Category Archives: Network management

How to bind ip address with mac address in network?

IP and MAC address binding is usually configured in network switch or router(gateway). An effective IP-MAC binding solution needs to:
1. Be able to integrate with the DHCP server to assign static IPs to clients.
2. Have option to block or allow internet for un-bound devices.
3. Be able to do IP-MAC binding in multi-subnet networks.

In this post, I will demonstrate the “IP-MAC binding” feature in WFilter NG firewall. For IP-MAC binding in “WFilter internet content filter”, please check: “WFilter IP-MAC binding solution“.

1. IP-MAC Binding List

You can define the IP-MAC binding list in “Modules”->”Access Policy”->”IP-MAC Binding”. When listed, these devices will always be assigned with static IP addresses when using dynamic IP address.


2. Settings

Below options are available in the “IP-MAC binding” module:
1. For unlisted IP addresses, you can choose “Allow all”, “Block all” or “Block below IP ranges”.
2. For unlisted MAC addresses(devices), you can configure whether to assign IP address or not.


3. Multi-subnet IP-MAC binding solution

Your network is multi-subnet? No worry. With “MAC address detector”, WFilter NGF is able to retrieve MAC addresses from your core switch. So you can bind IP address with MAC address, even in a multi-subnet network.


A guide of “IP-MAC binding” in WFilter NGF can be found at: IP-MAC binding.

How to detect ip conflicted devices in your network with WFilter?

IP conflict in local network can be annoying. When ip conflicts happens, it will cause connection issues. And it’s rather difficult for an IT administrator to locate the conflicted devices.

With WFilter, life is easier.

First, you can block the conflicted devices with a message. As shown in below figure, you can send a message “Your ip address conflicts with our server, please correct it ASAP”. This message will show up when browsing http sites. So the client can fix this issue by himself.


Second, you can run the “Network Health Checker” extension, which can test ip conflicts in your network. The screenshots:


Conflicted devices will be detected, with its mac address and manufacturer.

In this example, now you may talk to the person with “HuaWei” mobile to correct the conflict issue.

Extension home page: “Network Health Checker”

Wiki page: Check network health of availability, IP conflict, ARP spoof and broadcast storm

What’s the difference between Pass-by filtering and Pass-through filtering?

Filtering technologies are divided into two types: Pass-through (sever plug-in based) and Pass-by (standalone-based).


A Pass-by filter usually monitors and filters network traffic with the help of port mirroring while a Pass-through filter monitors and filters network traffic on a gateway or bridge.


The differences between Pass-by filtering and Pass-through filtering: Advantages of Pass-by filtering:


1. Pass-by filtering is easier to be deployed. You only need to setup a mirroring port in your switch without the need to change your network topology. However, since pass-through filtering needs to be installed in the gateway or bridge, usually you need to change your network topology to deploy a pass-through filtering product.


2. Pass-by filtering product, such as WFilter Enterprise, only deals with copies of network packets, without any delay of the original packets. Even a pass-by filtering product stops working, your internet connection stays alive.


However, because a Pass-through product “stops and checks” network packets, it is unavoidable to make slight delay to your internet access. And, when a pass-through filtering product stops working, you will lose your internet connection.


Disadvantages of Pass-by filtering:


1. Port mirroring is required for pass-by filtering, you can not monitor or filter your network without a manageable switch.


2. A pass-by filtering product sends RST packets to terminate TCP connections, however, UDP traffic can not be blocked by pass-by filtering. Usually, you also need to block certain UDP ports in your router for completely blocking.


3. Traffic shaping and QoS is unavailable in pass-by filtering, since it only deals with copies of network packets.

For more information about WFilter technical details, please check: WFilter Inside Technologies.