Category Archives: Settings

Settings of WFilter NG Firewall

IP mac history is now available in WFilter NG firewall.

In the last version of WFilter NG firewall(2017.09.01), we’ve added ip mac history for all network clients. With this feature, you will be able to:

  1. Query ip and mac address history of all network clients.
  2. Gateway and bridge deployment are supported. You can record ip-mac activities even in bridge mode.
  3. When “mac address detector” is enabled, you’re able to record ip-mac information in multi-subnet networks.

Below are some screenshots:

QQ截图20170901083529

QQ截图20170901083551

Maccd00.jpg

Software solutions to monitor internet usage in business networks.

To save internet bandwidth and raise productivity, administrators need to know bandwidth usage and internet activities in business networks. There are network firewall appliances with this ability, while in this post, I will introduce several software monitoring solutions.

monitor_usage

1. Passby monitoring on a mirroring port.

“Port mirror” is a feature of manageable switches or routers. With “port mirroring”, you can get a copy of packets from other ports. So you can setup a software program in the target port pc to monitor all network traffic. This is called as “passby monitoring”. The network diagram:

With WFilter internet content filter installed, you will be able to monitor bandwidth, internet activities and deploy internet access policies. Screenshots:

2. SNMP-based monitoring

Comparing to “port mirroring”, SNMP-based monitoring is easier to setup with less features. However, it’s also very convenient to monitor bandwidth with SNMP. Below are screenshots from PRTG.

Image result for PRTG

3. Linux network bridge

Network bridge is more powerful,  with the ability to monitor traffic, allocate bandwidth, filter internet activities… A network bridge shall be deployed between your router/firewall and switch.

Ros guide bridge.png

To setup a network bridge, you need a pc with two network cards(wired adapters only). I would recommend you to use WFilter NG firewall as the operation system. It’s a dedicated linux distribution for internet content filtering and firewall. Below are screenshots from WFilter NGF:

freelicense03

freelicense04

freelicense07

Wireless authentication solutions for business network.

Most business networks are now providing WiFi access for employees and customers. Since everyone can access WiFi network, unauthorized access will bring virus attack and intruders. So you need to pay more attention to your network security.

wifi_auth_solution01_en

Usually, you have below options:

  1. Set WiFi users in a separator VLAN, which shall only have limited access to enterprise resources. This is the first door to keep intruders out.
  2. Enable user authentication for WiFi users.
  3. Enable ip-mac binding for WiFi users.
  4. Record internet usage history for WiFi users, including IP, MAC, visited websites.

In this post, I will introduce the “Web Auth” feature of WFilter NG firewall. For WiFi clients, the most widely used authentication is “Web Authentication”(Portal Authentication). Clients won’t have internet access until authenticated in a web portal. For IOS and windows, the web portal will show up automatically.

1. User & Pass Authentication

When enabled, WiFi clients will be required for username and password.

Faq en webauth002.jpg

Various authentication method are supported, including “Local Auth”, “Email Auth”, “Ldap Auth” and “Radius Auth”.

  • If you have an existing ldap domain, you can authenticate with domain users.
  • Users also can authenticate with email accounts.
  • You also can define local users in WFilter for authentication.
  • Remote radius server is also supported.

You can set internet access policy, query history and reports based on usernames.

2. Third Party Auth

“Third party authentication” is designed for marketing purpose. You have “wechat WiFi” and “facebook WiFi” in default. When enabled, users shall checkin in your facebook page to access internet.


Download WFilter NG firewall now!

API overview of WFilter NGF.

WFilter NGF has a built-in API library for developers to manipulate the entire system or integrate WFilter features. With APIs, you’re able to:

  • 1. Get bandwidth history.
  • 2. Get online users, including ip, mac, account, live connections.
  • 3. Terminate user connections, kick off user…
  • 4. Add/remove user from virtual group to apply policies.
  • 5. Extend user expire date.

In this post, I will use an API example to demonstate the API library usage of WFilter NGF. The requirement is simple: “a API call to set access policy and bandwidth rate limit for an ip address”.

1. First, we need to setup WFilter NGF.

Because “access policy” and “bandwidth shaper” are separate modules in WFilter NGF,  we need to setup a virtual group with policies applied. In the API call, we only need to add IP addresses into the virtual group to apply the rules.

