Category Archives: Content Filter

How to monitor and filter internet activities of PPPOE users?

PPPOE is widely used for user authentication and traffic accounting. However, it’s a little difficult to monitor and filter PPPOE clients’ internet usage and behavior.

In this example, we will demonstrate you to monitor and filter PPPOE clients with WFilter Free. Please notice that only non-encrypted and uncompressed PPPOE traffic can be supported. So the first step is to configure your PPPOE server for non-encryption and non-compression.

1. PPPOE server settings

Let’s take windows 2003 and RouteOS for examples.

1). 2003 Server Configuration

If you are using windows 2003 server as the PPPOE server, please follow below steps to configure:

In “Properties” of the “Routing and Remote Access”, disable “software compression” and “LCP” in the “PPP” tab.

Edit “remote access policy” for “no encryption” in “Edit Profile”. Notice: The default two policies shall all be modified.

2). ROS Configuration

If you are using routeOS as PPPOE server, please follow these steps to disable compression and encryption:

In “PPP” tab of “Profiles”, click “Protocols” and disable compression and encryption.

2. Monitor PPPOE clients in WFilter

2.1) Choose the internal adapter

Now WFilter is able to parse PPPOE traffic. In this example, we just install WFilter free in the windows 2003 PPPOE server.

You need to choose the internal adapter as the “monitoring adapter” in “System Settings”->”Monitoring Settings” of WFilter.

2.2). Setup client policy

Add a block policy to block web surfing.

Apply this policy to PPPOE clients’ ip ranges

2.3). Check Blocking

PPPOE clients get blocked.

Blocking events in WFilter.

WFilter deployment with gargoyle router.

1. Gargoyle Router Introduction

Gargoyle is an OpenWrt distribution which aims to be easy to use through a simplified Web interface. Gargoyle can extend your wireless router into a powerful Linux system. even if your router hardware does not support “port mirroring” function, you can also enable traffic mirroring by software mirroring.

This blog will guide you to install “port-mirroring” program in your Gargoyle router and deploy WFilter for internet monitoring and filtering. We assume you already has an Gargoyle router, if not, please check Gargoyle homepage to get the latest firmware.

2. Port-mirroring program

Port-mirroring is an open source project sponsored by IMFirewall Software, it is designed to mirror network traffic on linux systems.

2.1. Installation

For detailed installation guide, please check Port-mirroring open source packet mirroring. In this guide, let’s take linksys wrt54g router as an example.


a). opkg update.

b). opkg install

Because gargoyle is based on openwrt attitude adjustment 12.09 branch, we need to install the build for openwrt 12.09.

2.2. Configuration

You need to edit /etc/config/port-mirroring to set the mirroring target and mirrored source interfaces.

In this example, we choose “eth0″ wireless adapter as the mirrored source interface.

2.3. Start Port-mirroring

/etc/init.d/port-mirroring start

3. Check monitoring in WFilter

Now WFilter shall be able to monitor client computers.

How to deploy WFilter with tomato router?

The “–tee” option of iptables can mirror network packets to a target ip address. With this feature, you can deploy monitoring easily when you have an embed Linux router.

In this tutorial, we will guide you to deploy WFilter using a Tomato router(firmware version: v1.28).

1. Enable SSH login in Tomato

Enable “SSH Daemon” in “Administration” – “Admin Access”.

2. Login into your Tomato router.

Login into your Tomato router using any ssh client.

3. Enable the ipt_ROUTE module.

For “–tee” option to work, you need to enable the “ipt_ROUTE” module, which is not enabled by default.

4. Add the iptables rule for packet forwarding.

In this example, we forward packets to “″.

5. List and verify iptables rules.

You can list your iptables rules to check whether this rule is successfully added.

6. Add startup script.

If you want this rule to exist after router rebooting, you need to add these two commands into the startup scripts in “Administration – Scripts”.

modprobe ipt_ROUTE

iptables -A PREROUTING -t mangle -j ROUTE –gw –tee

7. Check your WFilter settings.

Please notice, “iptables” will not forward original mac addresses of packets. Therefore, you can not use “by mac address” monitoring mode of WFilter, use “by ip address” instead.


