Category Archives: How to filter internet access

How to whitelist websites in WFilter?

In WFilter NG firewall, whitelisting a website is simple: put the domain in the allowed list of “web filter”. Screenshot below:

(screenshot: whitelist01)

However, real-world webpages can be complicated. For example, webpage A may also include resources from website B, so webpage A cannot display correctly unless website B is whitelisted too.

To find out the domains of website B, you have two solutions:

Solution one: check the blocking events in WFilter.

(screenshot: whitelist02)

(screenshot: whitelist03)

In “realtime bandwidth”, click the bandwidth number of the testing client to open its “blocking events”. All recently blocked domains/IPs are listed there, so you can identify the external domains.

Solution two: check network activity in the browser.

By pressing F12, you can check the network activity of your browser and see which resources/URLs failed to load.

(screenshot: whitelist04)

With the above two solutions, you can find the extra domains that need to be whitelisted. Add these domains to the allowed list in the web filter.

(screenshot: whitelist05)
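The two solutions above both produce a list of hostnames that the admin then has to compare against the current allowed list. The following script is an added example (not WFilter code) that does that comparison: it counts the destinations in blocking-event lines and in a HAR export of the browser's network tab, and reports which hosts the allowed list does not yet cover, most frequent first. The event-line format, the HAR document and every hostname in it are constructed for the demo; adapt `BLOCK_RE` to the columns of a real export.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample blocking-event lines.  The format is made up for the
# demo (a real firewall export has its own columns); BLOCK_RE is the part
# you would adapt.
BLOCK_EVENTS = """\
2023-01-01 10:00:01 192.168.1.50 blocked: cdn.example-assets.net (web filter)
2023-01-01 10:00:01 192.168.1.50 blocked: fonts.example-fonts.org (web filter)
2023-01-01 10:00:02 192.168.1.50 blocked: tracker.example-ads.com (web filter)
2023-01-01 10:00:02 192.168.1.50 blocked: cdn.example-assets.net (web filter)
"""
BLOCK_RE = re.compile(r"blocked:\s+(?P<host>[A-Za-z0-9.-]+)")

# Constructed HAR-style export, reduced to the fields used here.  Browser
# DevTools can save the network tab as a HAR file with this structure.
HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://www.example.com/index.html"}},
    {"request": {"url": "https://www.example.com/app.js"}},
    {"request": {"url": "https://cdn.example-assets.net/lib.js"}},
    {"request": {"url": "https://cdn.example-assets.net/style.css"}},
    {"request": {"url": "https://fonts.example-fonts.org/font.woff2"}},
    {"request": {"url": "https://tracker.example-ads.com/pixel.gif"}},
]}})


def hosts_from_block_events(text):
    """Count blocked destination hosts in the event lines (solution one)."""
    return Counter(m.group("host").lower() for m in BLOCK_RE.finditer(text))


def hosts_from_har(har_json):
    """Count request hosts in a HAR export of the browser's network tab (solution two)."""
    entries = json.loads(har_json)["log"]["entries"]
    return Counter(urlsplit(e["request"]["url"]).hostname for e in entries)


def is_covered(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def extra_domains(allowed, *sources):
    """Hosts seen in any source that the allowed list does not cover, most
    frequent first, so the admin can judge which ones the page really needs."""
    total = Counter()
    for src in sources:
        total.update(src)          # Counter + Counter adds the counts
    missing = [(h, n) for h, n in total.items() if not is_covered(h, allowed)]
    return sorted(missing, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    allowed = ["example.com"]      # what is already in the web filter's allowed list
    found = extra_domains(allowed, hosts_from_block_events(BLOCK_EVENTS), hosts_from_har(HAR))
    for host, hits in found:
        print(f"{host:32} {hits} blocked/loaded resources")
```

Not every uncovered host has to be whitelisted: a CDN or font host the page needs is a candidate, an advertising or tracking host usually is not, and the hit count helps tell them apart.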

Web filtering software solution for network.

To filter websites for local network clients, you have several options.

  1. First check the features of your internet router/gateway. If you have a powerful router/gateway, you can do monitoring/filtering directly in the router itself.
  2. You can also try a pass-by filtering software solution, for example WFilter internet content filter: by setting up a mirroring port on your switch, you get powerful internet monitoring and filtering with the WFilter program.

Network diagram:

WFilter is a Windows software program. You can install it on any Windows PC; when the WFilter PC is connected to the mirroring port of your switch, you will be able to monitor/filter all network clients.

In WFilter, you can set up internet filtering (application control) and website filtering policies.

(screenshot: webfilter01)

(screenshot: webfilter02)

You can also block websites by category; for example, porn, malicious and streaming sites can all be blocked with one click.

(screenshot: webfilter03)

How to block facebook videos streaming with WFilter NG firewall?

Sometimes you might want to block facebook video streaming to save bandwidth. There is a predefined protocol named “facebook videos” in WFilter, which lets you block facebook videos with a few clicks. Here is the protocol description: facebook videos protocol and ports.

In another post, I’ve demonstrated how to block facebook videos with WFilter Enterprise. In this post, I will guide you through blocking facebook videos with “WFilter NG firewall”, a Linux NG firewall designed for business networks.

1. Create a “block facebook” policy in “App Control”.

(screenshot: blockfb_video01)

2. Set “facebook videos” to “Deny” in “streaming”.

(screenshot: blockfb_video02)

3. That’s all. Now facebook videos will be blocked.

(screenshots: blockfb_video1, blockfb_video2)

Please note: because short/small videos are served from the same source as images, blocking facebook videos does not block short video clips. Only medium or large videos can be blocked.

How to block hotspot shield VPN in network with WFilter NG firewall?

Hotspot Shield is a popular VPN service with a free version available. When launched, it tries to connect to many TLS sites for traffic relaying. If you sniff packets with Wireshark, you will see traffic that appears to come from well-known sites such as “google.com, baidu.com…”. In fact, it is Hotspot Shield VPN traffic camouflaged as normal TLS.

Our team has worked out a protocol pattern to block Hotspot Shield traffic completely in your network. WFilter identifies Hotspot Shield via signature matching, so regardless of transfer type or client version, all Hotspot Shield traffic can be blocked. Here is the protocol description of Hotspot Shield VPN: protocol and port range of Hotspot shield.

Below are the steps with WFilter NG firewall:

1. Create a “block hotspot” app control policy.

(screenshot: block_hotspot_01)

2. Set “Hotspot shield” to “Deny”.

(screenshot: block_hotspot_02)

3. That’s all. Now hotspot shield will never be able to connect.

(screenshot: hotspot_blocked)

4. The blocking event in WFilter NG firewall.

(screenshot: block_hotspot_03)

Please note: all WFilter products can support blocking of hotspot shield, including WFilter NG firewall and WFilter Enterprise.

TradeManager Black & white list is now supported in WFilter 4.1

The following example shows how to use the TradeManager black list.

1. Create a blocking level named “trademanager”

2. Configure the black list

Notice: you should add “aliint” before your account, and save the configuration.


3. Apply the blocking level

4. Check blocking of TradeManager

5. Check real-time block

As you can see in the above example, TradeManager accounts in the black list will not be able to login.

WFilter 4.1 version is coming.

Finally, after two years of development, WFilter 4.1 is entering beta testing. Let me show you the exciting new features in this version.

1. More deployment solutions

More deployment solutions are added, especially for wifi networks. We also added solutions to monitor by MAC address in multi-segment networks. In WFilter 4.0, only the “by ip address” mode is supported; the new version retrieves MAC address information from your core switch via SNMP.

2. More monitored content

Added support for IP protocols and IP fragments. For web monitoring, the new WFilter version will also record the browser type (userAgent).

3. Faster UI speed

We adopted FastCGI technology in the new 4.1 version, which greatly improves UI loading speed. Monitoring performance is also improved.

4. New UI design

Added a “common” menu where you can define commonly used menus, so you can open a page with one click.

We also re-designed the “online computers” page.


5. New “Protocols” system

With this “protocols” system, you can download and share protocols within a few clicks. You will no longer have the pain of configuring new protocols by hand.

6. New “Plugins” system

We integrated a set of tools for network monitoring and management, which is still growing. You can get plugins for network discovery, wfilter management and other related features.

7. New “web content push” feature

This feature enables you to push web content without real blocking. You can define a time interval and web push triggers for this content to appear regularly on client computers.

8. More flexible policy settings

With the latest version, it’s easier to assign a policy to newly detected devices, and to set a default OU policy for newly detected AD users.

New version downloading URL: WFilter 4.1

Please note: WFilter 4.1 is still in beta testing, and some features are not fully tested. This version is only for preview and testing purposes. So if you already have a stable WFilter 4.0 running, it’s not wise to replace it with this beta version.

How to monitor and filter internet activities of PPPoE users?

PPPoE is widely used for user authentication and traffic accounting. However, it’s a little difficult to monitor and filter PPPoE clients’ internet usage and behavior.

In this example, we will demonstrate how to monitor and filter PPPoE clients with WFilter Free. Please note that only non-encrypted and uncompressed PPPoE traffic is supported. So the first step is to configure your PPPoE server for no encryption and no compression.

1. PPPoE server settings

Let’s take Windows 2003 and RouterOS as examples.

1). Windows 2003 Server Configuration

If you are using Windows 2003 server as the PPPoE server, please follow the steps below:

In “Properties” of the “Routing and Remote Access”, disable “software compression” and “LCP” in the “PPP” tab.

Edit the “remote access policy” for “no encryption” in “Edit Profile”. Notice: both default policies must be modified.



2). RouterOS Configuration

If you are using RouterOS as the PPPoE server, please follow these steps to disable compression and encryption:

In “PPP” tab of “Profiles”, click “Protocols” and disable compression and encryption.

2. Monitor PPPoE clients in WFilter

2.1) Choose the internal adapter

Now WFilter is able to parse PPPoE traffic. In this example, we simply install WFilter Free on the Windows 2003 PPPoE server.

You need to choose the internal adapter as the “monitoring adapter” in “System Settings”->”Monitoring Settings” of WFilter.


2.2). Set up client policy

Add a block policy to block web surfing.


Apply this policy to the PPPoE clients’ IP ranges.


2.3). Check Blocking

PPPoE clients get blocked.

Blocking events in WFilter.
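Whether step 1 actually took effect is visible on the wire: plain IP inside a PPPoE session carries PPP protocol 0x0021 (IPv4) or 0x0057 (IPv6), while compressed or MPPE-encrypted data travels as PPP protocol 0x00FD, which a monitor cannot look into. The following parser is an added example (not WFilter code) that classifies captured Ethernet frames on that basis; it assumes the standard PPPoE session header (RFC 2516) and PPP protocol numbers, and the sample frames, MAC addresses and payloads are constructed for the demo.

```python
import struct

ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864

# PPP protocol numbers (RFC 1661 and the IANA PPP assignments)
PPP_PROTOCOLS = {
    0x0021: "IPv4",
    0x0057: "IPv6",
    0x00FD: "compressed datagram (CCP/MPPE)",
    0x8021: "IPCP",
    0x80FD: "CCP (compression control)",
    0xC021: "LCP",
    0xC023: "PAP",
    0xC223: "CHAP",
}


def parse_pppoe_frame(frame):
    """Return the Ethertype, PPPoE header fields and the PPP protocol of a frame."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"ethertype": ethertype, "ppp_protocol": None}
    if ethertype not in (ETHERTYPE_PPPOE_DISCOVERY, ETHERTYPE_PPPOE_SESSION):
        return info
    if len(frame) < 20:
        raise ValueError("truncated PPPoE header")
    vertype, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    info.update(version=vertype >> 4, type=vertype & 0xF, code=code,
                session_id=session_id, length=length)
    if ethertype == ETHERTYPE_PPPOE_SESSION and code == 0 and length >= 2:
        info["ppp_protocol"] = struct.unpack("!H", frame[20:22])[0]
        info["payload"] = frame[22:20 + length]
    return info


def classify(frame):
    """Say whether a monitor can see into this frame."""
    info = parse_pppoe_frame(frame)
    if info["ethertype"] == ETHERTYPE_PPPOE_DISCOVERY:
        return "discovery"
    proto = info["ppp_protocol"]
    if proto is None:
        return "not PPPoE session"
    if proto in (0x0021, 0x0057):
        return "plain IP (monitorable)"
    if proto == 0x00FD:
        return "compressed/encrypted datagram (opaque)"
    return "control: " + PPP_PROTOCOLS.get(proto, hex(proto))


def summarize(frames):
    """Count frames per class; a healthy 'no compression' setup shows no opaque frames."""
    counts = {}
    for frame in frames:
        label = classify(frame)
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_frame(ppp_protocol, payload, session_id=0x0001):
    """Construct a PPPoE session frame for the demo (placeholder MAC addresses)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    ppp = struct.pack("!H", ppp_protocol) + payload
    return (dst + src + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
            + struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp)) + ppp)


# Constructed samples: two IPv4 packets, one MPPE/CCP data frame, one LCP echo request.
SAMPLE_FRAMES = [
    build_frame(0x0021, bytes.fromhex("45000014") + bytes(16)),
    build_frame(0x0021, bytes.fromhex("45000014") + bytes(16)),
    build_frame(0x00FD, bytes(22)),
    build_frame(0xC021, bytes.fromhex("0901000800000000")),
]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_FRAMES).items():
        print(f"{n:4d}  {label}")
```

Run it over frames read from a capture taken on the PPPoE server's internal adapter; if the summary shows opaque frames while clients are browsing, the server is still negotiating compression or MPPE and the profile changes from step 1 have not been applied to every policy.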

WFilter deployment with a network tap.

1. What is network tap?

A network tap is also a good way to monitor network traffic. Compared to a “port mirroring” switch, it has several advantages:

  1. Handy and flexible; a passive tap requires no power supply.
  2. Once a network tap is in place, the network can be monitored without interfering with the network itself.
  3. Low cost; you can even build one yourself.

Guides to building a network tap can be found at the links below:

  1. Throwing Star LAN Tap
  2. Building an Ethernet Tap
  3. Throwing Star LAN Tap
  4. Create a passive network tap for your home network

The disadvantages of a network tap:

  1. Cannot monitor gigabit networks; a “filterable tap” is required.
  2. The monitoring ports do not allow outgoing traffic. Therefore you need three network cards in the monitoring computer: two for monitoring and one for communication.

This post will guide you through deploying WFilter with a “Throwing Star LAN Tap”.

2. Deploy the LAN Tap.

First, you need to install three network cards in the monitoring computer.

In this example, the LAN tap is connected between the router and the first switch (J1 and J2). Monitoring ports J3 and J4 are connected to two adapters of the monitoring computer.

The monitoring adapters do not actually require IP addresses. In this example, we assign “192.168.1.181” and “192.168.1.182” to the two monitoring adapters (assigning an IP address makes it easier to identify the adapter in WFilter). The third adapter is assigned “192.168.2.189”.

3. Setup WFilter

Check the two monitoring adapters in “System Settings”->“Monitoring Settings”. Choose the third adapter as the blocking adapter, which sends the blocking packets.

Now we’re able to monitor client computers. You will notice that one monitoring adapter only gets incoming packets, while the other only gets outgoing packets. This is how a network tap is designed.


Client computers also can be blocked.
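Because each tap leg delivers only one direction, a capture taken on a single monitoring adapter shows half a conversation. WFilter recombines the two adapters itself; when you capture with other tools for troubleshooting, you need to merge the two files. The script below is an added example (not WFilter code) that reads a classic pcap from each leg and interleaves the records by timestamp; the `J3_CAPTURE` and `J4_CAPTURE` blobs, the MAC addresses and the payloads are constructed in memory for the demo, and it assumes both adapters share one clock.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4     # classic pcap, microsecond timestamps, little-endian writer
PCAP_MAGIC_BE = 0xD4C3B2A1     # same file written big-endian
LINKTYPE_ETHERNET = 1


def pcap_bytes(records):
    """Build a classic pcap file from (ts_sec, ts_usec, frame) tuples (demo writer)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for sec, usec, data in records:
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)) + data)
    return b"".join(out)


def read_pcap(blob):
    """Yield (ts_sec, ts_usec, frame) from a classic pcap blob of either byte order."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    pos = 24                                     # skip the global header
    while pos + 16 <= len(blob):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", blob[pos:pos + 16])
        pos += 16
        yield sec, usec, blob[pos:pos + incl_len]
        pos += incl_len


def directions(blob):
    """Distinct (src MAC, dst MAC) pairs in a capture; one tap leg should show one pair per flow."""
    return {(frame[6:12].hex(), frame[0:6].hex()) for _, _, frame in read_pcap(blob)}


def merge_captures(*blobs):
    """Interleave several captures by timestamp; ties keep file order, then record order."""
    tagged = []
    for idx, blob in enumerate(blobs):
        for seq, (sec, usec, frame) in enumerate(read_pcap(blob)):
            tagged.append((sec, usec, idx, seq, frame))
    tagged.sort(key=lambda r: (r[0], r[1], r[2], r[3]))
    return [(sec, usec, idx, frame) for sec, usec, idx, _seq, frame in tagged]


# Constructed conversation: the client's side arrives on J3, the router's on J4.
CLIENT = bytes.fromhex("aaaaaaaaaaaa")
ROUTER = bytes.fromhex("bbbbbbbbbbbb")


def eth(dst, src, payload):
    return dst + src + b"\x08\x00" + payload


J3_CAPTURE = pcap_bytes([(1, 0, eth(ROUTER, CLIENT, b"SYN")),
                         (1, 200, eth(ROUTER, CLIENT, b"ACK"))])
J4_CAPTURE = pcap_bytes([(1, 100, eth(CLIENT, ROUTER, b"SYN-ACK")),
                         (1, 300, eth(CLIENT, ROUTER, b"DATA"))])

if __name__ == "__main__":
    for sec, usec, leg, frame in merge_captures(J3_CAPTURE, J4_CAPTURE):
        print(f"{sec}.{usec:06d}  leg {leg}  {frame[6:12].hex()} -> {frame[0:6].hex()}  {frame[14:]!r}")
```

`directions()` is the quick sanity check for a fresh deployment: if one leg's capture shows both MAC orderings, the tap is not wired the way this post describes.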

How to block stock market trading programs in network?

Employees can spend hours on reading market data and online stock trading. To keep productivity, it is necessary to block online trading traffic during working hours.

This tutorial will guide you to block “Nest trader” and “(IIFL) Trader Terminal” traffic in your network.

Since WFilter does not support these two protocols by default, you need to add customized protocols in “System Settings”->“Customize Protocols”.

1. Block IIFL trade terminal

1). Add a new protocol named “IIFL Trader”, choose a protocol type.

2). Add a new pattern, choose pattern “Type” as “TLS”. Set pattern content as “swaraj\.indiainfoline\.com”.

3). Check “Block IIFL Trader” in your blocking policy.

4). Now IIFL trader can be blocked.

2. Block “Nest trader”

1). Add a new protocol named “Nest Trader”, choose a protocol type.

2). Add a new pattern, choose pattern “Type” as “TCP SEND”. Set pattern content as “^\x00\x00\x00\x13\x52\x55\x00\x0f\x6c\x69\x63\x65\x6e\x73\x65\x5f\x63\x68\x65\x63\x6b\x65\x72”.

3). Check “Block Nest Trader” in your blocking policy.

4). Done. Now Nest trader will also be blocked.
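The two pattern types above work differently: the “TLS” pattern is a regex on a domain name, the “TCP SEND” pattern a regex on raw bytes the client sends. The script below is an added example (not WFilter code) showing both patterns from this post in action. It assumes, as an interpretation, that a “TLS” pattern is matched against the server name (SNI) carried in the TLS ClientHello and that a “TCP SEND” pattern is applied with `re.search` to the first bytes of the client's stream; it also reads the Nest pattern's literal bytes as a framed message (4-byte length, 2-byte tag, 2-byte string length, string), which is only what the bytes suggest. The ClientHello and the Nest payload are constructed for the demo.

```python
import re
import struct

# The two patterns exactly as given in the post.
IIFL_TLS_PATTERN = r"swaraj\.indiainfoline\.com"
NEST_TCP_PATTERN = (rb"^\x00\x00\x00\x13\x52\x55\x00\x0f\x6c\x69\x63\x65\x6e\x73"
                    rb"\x65\x5f\x63\x68\x65\x63\x6b\x65\x72")


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name              # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry          # ServerNameList
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext  # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32)                 # client_version, random (zeroed for demo)
            + b"\x00"                               # empty session id
            + b"\x00\x02\x00\x2f"                   # one cipher suite
            + b"\x01\x00"                           # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent/malformed."""
    try:
        if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 9 + 2 + 32                                  # record hdr, handshake hdr, version, random
        p += 1 + record[p]                              # session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
        p += 1 + record[p]                              # compression methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0 and elen >= 5:
                # ServerNameList: list length(2), then name_type(1), name length(2), name
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass
    return None


def matches_tls(pattern, record):
    """'TLS' pattern: regex over the SNI host name of the ClientHello."""
    sni = extract_sni(record)
    return sni is not None and re.search(pattern, sni) is not None


def matches_tcp_send(pattern, payload):
    """'TCP SEND' pattern: byte regex over what the client sends (^ anchors to stream start)."""
    return re.search(pattern, payload) is not None


def decode_nest_pattern(pattern):
    """Read the pattern's literal bytes as the frame they appear to describe (assumed layout)."""
    raw = bytes.fromhex(b"".join(re.findall(rb"\\x([0-9a-fA-F]{2})", pattern)).decode())
    frame_len = int.from_bytes(raw[0:4], "big")
    str_len = int.from_bytes(raw[6:8], "big")
    return {
        "frame_len": frame_len,
        "tag": raw[4:6].decode("ascii"),
        "text": raw[8:8 + str_len].decode("ascii"),
        "raw": raw,
        "consistent": frame_len == 2 + 2 + str_len,   # tag + length field + string
    }


if __name__ == "__main__":
    print(decode_nest_pattern(NEST_TCP_PATTERN))
    hello = build_client_hello("swaraj.indiainfoline.com")
    print("IIFL ClientHello matched:", matches_tls(IIFL_TLS_PATTERN, hello))
```

Decoding the Nest bytes shows the signature is the client's `license_checker` message at the start of the session, which is why the pattern is anchored with `^`: a byte sequence that only appears later in the stream would need an unanchored pattern, and an unanchored pattern costs more to scan.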

Does port mirroring influence my network speed?

For pass-by monitoring and filtering, you need to set up a mirroring port on your switch. When the port mirroring feature is enabled, the switch replicates data from other ports onto a single port for monitoring purposes. Since the original packets are not held or delayed, port mirroring theoretically does not affect your network speed.

However, improper port mirroring settings can cause heavy load on your switch and even cause packet loss.

So please consider the following points when configuring a mirroring port:

  1. Do not mirror multiple ports to one port unless necessary.
  2. If it is required to mirror multiple ports, please make sure the total throughput of the mirrored ports does not exceed the throughput limit of the mirroring port.
  3. For WFilter, mirroring the internet port is enough. Usually, only the router/firewall port needs to be mirrored.
  4. If your switch does not allow outgoing traffic on the mirroring port, or you’re using WFilter to filter internet access for more than 50 computers, it is recommended to use two network adapters: one for monitoring only, the other for filtering.
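Point 2 deserves a concrete check, because the arithmetic is easy to get wrong: a mirrored port's receive and transmit directions are both copied onto the transmit side of the destination port, so even a single full-duplex 1 Gbit/s uplink mirrored in both directions can in theory offer 2 Gbit/s to a 1 Gbit/s monitoring port. The helper below is an added example (not WFilter code) that compares observed peak rates and the line-rate worst case against the destination link; the port names, link speeds and peak rates are constructed.

```python
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    link_mbps: int          # negotiated link speed of the mirrored port
    rx_peak_mbps: float     # observed peak rate into the switch on this port
    tx_peak_mbps: float     # observed peak rate out of the switch on this port


def mirrored_load_mbps(sources, directions="both"):
    """Peak load the mirror session pushes toward the destination port."""
    total = 0.0
    for p in sources:
        if directions in ("both", "rx"):
            total += p.rx_peak_mbps
        if directions in ("both", "tx"):
            total += p.tx_peak_mbps
    return total


def worst_case_mbps(sources, directions="both"):
    """Line-rate maximum: both directions of a full-duplex port count twice."""
    per_port = 2 if directions == "both" else 1
    return sum(p.link_mbps * per_port for p in sources)


def check_span(sources, dest_link_mbps, directions="both"):
    """Compare observed and worst-case mirrored load with the destination link speed."""
    load = mirrored_load_mbps(sources, directions)
    worst = worst_case_mbps(sources, directions)
    return {
        "observed_peak_mbps": load,
        "worst_case_mbps": worst,
        "destination_mbps": dest_link_mbps,
        "oversubscribed_now": load > dest_link_mbps,     # drops are happening at peak
        "can_oversubscribe": worst > dest_link_mbps,     # drops possible under full load
        "utilisation_pct": round(100 * load / dest_link_mbps, 1),
    }


# Constructed example: a 1G router uplink plus three 1G access ports.
UPLINK = Port("gi0/1 (router)", 1000, 420.0, 180.0)
ACCESS = [Port(f"gi0/{n}", 1000, 200.0, 100.0) for n in (2, 3, 4)]

if __name__ == "__main__":
    print("uplink only :", check_span([UPLINK], 1000))
    print("uplink+3 LAN:", check_span([UPLINK] + ACCESS, 1000))
```

With the constructed figures, mirroring only the router port (point 3) stays at 60% of the 1 Gbit/s destination link at peak, while adding the three access ports pushes 1.5 Gbit/s at it and mirroring them guarantees loss exactly when the network is busiest.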

How to check whether port mirroring settings are correct?
How to check whether a switch supports port mirroring?
Why a port mirroring switch is required to monitor my network?