Category Archives: Deployment

Deployment of WFilter NG Firewall

WFilter Pass-by deployment for multiple VLANs network.

WFilter Enterprise( WFilter internet content filter) supports monitoring and filtering of multiple VLANs clients from a central WFilter pc.

Below is the deployment diagram:wfilter-vlan

Please note:

  1. The WFilter pc shall have two network cards.
  2. NIC1 shall be connected to the mirroring port.
  3. NIC2 shall be connected to the management VLAN, which can communicate with other VLANs.
  4. The mirroring port shall be configure to monitor the uplink port. (Connected to the up-layer router or firewall)

In WFilter, you also need to setup the “mirroring adapter” and “blocking adapter” in “System Settings”->”Monitoring Settings”. The mirroring adapter shall be the adapter connected to the mirroring port, while the blocking adapter shall be connected to the management VLAN.

 

WFilter added “Email Notification” in the ISP module.

The ISP module of “WFilter NG firewall” designed for ISPs to manage users and bandwidth plans.

Beside “user web portal”, a recent update of “WFilter NG Firewall” added “Email Notification” feature. So users can get email notification of their bandwidth usage.

isp_emai_notification

As shown in the above diagram, you can set different email alert frequency for “valid users” and “cap exceeded users”, with different email contents.

This feature will be helpful for ISPs who prefer use email alert rather web portal.

WFilter email monitoring solutions for business networks.

Many users asked about email monitoring and recording features of WFilter. Actually, WFilter, including “WFilter Enterprise” and “WFilter NG firewall”, all are able to record SMTP, POP3, IMAP and web-based emails on network. However, there are some limitations of this feature.

This post will discuss WFilter’s email monitoring features and solutions.

1. Monitoring of email clients

An email client receives emails via POP/IMAP protocols, sends emails via SMTP protocol. In today, SSL encryption is widely used for email clients. There are two kinds of SSL encryption: “SSL Connection” and “STARTTLS”. With WFilter, you can:

  • Monitoring emails via plain SMTP/POP/IMAP.
  • Email attachments can also be recorded.

For SMTP/POP/IMAP over SSL, you have two solutions:

Solution 1: block SSL email connections to force email clients using plain email protocols.

block_ssl_mail_en

When blocking is applied, email clients need to be re-configured to disable SSL encryption.

block_ssl_mail_en2

Solution 2: Enable “SSL Email Inspection” with “WFilter NG Firewall”.

This feature can intercept SSL connections and record SSL emails. However, “STARTTLS” still can not be recorded, even “SSL Email Inspection” is enabled. Please check: SSL Email Inspection

2. Monitoring of Web Emails

Web email means receiving and sending emails within a web browser. Please note that web emails received can not be recorded, while http outgoing emails can be recorded by WFilter. Please note:

  1. Outgoing http web emails can be recorded.
  2. Https web emails can not be recorded.
  3. Not all http attachments can be recorded. It depends on the uploading protocol.
  4. For http web emails not recorded, you may contact us for a web email format upgrade.

 

Optimize bandwidth of your network with WFilter NG Firewall.

Sometimes you will come to the following solutions when your internet bandwidth is insufficient:

  1. Use more than one broadband connection.
  2. Block applications which consume much bandwidth. For example, you might use “WFilter Enterprise passby internet content filter windows software” to block downloading and online streaming.
  3. Limit the real-time bandwidth rate for clients. This can be done in your router of firewall.

However, these solutions have disadvantages:

  1. Without access control, using multiple broadband connections can not bring better experience. It because downloading and streaming can easily consume most of your bandwidth.
  2. “Application blocking” can save your bandwidth. However, users experience are impacted. Users will complain about no streaming or downloading.
  3. Rate limiting does not optimize your bandwidth. Users will still complain about slow internet speed.

WFilter NG Firewall brings total solutions for bandwidth optimization.

1. Powerful access control policy

With “Access Policy” modules, you can block p2p downloading, online streaming, streaming websites. Please check: Access Policy

2. Multi-WAN load balancing and routing

In case you have multiple broadband connections, WFilter NG Firewall’s “Multi-WAN” module can help you to:

  • Load balancing on multiple broadband connections.
  • Setup routing policies. For example, a). business servers are routed to a dedicated connection, b). video sites are routed to another connection.