How to deploy WFilter free with mikrotik routerOS(ROS)?

The “packet streaming” feature in RouterOS can send network packets to a network parser for analysis. In case when you don’t have a manageable switch, you can enable this feature for WFilter to monitor and filter network computers.

In this blog, I will demonstrate you to set up WFilter free for web filtering with RouterOS.

Enable Packet Streaming

In “Tools”->”Packet Sniffer”, choose the lan interface as the sniffer interface.

Set the WFilter server ip as the streaming server

Done, now you shall be able to monitor all network computers in WFilter Free or WFilter Enterprise.

Let’s add a blocking policy to check.

First, add a blocking level.

Block web surfing

Second, apply this blocking policy to target ip range.

Check blocking

How to deploy WFilter in a VMware ESXi server?

VMware ESX and ESXi server are widely used in business networks. This document will guide you to deploy WFilter in a ESXi server to filter internet traffic of virtual systems.

In a VMware ESXi server, WFilter can work both in “Pass-by” and “Pass-through” modes. For more details about these two modes, please check: WFilter deployment modes

It is simple for WFilter to work in “Pass-by” mode in a VMware ESXi server. You simply need to install WFilter in a VMWare virtual computer and allow “Promiscuous mode” of the virtual switch. However, because WFilter can not filter UDP traffic in pass-by mode, you also need to configure udp blocking in an up-layer router/firewall. Please check: How to block certain UDP ports in router/firewall?

In this tutorial, we will introduce you to deploy WFilter in pass-through mode in a VMware ESXi server.

Deploy WFilter in pass-through mode in a VMware ESXi server.

To deploy WFilter in pass-through mode on a VMware ESXi server, following conditions are required:

  1. A virtual computer with two adapters to install WFilter.
  2. At least two virtual switches.
  3. The two adapters shall be connected to different virtual switches.

As in below figure, the wfilter server “94-wfilter-server” is connected between “vSwitch0″ and “vSwitch1″. In this topology, all virtual computers in vSwitch1 will be monitored and filtered by the WFilter server “94-wfilter-server”.

Step 1, create a new virtual switch

As in below figure, a new virtual switch with no physical adapter is created.

Step 2, connect the two adapters to different virtual switches

To bridge the virtual switches, two adapters of the WFilter server shall be connected to different virtual switches.

Step 3, allow “Promiscuous mode” of virtual switches

The virtual switches connected to the wfilter server shall be configured to accept “Promiscuous Mode”.

Now, you also need to bridge the two adapters inside the WFilter server. And the WFilter program shall be configured to work in “Pass-through mode”. Please check this document for more details: Deploy WFilter in a windows network bridge.

How to whitelist yahoo mail and hotmail websites in WFilter?

How to whitelist yahoo email and hotmail websites?

Sometimes you might want to block all websites with exception. In that case, you can enable WFilter’s “website whitelist” to do this.

However, websites can be complicated with differenet images/ad/files hosts. It will require you to whitelist several domains for a webpage to be properly loaded. For example, is also requiried for images in yahoo email.

In this topic, I will demonstrate you to identify the required domains for a website.

First, add the domain into the exception list

Second, make a visit and check real-time blocking of WFilter.

Make a visit to this website and check “real-time blocking” or “Current Activity” in WFilter, you will see several blocking events. These domains are also required for this webpage.

Add more domains into the exception list

Add more blocked domains into the exception list until the website can be properly loaded.

In this example, for hotmail and yahoo mail to work, you need to add below list:






How to set a redirect denial page in WFilter?

Sometimes you might want to redirect blocked websites to a new URL. To do this, you need to edit WFilter denial page in source mode.

This tutorial will guide you to configure a redirect denial page in WFilter.

First, edit a blocking level

Edit a blocking level and new a denial page. Please don’t forget to list your new URL in the exception list.

Second, edit the denial page in source mode.

A javascript code is required:


Third, uncheck “view source” and click “Save” to save the settings.

Please notice, click “save” after unchecking “view source”.

Done, now all blocked web request will be redirected to the new url.

More information, please check “WFilter Enterprise”.

