Category Archives: How to filter internet access

How to block facebook videos streaming with WFilter NG firewall?

Sometimes, you might want to block facebook video streaming to save your bandwidth. There is predefined protocol named “facebook videos” in WFilter, which can help you to block facebook video by a few clicks. Here is the protocol description: facebook videos protocol and ports.

In another post, I’ve demonstrated how to block facebook videos with WFilter Enterprise. In this post, I will guide you to block facebook videos with “WFilter NG firewall”, which is a linux NG firewall designed for business networks.

1. New a block facebook policy in “App Control”.blockfb_video01

2. Set “facebook videos” to “Deny” in “streaming”.
blockfb_video02

3. That’s all. Now facebook videos will be blocked.
blockfb_video1 blockfb_video2

Please note, because short/small videos come from a same source as images, so blocking of facebook video does not short video cuts. Only medium or large size videos can be blocked.

How to block hotspot shield VPN in network with WFilter NG firewall?

Hotspot shield is a popular VPN service, with free version available.  When launched, it will try to connect a lot TLS sites for traffic relaying. If you do packet sniffer with wireshark, you will see  traffic  from famous sites like “google.com, baidu.com…”. But in fact, it’s hotspot vpn traffic in the camouflage of normal TLS.

Anyway, our team has worked out a protocol pattern to block Hotspot shield traffic completely in your network. WFilter identifies Hotspot via signature matching, so no matter in which transfer type or client version, all Hotspot traffic can be blocked. Here is a protocol description of hotspot shield VPN: protocol and port range of Hotspot shield.

Below are the steps with WFilter NG firewall:

1. New a “block hotspot” app control policy.

block_hotspot_01

2. Set “Hotspot shield” to “Deny”.block_hotspot_02

3. That’s all. Now hotspot shield will never be able to connect.

hotspot_blocked

4. The blocking event in WFilter NG firewall.

block_hotspot_03

Please note: all WFilter products can support blocking of hotspot shield, including WFilter NG firewall and WFilter Enterprise.

TradeManager Black & white list is now supported in WFilter 4.1

The following example will show you how to use TradeManger black list.

1. New a blocking level named “trademanager”

2. Configure the black list

Notice: you should add “aliint” before your account, and save the configuration.


3. Apply the blocking level

4. Check blocking of TradeManager

5. Check real-time block

As you can see in the above example, TradeManager accounts in the black list will not be able to login.

WFilter 4.1 version is coming.

Finally, WFilter 4.1 version is coming to the beta testing after two years of development. Now let me show you the exciting new features in this new version.

1. More deployment solutions

More deployment solutions are added, especially for wifi networks. We also added solutions to monitor by mac address in multiple segments networks. In WFilter 4.0 version, only “by ip address” mode is supported, the new version will retrieve mac address information from your core switch via SNMP.

2. More monitored content

Added support for ip protocols and ip fragment. For web monitoring, WFilter new version will record browser type(userAgent) as well.

3. Faster UI speed

We adopted fastcgi technology in the new 4.1 version, which makes great improvement on UI loading speed. Monitoring performance is also improved.

4. New UI design

Added “common” menu for you to define common used menus, so you can open a page within one click.

We also re-designed the “online computers” page.


5. New “Protocols” system

With this “protocols” system, you can download and share protocols within a few clicks. You will never have the pain to configure new protocols any more.

6. New “Plugins” system

We integrated a set of tools for network monitoring and management, which is still growing. You can get plugins for network discovery, wfilter management and other related features.

7. New “web content push” feature

This feature enables you to push web content without a real blocking. You can define time interval, web push triggers for this content to appear regular in client computers.

8. More flexible policy settings

With the last version, it’s easier to assign policy for new detected devices, and set default OU policy for new detected AD users.

New version downloading URL: WFilter 4.1

Please notice: WFilter 4.1 version is still in beta testing, and some features are not fully tested. This version is only for preview and testing purpose. So if you already have a stable WFilter 4.0 running, it’s not wise to replace it with this beta version.

How to monitor and filter internet activities of PPPOE users?