For more details, please check: Muti-WAN

3. Bandwidth priority

With the “Priority” module, traffic with higher priority goes first. For example, you can set business servers traffic to the highest priority. So even the network is extremly busy, servers bandwidth won’t be influenced.

When installed, there are default rules: email > web > p2p and streaming. You also can customize your own rules.

For more details, please check: bandwidth priority

4. Bandwidth shaper

This module is for you to set bandwidth rate for clients. You can set the rate to ip ranges, user group or department.

Each group have a “maximum bandwidth rate” and “minimum bandwidth rate”. The minimum rate ensures the clients to have this bandwidth rate even the line is busy.

For more details, please check: bandwidth shaper
Try WFilter NG Firewall now: WFilter NG Firewall

WFilter 4.1 version is coming.

Finally, WFilter 4.1 version is coming to the beta testing after two years of development. Now let me show you the exciting new features in this new version.

1. More deployment solutions

More deployment solutions are added, especially for wifi networks. We also added solutions to monitor by mac address in multiple segments networks. In WFilter 4.0 version, only “by ip address” mode is supported, the new version will retrieve mac address information from your core switch via SNMP.

2. More monitored content

Added support for ip protocols and ip fragment. For web monitoring, WFilter new version will record browser type(userAgent) as well.

3. Faster UI speed

We adopted fastcgi technology in the new 4.1 version, which makes great improvement on UI loading speed. Monitoring performance is also improved.

4. New UI design

Added “common” menu for you to define common used menus, so you can open a page within one click.

We also re-designed the “online computers” page.


5. New “Protocols” system

With this “protocols” system, you can download and share protocols within a few clicks. You will never have the pain to configure new protocols any more.

6. New “Plugins” system

We integrated a set of tools for network monitoring and management, which is still growing. You can get plugins for network discovery, wfilter management and other related features.

7. New “web content push” feature

This feature enables you to push web content without a real blocking. You can define time interval, web push triggers for this content to appear regular in client computers.

8. More flexible policy settings

With the last version, it’s easier to assign policy for new detected devices, and set default OU policy for new detected AD users.

New version downloading URL: WFilter 4.1

Please notice: WFilter 4.1 version is still in beta testing, and some features are not fully tested. This version is only for preview and testing purpose. So if you already have a stable WFilter 4.0 running, it’s not wise to replace it with this beta version.

Wifi network monitoring solutions

Since most wireless network cards do not support “promiscuous mode”, it becomes complicated to deploy internet monitoring and filtering in a wifi network.

In this blog, I will list three common solutions for wifi network monitoring.

1. Port mirroring

Some wireless router can support “port mirroring” feature. If your router support this feature, you can enable the mirroring port and connect the WFilter computer to the mirroring port. The WFilter computer shall have a wired network card can be connected to the mirroring port by a cable.

This cisco article provides a good guide: Configuration of Port Mirroring on WRVS4400N Wireless-N Gigabit Security Router

2. Deploy WFilter in an upper layer device

In case you have an upper layer device with “port mirroring” feature, you can deploy WFilter in the upper layer. Check this solution: WFilter deployment in a wireless network

3. Configure the WFilter PC as internet gateway.

This solution is helpful when you only have ONE wireless router in your network, it’s rather simple for WFilter deployment. This solution rather helps when you don’t have a port mirroring switch or router.

Check this solution at here: A simple deployment of WFilter with wireless router

4. Turn your PC into a Wi-Fi HotSpot to deploy WFilter

You can turn your windows PC into a wifi hotspot, so clients connected to this wifi hotspot can be monitored by WFilter.

Check this solution at here: Turn your PC into a Wi-Fi HotSpot to deploy WFilter

5. Reflash your router into an embeded linux system.

If none of above solutions works for you, you can choose to reflash your router into openwrt/ddwrt/tomato/gargoyle firmware. These firmware allows you to install software port-mirroring solutions.

Here is a guide: WFilter deployment with openwrt router.

 

 

WFilter deployment with gargoyle router.

1. Gargoyle Router Introduction

Gargoyle is an OpenWrt distribution which aims to be easy to use through a simplified Web interface. Gargoyle can extend your wireless router into a powerful Linux system. even if your router hardware does not support “port mirroring” function, you can also enable traffic mirroring by software mirroring.