Other related links:

How to block UDP ports in RRAS windows server 2003?
How to block internet downloading?
How to monitor internet usage on company network?
Internet monitoring software for business
How to filter web surfing?
How to block websites and restrict internet access?
How to block HTTPS websites on my network?

Modify ESET personal firewall settings to make WFilter work.

All internet packets are required for WFilter to parse network activities. However, the ESET personal firewall blocks non-local computer network packets by default. Therefore, when the ESET personal firewall is enabled, WFilter can not monitor itself computer because other computer’s network packets are all blocked by ESET.

To make WFilter work with ESET personal firewall, you need to adjust the firewall settings.

The following example demonstrates how to configure ESET Smart Security 5.0:

1. Click “Setup” -> “Network” in ESET.

2. The filtering mode shall be “interactive filtering mode”.

3. Click “Configure rules and zones…” to set the rules.

In “Toggle detailed view of all rules” view, click “new” to creat a new rule.

The new rule is set to allow all TCP&UDP traffic. All other rules shall be disabled.

  1. Direction: Both
  2. Action: Allow
  3. Protocol: TCP & UDP
  4. Profile: For every

4. In “Advanced Personal firewall setup…”

Uncheck “Check TCP connection status” in “Packet inspection” section of “IDS and advanced options”.

Now your WFilter shall be able to work.

More information of disable ESET firewall, please check:

WFilter 4.0 is coming.

WFilter 4.0 version will be released soon after nearly two years development.

The new version made a lot improvement and optimization of current features. Also a series of new features are added, such as “WFilter Dashboard”, “Central Management of WFilter servers”, “WFilter Local Account”, “Multi-adapter Monitoring”, and several new alert types. Below is a brief introduction to these new features:

1. WFilter Dashboard

WFilter Dashboard allow you to check the monitoring status, log storage status, system warnings from a central dashboard.

2. WFilter Servers Management

This feature enables you to manage several WFilter servers from a central localtion.

3. Default IP Policy

The “Default IP Policy” feature enables you to set different policies to different ip ranges, when a new computer found it’s default ip policy will be applied.

4. Search of Network Computers

You can use the “Search Computers” feature to search computers in your network. It’s more convenient than the passive computer finding in the old version.

5. More Alert Types

More alert types are added: disk space alert, new computer alert, ip address changing alert…

6. More Powerful Account Monitoring

WFilter’s “account monitoring” feature can integrate WFilter with your active directory. So you can deploy monitoring based on user accounts. The new version added “WFilter local accounts” feature. When you don’t have an available active directory, you also can use “WFilter local account” feature to monitor/filter by user accounts.

6.1 Integrate Active Directory

6.2 WFilter local account

7. Multi-adapters Monitoring

WFilter 4.0 can support monitoring on multiple adapters to support complicated networkings.

How to deploy internet monitoring and filtering in RRAS windows gateway?

Routing and Remote Access is a network service in Microsoft Windows Server 2008, Windows Server 2003, and Windows 2000 Server that can provides Network address translator (NAT) for connecting a private network to the Internet. An example network topology is as below:

Since all internet traffic goes through the RRAS server, it’s very simple for you to monitor and filter internet activities: “just install WFilter in this server.”

The RRAS server has two adapters: the internal NIC and external NIC, you shall be able to see two adapters in the “monitoring adapter settings” of “System Settings”->”Monitoring Settings”.

We recommend you to choose the internal NIC as the monitoring and blocking adapter, because you will be able to monitor, block and report on individual network computers.

However, if you choose the external NIC as the monitoring and blocking adapter, WFilter will treat the whole network as one computer, because the RRAS server will translate all subnet ip addresses to its public ip address.

We have noticed that some users prefer to monitor on the internal NIC to save license number, because you only need ONE 1-user license to monitor the public ip address. However, we recommend you not to do it, because this is not WFilter designed to work, and there might have an over-blocking issue for some p2p protocols.


More information, please check “WFilter Enterprise”.

Other related links:

How to block UDP ports in RRAS windows server 2003?
How to block internet downloading?
How to monitor internet usage on company network?
Internet monitoring software for business
How to filter web surfing?
How to block websites and restrict internet access?
How to block HTTPS websites on my network?