WFilter internet content filter software can monitor internet activities of network clients. However, the deployment requires you to setup port mirroring in your switch to mirror all internet packets to WFilter for monitoring. Below is a typical network diagram of WFilter deployment:
In many soho networks, there is no manageable switch for port mirroring. In this guide, I will demonstrate a light solution to setup port mirroring directly in your WiFi router. First, you need to get an openwrt/lede WiFi router(or you can reflash your router with openwrt/lede firmware)
Let’s check the network topology first:
The main router is a WiFi router(192.168.1.1) running openwrt system. A PC with WFilter installed is connected to this WiFi router using a cable, with IP address 192.168.1.2. Other network clients are all wireless. Packet port-mirroring is also installed in this openwrt system.
You need to enable port-mirroring service in openwrt to mirror network packets to the WFilter pc, syntax:
1) target: the target pc ip address, or interface
2) source_ports: wlan0(the wireless adapter)
Then you shall be able to monitor all clients internet activities in WFilter UI. Screenshots:
You also can setup internet filtering policies to block websites or applications.
Emails sent or received through a company email account are generally not considered private. As an internet filtering and monitoring software program, WFilter is able to monitor and archieve network emails.
This guide will demonstrate you how to track and monitor emails of network clients with WFilter NG firewall. Please note that we’re talking about emails sent/received via email clients, not web-based emails. Email clients in computer/laptop/smart phones can all be monitored.
1. Plain text pop3/smtp/imap can be directly recorded.
When WFilter NG firewall is deployed, plain text text pop3/smtp/imap can be directly archieved.
2. “SSL Inspection” shall be enabled to monitor SSL protected emails.
If email connections are “SSL enabled”, you need to enable “SSL Inspection” to decode and parse SSL protected emails.
SSL protected emails can also be recorded.
To filter websites of local network clients, you can have several options.
- First check the features of your internet router/gateway. If you have a powerful router/gateway, you can directly do monitoring/filtering in the router itself.
- You also can try pass-by filtering software solutions. For example, WFilter internet content filter, by setting up a mirroring port in your switch, you can get powerful internet monitoring and filtering with the WFilter program.
WFilter is a windows software program. You can install it in any windows pc, when the wfilter pc is connected to the mirroring port of your switch, you will be able to monitor/filter all network clients.
In WFilter, you can setup internet filtering(application control) and website filtering policies.
You also can block websites by categories, for examples, porn/malicius/streaming sites can all be blocked by one click.
Sometimes when blocking policies are deployed with WFilter, some applications or website might be blocked unexpectedly.
In this guide, I will demonstrator you how to check the blocking reason and add exceptions.
First, check the blocking events
In “Realtime bandwidth”, click bandwidth number of the blocked clients.
You will be able to see the “blocking events”. In “blocking events”, you will get the “blocking reason”, “protocol” and “content”. The “content” shows the domain/IP address being blocked.
Second, add sites to “exception” list
To whitelist the blocked sites/ip addresses, you can add an “exception” policy. Excepted targets won’t be blocked by any other policies.
Third, test and check
Now make some tests to make sure your sites not blocked. If still blocked, you need to redo 1-2 steps until success.
Some users might use tor browser to bypass the control of company firewall, and makes your firewall useless. In this topic, I will guide you to block tor browser traffic in your network with WFilter ICF(internet content filter).
1. Define tor browser protocol
New a “torbrowser” protocol in “System Settings”->”Protocols”.
New pattern, choose “TLS2″ type, “Offset” as “0″, “Pattype” as “Regular Expression”. Patterns: “\x01\x02\x02\x02\x03\x00\x0F\x00\x01\x01$”.
Save settings and apply the changes.
2. Deploy a tor blocking policy
Add a blocking policy, set “Torbrowser” to “Deny” in “applications”.
Apply this policy to certain client devices.
3. Test and checking
After above steps, the tor browser shall not be able to establish a tor network connection.
In “live connections” of WFilter, you can see “tor browser” being blocked.
In previous posts, we’ve discussed various method of Wi-Fi authentication, including “username & password authentication”, “wechat Wi-Fi” and “facebook Wi-Fi”…
SMS Wi-Fi requires clients to input a mobile phone number to receive an access code before visiting internet. So the internet provider can record clients phone numbers for marketing or security purpose.
In this post, I will guide you to enable SMS Wi-Fi authentication in WFilter NG firewall.
First, you need to setup a SMS service.
WFilter send SMS messages via web API, so you need to setup a SMS web service at first. The SMS web service can be in locale or internet.
In this practice, I setup an alibaba cloud account and downloaded the php SDK. The SDK is setup in a local web service. I also modified the SDK demo to get “phone” and “code” from web POST parameters.
