Deploy WFilter with a virtual openwrt gateway.

This deployment implements a gateway with OpenWrt running in a virtual machine, so you can run WFilter on the host computer to monitor client computers.

In case you don’t have a mirroring device, you can use this deployment instead. It’s also powerful and reliable.

1. Network Topology

The virtual OpenWrt gateway is connected to the original gateway by a cable. It serves a new subnet to client devices.

2. Steps to build the openwrt virtual gateway.

The host PC runs Windows and must be connected to the network through a wired network card.

1). Download and install VirtualBox

Download URL: https://www.virtualbox.org/wiki/Downloads

2). Download the pre-built openwrt vm.

Download URL: openwrt for wfilter

Uncompress it to a local directory and double-click the file “openwrt_1.vbox”.

You need to modify the “network settings” of this VM: change “Adapter 1” and “Adapter 2” to the network card that is connected to your current gateway.

Now you can start the openwrt vm.

3). Launch openwrt web UI

The VM is assigned a default IP address of “192.168.151.1”. To access its web UI, you need to add the IP address 192.168.151.100 to your current adapter.

Now you can access the OpenWrt web UI in your browser at http://192.168.151.1

Username is root, default password is: im1234

4). Configure Wan Interface

You can configure the WAN interface in “Network”->“Interfaces”->“BR”.

The default WAN IP address is “1.1.1.1”; you need to modify it according to your network settings.

Assign a valid IP address and the gateway IP address to the WAN interface.

5). Configure Lan Interface

You don’t have to modify the LAN interface settings unless you want to change the default subnet “192.168.151.0”.

3. Disable DHCP in current gateway

The existing DHCP server (usually the gateway) must be disabled.

4. Setup WFilter.

Now the virtual gateway is acting as the gateway and DHCP server in your network. Devices that obtain IP addresses from this virtual gateway can be monitored in WFilter.

How to submit support file of WFilter?

Because of complicated settings and network topologies, it’s not easy to describe a WFilter problem.

To help us understand your question, we recommend using the “support” feature of WFilter to submit your support request. The “support” feature gathers the required settings and network packet samples for diagnostic purposes, so we can locate the problem quickly.

It’s simple to submit a support request. In most cases, you only need to describe your question and click “submit”. (Figure 1)

If your question is related to a certain behavior (for example, email sending is not recorded), we will need a packet dump of this behavior.

You need to check “Add packet dump file(s)” and click “Restart Capturing” for WFilter to start packet capturing. (Figure 2)

The default packet dump captures packets of all client computers. To keep it simple, we recommend capturing packets for the testing client computer only. (Figure 3)

We will reply to you by email when we get your support request.

How to monitor and filter internet activities of PPPOE users?

PPPOE is widely used for user authentication and traffic accounting. However, it’s a little difficult to monitor and filter PPPOE clients’ internet usage and behavior.

In this example, we will demonstrate how to monitor and filter PPPOE clients with WFilter Free. Please note that only non-encrypted and uncompressed PPPOE traffic is supported, so the first step is to configure your PPPOE server for no encryption and no compression.

1. PPPOE server settings

Let’s take Windows 2003 and RouterOS as examples.

1). 2003 Server Configuration

If you are using Windows 2003 Server as the PPPOE server, follow the steps below to configure it:

In “Properties” of “Routing and Remote Access”, disable “software compression” and “LCP” in the “PPP” tab.

Edit the “remote access policy” for “no encryption” in “Edit Profile”. Note: both of the two default policies must be modified.



2). ROS Configuration

If you are using RouterOS as the PPPOE server, follow these steps to disable compression and encryption:

In “PPP” tab of “Profiles”, click “Protocols” and disable compression and encryption.
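To confirm that the server settings took effect, look at the PPP protocol field of PPPoE session frames captured on the internal adapter: 0x0021 is plain IPv4 that a monitor can parse, while 0x00FD (compressed datagram, also used by MPPE) and 0x0053 (encrypted datagram) are opaque. The Python below is an added example, not part of WFilter or the original post; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

ETH_PPPOE_SESSION = 0x8864  # EtherType for the PPPoE session stage (RFC 2516)

# PPP protocol numbers for data frames (IANA PPP DLL Protocol Numbers)
PPP_DATA = {
    0x0021: "ipv4",
    0x0057: "ipv6",
    0x0053: "encrypted",           # ECP encrypted datagram
    0x00FD: "compressed_or_mppe",  # CCP compressed datagram; MPPE uses it too
}

def classify_pppoe_frame(frame: bytes) -> str:
    """Classify one Ethernet frame by the PPP protocol it carries."""
    if len(frame) < 14:
        return "malformed"
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip a single 802.1Q tag
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != ETH_PPPOE_SESSION:
        return "not_pppoe_session"
    if len(frame) < offset + 6:
        return "malformed"
    ver_type, code, _session, length = struct.unpack_from("!BBHH", frame, offset)
    if ver_type != 0x11 or code != 0x00:
        return "malformed"
    ppp = frame[offset + 6 : offset + 6 + length]  # drops Ethernet padding
    if not ppp:
        return "malformed"
    if ppp[0] & 1:              # protocol field compressed to one byte
        proto = ppp[0]
    elif len(ppp) >= 2:
        proto = (ppp[0] << 8) | ppp[1]
    else:
        return "malformed"
    if proto >= 0x8000:         # LCP, IPCP, CCP and other control protocols
        return "control"
    return PPP_DATA.get(proto, "other")

def build_sample(ppp_bytes: bytes) -> bytes:
    """Constructed test frame: zeroed MACs + PPPoE session header + PPP data."""
    header = bytes(12) + struct.pack("!H", ETH_PPPOE_SESSION)
    return header + struct.pack("!BBHH", 0x11, 0x00, 1, len(ppp_bytes)) + ppp_bytes

def summarize(frames) -> Counter:
    return Counter(classify_pppoe_frame(f) for f in frames)
```

If `summarize` over a capture still reports `compressed_or_mppe` or `encrypted` frames after the clients reconnect, the server is still negotiating compression or encryption.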

2. Monitor PPPOE clients in WFilter

2.1). Choose the internal adapter

Now WFilter is able to parse PPPOE traffic. In this example, we simply install WFilter Free on the Windows 2003 PPPOE server.

You need to choose the internal adapter as the “monitoring adapter” in “System Settings”->“Monitoring Settings” of WFilter.


2.2). Setup client policy

Add a block policy to block web surfing.


Apply this policy to the PPPOE clients’ IP ranges.


2.3). Check Blocking

PPPOE clients get blocked.

Blocking events in WFilter.

How to block torrent downloading with WFilter free?

From version 1.0.171, WFilter Free is able to block BitTorrent traffic on the network. In this guide, I will demonstrate how to block torrent downloading with WFilter Free edition.

1. Create a “block torrent” policy

2. Define ip ranges to be blocked.

Apply the “block torrent” policy to client ip ranges.

3. Check “Blocking Logs” .

Check WFilter’s blocking history logs; you will be able to see the blocked torrent events.

4. Check bittorrent program.

Bittorrent download speed will be zero when blocked.

Wifi network monitoring solutions

Since most wireless network cards do not support “promiscuous mode”, it becomes complicated to deploy internet monitoring and filtering in a wifi network.

In this blog, I will list three common solutions for wifi network monitoring.

1. Port mirroring

Some wireless routers support a “port mirroring” feature. If your router supports this feature, you can enable the mirroring port and connect the WFilter computer to it. The WFilter computer must have a wired network card that can be connected to the mirroring port by a cable.

This cisco article provides a good guide: Configuration of Port Mirroring on WRVS4400N Wireless-N Gigabit Security Router

2. Deploy WFilter in an upper layer device

In case you have an upper layer device with “port mirroring” feature, you can deploy WFilter in the upper layer. Check this solution: WFilter deployment in a wireless network

3. Configure the WFilter PC as internet gateway.

This solution is helpful when you only have ONE wireless router in your network and no port mirroring switch or router; it makes WFilter deployment rather simple.

Check this solution here: A simple deployment of WFilter with wireless router

4. Turn your PC into a Wi-Fi HotSpot to deploy WFilter

You can turn your Windows PC into a Wi-Fi hotspot, so clients connected to this hotspot can be monitored by WFilter.

Check this solution here: Turn your PC into a Wi-Fi HotSpot to deploy WFilter

5. Reflash your router into an embedded Linux system.

If none of the above solutions works for you, you can reflash your router with openwrt/ddwrt/tomato/gargoyle firmware. These firmwares allow you to install software port-mirroring solutions.

Here is a guide: WFilter deployment with openwrt router.
WFilter deployment with gargoyle router.

1. Gargoyle Router Introduction

Gargoyle is an OpenWrt distribution which aims to be easy to use through a simplified Web interface. Gargoyle can extend your wireless router into a powerful Linux system. Even if your router hardware does not support the “port mirroring” function, you can still enable traffic mirroring in software.

This blog will guide you to install the “port-mirroring” program on your Gargoyle router and deploy WFilter for internet monitoring and filtering. We assume you already have a Gargoyle router; if not, please check the Gargoyle homepage to get the latest firmware.

2. Port-mirroring program

Port-mirroring is an open source project sponsored by IMFirewall Software. It is designed to mirror network traffic on Linux systems.

2.1. Installation

For a detailed installation guide, please check Port-mirroring open source packet mirroring. In this guide, let’s take the Linksys WRT54G router as an example.

Steps:

a). opkg update

b). opkg install http://port-mirroring.googlecode.com/files/port-mirroring_1.3-1_12.09_brcm47xx.ipk

Because Gargoyle is based on the OpenWrt Attitude Adjustment 12.09 branch, we need to install the build for OpenWrt 12.09.

2.2. Configuration

You need to edit /etc/config/port-mirroring to set the mirroring target and mirrored source interfaces.

In this example, we choose the “eth0” wireless adapter as the mirrored source interface.

2.3. Start Port-mirroring

/etc/init.d/port-mirroring start

3. Check monitoring in WFilter

Now WFilter shall be able to monitor client computers.

How to deploy WFilter with tomato router?

The “--tee” option of iptables can mirror network packets to a target IP address. With this feature, you can deploy monitoring easily when you have an embedded Linux router.

In this tutorial, we will guide you to deploy WFilter using a Tomato router (firmware version: v1.28).

1. Enable SSH login in Tomato

Enable “SSH Daemon” in “Administration” – “Admin Access”.

2. Log in to your Tomato router.

Log in to your Tomato router using any SSH client.

3. Enable the ipt_ROUTE module.

For the “--tee” option to work, you need to enable the “ipt_ROUTE” module, which is not enabled by default.

4. Add the iptables rule for packet forwarding.

In this example, we forward packets to “192.168.1.100”.

5. List and verify iptables rules.

You can list your iptables rules to check whether this rule is successfully added.

6. Add startup script.

If you want this rule to persist after the router reboots, you need to add these two commands to the startup scripts in “Administration – Scripts”.

modprobe ipt_ROUTE

iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.100 --tee


7. Check your WFilter settings.

Please note that “iptables” will not forward the original MAC addresses of packets. Therefore, you cannot use the “by mac address” monitoring mode of WFilter; use “by ip address” instead.

Done.

WFilter deployment with a network tap.

1. What is a network tap?

A network tap is also a good way to monitor network traffic. Compared to a “port mirroring” switch, it has several advantages:

  1. Handy and flexible, requires no power supply.
  2. Once a network tap is in place, the network can be monitored without interfering with the network itself.
  3. Low cost; you can even DIY one yourself.

Guides to making a network tap can be found at the links below:

  1. Throwing Star LAN Tap
  2. Building an Ethernet Tap
  3. Throwing Star LAN Tap
  4. Create a passive network tap for your home network

The disadvantages of a network tap:

  1. Cannot monitor gigabit networks. Requires a “filterable tap”.
  2. The monitoring port does not allow outgoing traffic. Therefore you need three network cards in the monitoring computer: two for monitoring and another for communication.

This blog will guide you to deploy WFilter with “Throwing Star LAN Tap”.

2. Deploy the LAN Tap.

First, you need to install three network cards in the monitoring computer.

In this example, the LAN tap is connected between the router and the first switch (J1 and J2). Monitoring ports J3 and J4 are connected to two adapters of the monitoring computer.

The monitoring adapters do not actually require IP addresses. In this example, we assign “192.168.1.181” and “192.168.1.182” to the two monitoring adapters (assigning an IP address makes it easier for us to identify the adapter in WFilter). The third adapter is assigned “192.168.2.189”.

3. Setup WFilter

Check the two monitoring adapters in “System Settings”->“Monitoring Settings”. The third adapter must be chosen as the blocking adapter for sending blocking packets.

Now we’re able to monitor client computers. You will notice that one monitoring adapter only gets incoming packets, while the other adapter only gets outgoing packets. This is how a network tap is designed.


Client computers also can be blocked.

WFilter deployment with openwrt router.

1. Openwrt Introduction

OpenWrt is a highly extensible GNU/Linux distribution for embedded devices. As a third party firmware, OpenWrt can extend your wireless router into a powerful Linux system. With OpenWrt, even if your router hardware does not support the “port mirroring” function, you can still enable traffic mirroring in software.

This blog will guide you to install the “port-mirroring” program on your OpenWrt router and deploy WFilter for internet monitoring and filtering. We assume you already have an OpenWrt router; if not, please check the OpenWrt homepage to get the latest firmware.

2. Port-mirroring program

Port-mirroring is an open source project sponsored by IMFirewall Software. It is designed to mirror network traffic on Linux systems.

2.1. Installation

For a detailed installation guide, please check Port-mirroring open source packet mirroring. In this guide, let’s take the Linksys WRT54G router as an example (with OpenWrt Backfire firmware). Steps:

a). Update the OpenWrt package list.

b). Install the port-mirroring program

opkg install http://port-mirroring.googlecode.com/files/port-mirroring_1.2-1_backfire_brcm47xx.ipk

2.2. Configuration

You need to edit /etc/config/port-mirroring to set the mirroring target and mirrored source interfaces.

In this example, we choose the “wlan0” wireless adapter as the mirrored source interface.

2.3. Start Port-mirroring

/etc/init.d/port-mirroring start

3. Check monitoring in WFilter

Now WFilter shall be able to monitor client computers.