This blog will guide you to install “port-mirroring” program in your Gargoyle router and deploy WFilter for internet monitoring and filtering. We assume you already has an Gargoyle router, if not, please check Gargoyle homepage to get the latest firmware.

2. Port-mirroring program

Port-mirroring is an open source project sponsored by IMFirewall Software, it is designed to mirror network traffic on linux systems.

2.1. Installation

For detailed installation guide, please check Port-mirroring open source packet mirroring. In this guide, let’s take linksys wrt54g router as an example.

Steps:

a). opkg update.

b). opkg install http://port-mirroring.googlecode.com/files/port-mirroring_1.3-1_12.09_brcm47xx.ipk

Because gargoyle is based on openwrt attitude adjustment 12.09 branch, we need to install the build for openwrt 12.09.

2.2. Configuration

You need to edit /etc/config/port-mirroring to set the mirroring target and mirrored source interfaces.

In this example, we choose “eth0″ wireless adapter as the mirrored source interface.

2.3. Start Port-mirroring

/etc/init.d/port-mirroring start

3. Check monitoring in WFilter

Now WFilter shall be able to monitor client computers.

How to deploy WFilter with tomato router?

The “–tee” option of iptables can mirror network packets to a target ip address. With this feature, you can deploy monitoring easily when you have an embed Linux router.

In this tutorial, we will guide you to deploy WFilter using a Tomato router(firmware version: v1.28).

1. Enable SSH login in Tomato

Enable “SSH Daemon” in “Administration” – “Admin Access”.

2. Login into your Tomato router.

Login into your Tomato router using any ssh client.

3. Enable the ipt_ROUTE module.

For “–tee” option to work, you need to enable the “ipt_ROUTE” module, which is not enabled by default.

4. Add the iptables rule for packet forwarding.

In this example, we forward packets to “192.168.1.100″.

5. List and verify iptables rules.

You can list your iptables rules to check whether this rule is successfully added.

6. Add startup script.

If you want this rule to exist after router rebooting, you need to add these two commands into the startup scripts in “Administration – Scripts”.

modprobe ipt_ROUTE

iptables -A PREROUTING -t mangle -j ROUTE –gw 192.168.1.100 –tee


7. Check your WFilter settings.

Please notice, “iptables” will not forward original mac addresses of packets. Therefore, you can not use “by mac address” monitoring mode of WFilter, use “by ip address” instead.

Done.

WFilter deployment with a network tap.

1. What is network tap?

Network tap is also a good way to monitor network traffic. Comparing to “port mirroring” switch, it has several advantages:

  1. Handy and flexible, requires no power supply.
  2. Once a network tap is in place, the network can be monitored without interfering with the network itself.
  3. Low cost, you even can dry it by yourself.

Guide to make a network tap can be found at below links:

  1. Throwing Star LAN Tap
  2. Building an Ethernet Tap
  3. Throwing Star LAN Tap
  4. Create a passive network tap for your home network

The disadvantages of network tap:

  1. Can not monitor gigabit networks. Requires “filterable tap”.
  2. The monitoring port does not allow outgoing traffic. Therefore you need three network cards in the monitoring computer, two for monitoring, another for communication.

This blog will guide you to deploy WFilter with “Throwing Star LAN Tap”.

2. Deploy the LAN Tap.

First, you need to attach three network cards in the monitoring computer.

In this example, this lan tap is connected between the router and first switch(J1 and J2). Monitoring ports J3 and J4 are connected to two adapters of the monitoring computer.

Actually it does not require ip address for the monitoring adapters. In this example, we assign “192.168.1.181″, “192.168.1.182″ to the two monitoring adapters(Assigning an ip address makes it easier for us to identify the adapter in WFilter). The third adapter is assigned with “192.168.2.189″.

3. Setup WFilter

Check the two monitoring adapters in “System Settings”->”Monitoring Settings”. The blocking adapter shall be choosed as the third adapter for sending blocking packets.

Now we’re able to monitor client computers. You will notice that one monitoring adapter only get incoming packets, while another adapter only get outgoing packets. This is how network tap is designed.


Client computers also can be blocked.