PPPOE is widely used for user authentication and traffic accounting. However, it’s a little difficult to monitor and filter PPPOE clients’ internet usage and behavior.

In this example, we will demonstrate you to monitor and filter PPPOE clients with WFilter Free. Please notice that only non-encrypted and uncompressed PPPOE traffic can be supported. So the first step is to configure your PPPOE server for non-encryption and non-compression.

1. PPPOE server settings

Let’s take windows 2003 and RouteOS for examples.

1). 2003 Server Configuration

If you are using windows 2003 server as the PPPOE server, please follow below steps to configure:

In “Properties” of the “Routing and Remote Access”, disable “software compression” and “LCP” in the “PPP” tab.

Edit “remote access policy” for “no encryption” in “Edit Profile”. Notice: The default two policies shall all be modified.



2). ROS Configuration

If you are using routeOS as PPPOE server, please follow these steps to disable compression and encryption:

In “PPP” tab of “Profiles”, click “Protocols” and disable compression and encryption.

2. Monitor PPPOE clients in WFilter

2.1) Choose the internal adapter

Now WFilter is able to parse PPPOE traffic. In this example, we just install WFilter free in the windows 2003 PPPOE server.

You need to choose the internal adapter as the “monitoring adapter” in “System Settings”->”Monitoring Settings” of WFilter.


2.2). Setup client policy

Add a block policy to block web surfing.


Apply this policy to PPPOE clients’ ip ranges


2.3). Check Blocking

PPPOE clients get blocked.

Blocking events in WFilter.

WFilter deployment with a network tap.

1. What is network tap?

Network tap is also a good way to monitor network traffic. Comparing to “port mirroring” switch, it has several advantages:

  1. Handy and flexible, requires no power supply.
  2. Once a network tap is in place, the network can be monitored without interfering with the network itself.
  3. Low cost, you even can dry it by yourself.

Guide to make a network tap can be found at below links:

  1. Throwing Star LAN Tap
  2. Building an Ethernet Tap
  3. Throwing Star LAN Tap
  4. Create a passive network tap for your home network

The disadvantages of network tap:

  1. Can not monitor gigabit networks. Requires “filterable tap”.
  2. The monitoring port does not allow outgoing traffic. Therefore you need three network cards in the monitoring computer, two for monitoring, another for communication.

This blog will guide you to deploy WFilter with “Throwing Star LAN Tap”.

2. Deploy the LAN Tap.

First, you need to attach three network cards in the monitoring computer.

In this example, this lan tap is connected between the router and first switch(J1 and J2). Monitoring ports J3 and J4 are connected to two adapters of the monitoring computer.

Actually it does not require ip address for the monitoring adapters. In this example, we assign “192.168.1.181″, “192.168.1.182″ to the two monitoring adapters(Assigning an ip address makes it easier for us to identify the adapter in WFilter). The third adapter is assigned with “192.168.2.189″.

3. Setup WFilter

Check the two monitoring adapters in “System Settings”->”Monitoring Settings”. The blocking adapter shall be choosed as the third adapter for sending blocking packets.

Now we’re able to monitor client computers. You will notice that one monitoring adapter only get incoming packets, while another adapter only get outgoing packets. This is how network tap is designed.


Client computers also can be blocked.

How to block stock market trading programs in network?

Employees can spend hours on reading market data and online stock trading. To keep productivity, it is necessary to block online trading traffic during working hours.

This tutorial will guide you to block “Nest trader” and “(IIFL) Trader Terminal” traffic in your network.

Since WFilter does not have these two protocols supported in default, you need to add customize protocols in “System Settings”->”Customize Protocols”.

1. Block IIFL trade terminal

1). Add a new protocol named “IIFL Trader”, choose a protocol type.

2). Add a new pattern, choose pattern “Type” as “TLS”. Set pattern content as “swaraj\.indiainfoline\.com”.

3). Check “Block IIFL Trader” in your blocking policy.

4). Now IIFL trader can be blocked.

2. Block “Nest trader”

1). Add a new protocol named “Nest Trader”, choose a protocol type.

