature, you can deploy monitoring easily when you have an embedded Linux router.

In this tutorial, we will guide you to deploy WFilter using a Tomato router (firmware version: v1.28).

1. Enable SSH login in Tomato

Enable “SSH Daemon” in “Administration” – “Admin Access”.

2. Log in to your Tomato router.

Log in to your Tomato router using any SSH client.

3. Enable the ipt_ROUTE module.

For the “--tee” option to work, you need to enable the “ipt_ROUTE” module, which is not enabled by default.

4. Add the iptables rule for packet forwarding.

In this example, we forward packets to “192.168.1.100”.

5. List and verify iptables rules.

You can list your iptables rules to check whether this rule is successfully added.

6. Add startup script.

If you want this rule to survive a router reboot, add these two commands to the startup scripts in “Administration” – “Scripts”.

modprobe ipt_ROUTE

iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.100 --tee


7. Check your WFilter settings.

Please note that iptables does not preserve the original MAC addresses of the mirrored packets. Therefore you cannot use WFilter’s “by mac address” monitoring mode; use “by ip address” instead.

Done.

How to deploy WFilter free with mikrotik routerOS(ROS)?

The “packet streaming” feature in RouterOS can send network packets to a network parser for analysis. If you do not have a managed switch, you can enable this feature so that WFilter can monitor and filter the network computers.

In this blog, I will show how to set up WFilter Free for web filtering with RouterOS.

Enable Packet Streaming

In “Tools”->”Packet Sniffer”, choose the lan interface as the sniffer interface.

Set the WFilter server ip as the streaming server

Done. Now you should be able to monitor all network computers in WFilter Free or WFilter Enterprise.

Let’s add a blocking policy to check.

First, add a blocking level.

Block web surfing

Second, apply this blocking policy to target ip range.

Check blocking