1.1) New a “limited access” virtual group.

api01 api02

1.2) Setup policies to this group.

api03

2. Use php to call WFilter API.

Now, we’ve setup policies for the virtual group. To implement policies to an IP address, we only need to add this IP into this group.  We have a php SDK, you need to include the WFilterNGF.php to call the API functions.

api04

Isn’t it simple? You may check more details in WFilter API. If you have any suggestions or requirement, please feel free to contact us.

 

 

 

Three ways to block torrent traffic in your network.

Torrent downloading is annoying and can consume most of your bandwidth, so you might want to block torrent in your network. There are several ways to block torrent in your network. While in this post, I will introduce three solutions to block torrent(bittorrent, utorrent, qtorrent) with WFilter internet content filter and WFilter NG firewall.

Please be aware that “WFilter internet content filter(ICF)” and “WFilter NG firewall(NGF)” are total different products. WFilter ICF is a windows program, which is designed for pass-by deployment on a mirroring port. While WFilter NGF is a dedicated linux firewall system.

1. Block torrent with WFilter ICF

passby_router_topology.png

As you can see in the diagram, the WFilter internet content filter(ICF) shall be connected to a mirroring port in your router or switch. So it can analysis network packets and deploy internet access policies. Steps to block torrent with WFilter ICF:

blocktorrent01 blocktorrent02 blocktorrent03

2. Block torrent with WFilter NGF as a network bridge.

Network topology diagram:

Ros guide bridge.png

WFilter NGF acts as a network bridge, sitting between your router and switch. So it can filter internet traffic.

3. Block torrent with WFilter NGF as a network gateway.

Network topology diagram:

Ros guide gateway.png

In this topology, WFilter NGF acts as the gateway of your network to deploy internet access policies. Please be aware that you can install WFilter NGF in a virtual machine to act as a virtual gateway, here is a guide: Using a pre-built VMWare image of WFilter NG Firewall

You can setup “application control” policies to block torrent with below steps:

block_torrent1 block_torrent2 block_torrent3

 

When deployed and configured properly, both WFilter ICF and WFilter NGF can block torrent completely. All torrent clients will have zero uploading and downloading speed.

utorrent_4 block_torrent04[1][2] after.

 

WFilter ICF homepage: WFilter Internet Content Filter

WFilter NG homepage: WFilter NG firewall

WFilter videos: WFilter Videos

 

 

How to setup ip-mac binding in your switch?

For security purpose, you might want to bind ip address with MAC address for client devices. There are several IP-mac binding solutions, including ARP binding, port-based binding…

In this post, I will introduce the steps to setup port-based IP-MAC binding in your switch.

1. Cisco 2950

Syntax of cisco 2950 port-based IP-MAC binding.
Switch#config terminal
Switch(config)#Interface fastethernet 0/1
Switch(config-if)#switchport port-security mac-address xxxx.xxxx.xxxx ip-address 192.168.x.x

2. Huawei S5700

Syntax of Huawei S5700 port-based IP-MAC binding.
#interface GigabitEthernet 1/0/1
#user-bind mac-addr xxxx-xxxx-xxxx ip-addr 10.100.11.2

Other models have similar syntax. Port-based binding in switch is powerful, but it’s rather complicated to setup and maintaince, especially when you have a lot clients.

However, IP-MAC binding in gateway is easier to setup, also with powerful features, please check below screenshots in WFilter NG firewall.

3. WFilter NGF

ipbound01 ipbound02

When configured, DHCP clients will be assigned with static ip addresses; clients not matching the ip-mac binding relationship will be blocked.

A site to site ipsec vpn example.

With the “IPSec VPN” module in WFilter NGF, you can build a secure site-to-site VPN by a few clicks. In this post, I will demonstrate a typical usage of site to site ipsec vpn. Please check the diagram at first.

ipsecVPN

When successfully configure, A,B,C will have full access of each other. Please check below steps:

Suppose you have 3 networks:

  • Headquarter A, static public ip address, LAN subnet is 192.168.10.0/24.
  • Branch B, PPPoE internet access, LAN subnet is 192.168.30.0/24.
  • Branch C, PPPoE internet access, LAN subnet is 172.16.1.0/24.

Now let me guide you to build a virtual private network(VPN) for these three locations.

1 Settings for Headquarter A

  • Setup the IPSec tunnel

Ipsec center01.png

Ipsec center02.png

  • Enable forwarding of branches

Without this setting, branches can access headquarter, but no access between branches. Ipsec center03.png

2 Branch B

  • Setup the IPSec tunnel

Ipsec client01.png

  • Add a routing rule to branch C

Set branch C’s LAN subnet to “Destination”, set headquarter A’s public IP to “Gateway”. Without this routing rule, branch B can not access branch C.