2). Add a new pattern, choose pattern “Type” as “TCP SEND”. Set pattern content as “^\x00\x00\x00\x13\x52\x55\x00\x0f\x6c\x69\x63\x65\x6e\x73\x65\x5f\x63\x68\x65\x63\x6b\x65\x72″.

3). Check “Block Nest Trader” in your blocking policy.

4). Done. Now Nest trader will also be blocked.

Does port mirroring influence my network speed?

For pass-by monitoring and filtering, you need to setup a mirroring port in your switch. When port mirroring feature is enabled, the switch will replicate data from other ports onto a single port for monitoring purpose. Since the original packets will not be hold or delayed, port mirroring does not affect your network speed theoretically.

However, inproper port mirroring settings will cause heavy load in your switch and even cause packet loss.

So please consider the following points when configuring a mirroring port:

  1. Do not mirror multiple ports to one port until necessary.
  2. If it is required to mirror multiple ports, please make sure the total mirrored ports throughput will not exceeds the mirroring port throughput limit.
  3. For WFilter, mirroring the internet port is enough. Usually, only the router/firewall port needs to be mirrored.
  4. If your switch does not allow outgoing traffic on the mirroring port, or you’re using WFilter to filter internet access for more than 50 computers, it is recommended to use two network adapters: one is for monitoring only, another one is for filtering.

How to check whether port mirroring settings are correct?
How to check whether a switch supports port mirroring?
Why a port mirroring switch is required to monitor my network?

How to filter the internet access for business network?

The internet has been turned to an invaluable tool in business. However, the availability of internet currently has given
an important risk factor to the employer liability and at the same time
consumes the employers 90% of hours in productivity.

Therefore internet access shall be filtered and restricted to keep the working productivity of your employees.

There have several ways to filter internet access:

1. Setup an network internet filtering program.
With a filtering program, you will be able to filter internet access of all computers in your network from ONE computer only.
There have a lot such products in the market. For example, WFilter
Enterprise, or Websense Enterprise are very helpful for you to filter internet access of network computers.

Passby internet filtering products usually require you to setup a mirroring port in a manageable switch. Setting up a mirroring port does no change to your network toplogly and it will not influence your network performance.

2. Setup ACL policy in your Router/Firewall/UTM. Firewall devices can
enable you to block websites/ports/ip addresses. So you also can setup
ACL rules in your firewall to block certain traffic. For more
information about UTM solution, please visit http://www.astaro.com

3. Filter websites from the dns server. You may try “opendns” solution.
Opendns solution is simple and easy to setup. However, with this
solution, there can only have one policy for your entire network.

How to block internet access of guest computers in network?

Guest computers might come and leave for a network. However, unmanaged internet access of guest computers could be a nightmare for your network. Guest computers can consume most of your bandwidth with p2p downloading, and download copyrighted materials or virus which might be harmful.

This tutorial will guide you to setup a default internet blocking policy for guest computers with WFilter 3.3 version.

1. Set a different ip address range for guest computers.

If guest computers share a same ip address range with your existing computers, you won’t be able to recognize them. For management purpose, the guest computers shall be in a different ip address range. For example:

1. Allocate all you existing computers with static ip addresses from “192.168.1.0″ to “192.168.1.200″.

2. In your wireless AP, set the DHCP range from “192.168.1.200″ to “192.168.1.250″.

Now every guest computers(mostly laptops) will get an ip address in range “192.168.1.200 – 192.168.1.250″. Then you can set a blocking policy for them in WFilter.

2. Setup default blocking policies for certain ip ranges.

Now you can setup a default blocking policy for ip address in range “192.168.1.200 – 192.168.1.250″. Every new computers in this ip range will be applied with this default policy.

Please notice: If you can not setup a different DHCP range for guest computers, you also can enable this “default monitoring policy” for new found computers. This feature is for WFilter to automatically configure monitoring and blocking policy when it detects a new computer.

More information, please check “WFilter Enterprise”.

Other related links:

How to
block internet downloading?

How
to monitor internet usage on company network?

Internet
monitoring software for business

How to filter
web surfing?

How
to block websites and restrict internet access?

How
to block HTTPS websites on my network?