Second, enable SMS authentication in WFilter.
In “Web Auth”, you need to choose “SMS” auth type. The “SMS API URL” is configured as the local SDK demo URL.
When a client want to visit internet, a web portal will appear. The client needs to input a correct phone number to receive the access code.
In WFilter account login history, you will be able to see the ip address, mac address and phone number of Wi-Fi clients.
Clients internet activities will also be recorded.
More details about “web authentication” can be found at here: http://wiki.wfilterngf.com/Webauth
In the last version of WFilter NG firewall(2017.09.01), we’ve added ip mac history for all network clients. With this feature, you will be able to:
- Query ip and mac address history of all network clients.
- Gateway and bridge deployment are supported. You can record ip-mac activities even in bridge mode.
- When “mac address detector” is enabled, you’re able to record ip-mac information in multi-subnet networks.
Below are some screenshots:
To save internet bandwidth and raise productivity, administrators need to know bandwidth usage and internet activities in business networks. There are network firewall appliances with this ability, while in this post, I will introduce several software monitoring solutions.
1. Passby monitoring on a mirroring port.
“Port mirror” is a feature of manageable switches or routers. With “port mirroring”, you can get a copy of packets from other ports. So you can setup a software program in the target port pc to monitor all network traffic. This is called as “passby monitoring”. The network diagram:
With WFilter internet content filter installed, you will be able to monitor bandwidth, internet activities and deploy internet access policies. Screenshots:
2. SNMP-based monitoring
Comparing to “port mirroring”, SNMP-based monitoring is easier to setup with less features. However, it’s also very convenient to monitor bandwidth with SNMP. Below are screenshots from PRTG.
3. Linux network bridge
Network bridge is more powerful, with the ability to monitor traffic, allocate bandwidth, filter internet activities… A network bridge shall be deployed between your router/firewall and switch.
To setup a network bridge, you need a pc with two network cards(wired adapters only). I would recommend you to use WFilter NG firewall as the operation system. It’s a dedicated linux distribution for internet content filtering and firewall. Below are screenshots from WFilter NGF:
Most business networks are now providing WiFi access for employees and customers. Since everyone can access WiFi network, unauthorized access will bring virus attack and intruders. So you need to pay more attention to your network security.
Usually, you have below options:
- Set WiFi users in a separator VLAN, which shall only have limited access to enterprise resources. This is the first door to keep intruders out.
- Enable user authentication for WiFi users.
- Enable ip-mac binding for WiFi users.
- Record internet usage history for WiFi users, including IP, MAC, visited websites.
In this post, I will introduce the “Web Auth” feature of WFilter NG firewall. For WiFi clients, the most widely used authentication is “Web Authentication”(Portal Authentication). Clients won’t have internet access until authenticated in a web portal. For IOS and windows, the web portal will show up automatically.
1. User & Pass Authentication
When enabled, WiFi clients will be required for username and password.
Various authentication method are supported, including “Local Auth”, “Email Auth”, “Ldap Auth” and “Radius Auth”.
- If you have an existing ldap domain, you can authenticate with domain users.
- Users also can authenticate with email accounts.
- You also can define local users in WFilter for authentication.
- Remote radius server is also supported.
You can set internet access policy, query history and reports based on usernames.
2. Third Party Auth
“Third party authentication” is designed for marketing purpose. You have “wechat WiFi” and “facebook WiFi” in default. When enabled, users shall checkin in your facebook page to access internet.
Download WFilter NG firewall now!
WFilter NGF has a built-in API library for developers to manipulate the entire system or integrate WFilter features. With APIs, you’re able to:
- 1. Get bandwidth history.
- 2. Get online users, including ip, mac, account, live connections.
- 3. Terminate user connections, kick off user…
- 4. Add/remove user from virtual group to apply policies.
- 5. Extend user expire date.
In this post, I will use an API example to demonstate the API library usage of WFilter NGF. The requirement is simple: “a API call to set access policy and bandwidth rate limit for an ip address”.
1. First, we need to setup WFilter NGF.
Because “access policy” and “bandwidth shaper” are separate modules in WFilter NGF, we need to setup a virtual group with policies applied. In the API call, we only need to add IP addresses into the virtual group to apply the rules.
1.1) New a “limited access” virtual group.
1.2) Setup policies to this group.
2. Use php to call WFilter API.
Now, we’ve setup policies for the virtual group. To implement policies to an IP address, we only need to add this IP into this group. We have a php SDK, you need to include the WFilterNGF.php to call the API functions.
Isn’t it simple? You may check more details in WFilter API. If you have any suggestions or requirement, please feel free to contact us.