Ipsec client02.png

3 Branch C

  • Setup the IPSec tunnel

Ipsec client03.png

  • Add a routing rule to branch B

Set branch B’s LAN subnet to “Destination”, set headquarter A’s public IP to “Gateway”. Without this routing rule, branch C can not access branch B.

Ipsec client04.png

By above steps, A,B,C are now in a virtual private network. If you don’t want access between B and C, there is no need to add the firewall and routing rules.

Powerful networking diagnose tool sets for IT professionals.

toolsethome
As a network professional, when things go wrong in your network, the right tools are required to minimize network downtime.
In this post, I will reveal you the extension system in WFilter, a powerful tool sets for networking issues.

At a first galance

toolset01

All WFilter systems have an “extension” library, which contains a powerful free tool sets for IT administrators. Most extensions are free. Even supported in WFilter free, a freeware for network internet filtering and monitoring.

Now let’s see what we can do with WFilter extensions:

1. Scan client devices in network

With “network scan” extension, you can get a complete list of network clients, including IP, MAC, manufactor and open ports…
toolset02

2. Discover and scan DHCP services in network

The “Network DHCP discover plugin” of WFilter can scan DHCP services in your network by a single click. It will list all dhcp servers ip addresses, MAC addresses and MAC manufactures.

3. Detect NAT sharing services in network

Detect illegal NAT sharing in network.

4. Check network health of availability, IP conflict, ARP spoof and broadcast storm

This extension can:

  1. check availability and ping performance of dns servers.
  2. check availability and ping performance of internet sites.
  3. check availability and ping performance of local network hosts.
  4. check whether there is ip conflict in local network.
  5. check whether there is arp spoof running in local network.
  6. check whether there is broadcast storm in local network.

5. Scan proxy servers in network

6. Graph ping performance of multiple hosts

With this plugin, you can get ping performance and graph reports for multiple hosts in a period of time.

A complete extesions list can be found at here: WFilter extensions. And more will come. The most important thing is that most extension are free, supported in “WFilter internet content filter(commercial)”, “WFilter NG firewall” and “WFilter Free”.

Isn’t it exicting? Download WFilter Now!

How to bind ip address with mac address in network?

IP and MAC address binding is usually configured in network switch or router(gateway). An effective IP-MAC binding solution needs to:
1. Be able to integrate with the DHCP server to assign static IPs to clients.
2. Have option to block or allow internet for un-bound devices.
3. Be able to do IP-MAC binding in multi-subnet networks.

In this post, I will demonstrate the “IP-MAC binding” feature in WFilter NG firewall. For IP-MAC binding in “WFilter internet content filter”, please check: “WFilter IP-MAC binding solution“.

1. IP-MAC Binding List

You can define the IP-MAC binding list in “Modules”->”Access Policy”->”IP-MAC Binding”. When listed, these devices will always be assigned with static IP addresses when using dynamic IP address.

ipbound01

2. Settings

Below options are available in the “IP-MAC binding” module:
1. For unlisted IP addresses, you can choose “Allow all”, “Block all” or “Block below IP ranges”.
2. For unlisted MAC addresses(devices), you can configure whether to assign IP address or not.

ipbound02

3. Multi-subnet IP-MAC binding solution

Your network is multi-subnet? No worry. With “MAC address detector”, WFilter NGF is able to retrieve MAC addresses from your core switch. So you can bind IP address with MAC address, even in a multi-subnet network.

Maccd00.jpg

A guide of “IP-MAC binding” in WFilter NGF can be found at: IP-MAC binding.

WFilter ICF vs. proxy-based internet filtering solutions

Proxy-based internet filtering solution requires you to setup a proxy server, either transparent or non-transparent, then you can setup policies to filter web access. There are a lot open source or free products. This solution has below advantages and disadvantages.

Advantages:

  1. Free or open source.
  2. Can filter websites.

Disadvantages:

  1. Most are linux-based. You need a linux pc to setup the proxy.
  2. No support.
  3. Less features. Only for domain filtering.
  4. Add network latency.

Comparison

Proxy-based internet filtering solution is similar to the “website black list” in your router/firewall. If you only need to block some sites, it’s an option.

With WFilter ICF, you will get:

  1. Enterprise-level internet monitoring and filtering features.
  2. Dedicated support.
  3. No influence to network performance.
  4. Easier to be deployed.