Category Archives: Deployment

Deployment of WFilter NG Firewall

WFilter deployment with a Gargoyle router.

1. Gargoyle Router Introduction

Gargoyle is an OpenWrt distribution that aims to be easy to use through a simplified web interface. Gargoyle can extend your wireless router into a powerful Linux system. Even if your router hardware does not support the “port mirroring” function, you can still mirror traffic in software.

This blog will guide you through installing the “port-mirroring” program on your Gargoyle router and deploying WFilter for internet monitoring and filtering. We assume you already have a Gargoyle router; if not, please check the Gargoyle homepage for the latest firmware.

2. Port-mirroring program

Port-mirroring is an open source project sponsored by IMFirewall Software; it is designed to mirror network traffic on Linux systems.

2.1. Installation

For a detailed installation guide, please check Port-mirroring open source packet mirroring. In this guide, we take a Linksys WRT54G router as an example.

Steps:

a) opkg update

b) opkg install http://port-mirroring.googlecode.com/files/port-mirroring_1.3-1_12.09_brcm47xx.ipk

Because Gargoyle is based on the OpenWrt Attitude Adjustment 12.09 branch, we need to install the build for OpenWrt 12.09.

2.2. Configuration

You need to edit /etc/config/port-mirroring to set the mirroring target (the WFilter computer) and the mirrored source interface.

In this example, we choose the “eth0” wireless adapter as the mirrored source interface.

2.3. Start Port-mirroring

/etc/init.d/port-mirroring start

3. Check monitoring in WFilter

Now WFilter should be able to monitor client computers.

How to deploy WFilter with a Tomato router?

The “--tee” option of iptables can mirror network packets to a target IP address. With this feature, you can deploy monitoring easily when you have an embedded Linux router.

In this tutorial, we will guide you to deploy WFilter using a Tomato router (firmware version: v1.28).

1. Enable SSH login in Tomato

Enable “SSH Daemon” in “Administration” – “Admin Access”.

2. Log in to your Tomato router.

Log in to your Tomato router using any SSH client.

3. Enable the ipt_ROUTE module.

For the “--tee” option to work, you need to load the “ipt_ROUTE” kernel module (modprobe ipt_ROUTE), which is not loaded by default.

4. Add the iptables rule for packet forwarding.

In this example, we forward packets to “192.168.1.100”.

5. List and verify iptables rules.

You can list your iptables rules to check whether the rule was added successfully.

6. Add startup script.

If you want this rule to survive a router reboot, you need to add these two commands to the startup scripts in “Administration” - “Scripts”.

modprobe ipt_ROUTE

iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.100 --tee

7. Check your WFilter settings.

Please note that “iptables” does not preserve the original MAC addresses of the mirrored packets. Therefore, you cannot use the “by MAC address” monitoring mode of WFilter; use “by IP address” instead.

Done.

WFilter deployment with a network tap.

1. What is a network tap?

A network tap is also a good way to monitor network traffic. Compared to a “port mirroring” switch, it has several advantages:

  1. Handy and flexible; requires no power supply.
  2. Once a network tap is in place, the network can be monitored without interfering with the network itself.
  3. Low cost; you can even build one yourself.

Guides to building a network tap can be found at the links below:

  1. Throwing Star LAN Tap
  2. Building an Ethernet Tap
  3. Throwing Star LAN Tap
  4. Create a passive network tap for your home network

The disadvantages of a network tap:

  1. Cannot monitor gigabit networks; this requires a “filterable tap”.
  2. The monitoring ports do not allow outgoing traffic. Therefore you need three network cards in the monitoring computer: two for monitoring and one for communication.

This blog will guide you to deploy WFilter with a “Throwing Star LAN Tap”.

2. Deploy the LAN Tap.

First, you need to install three network cards in the monitoring computer.

In this example, the LAN tap is connected between the router and the first switch (J1 and J2). Monitoring ports J3 and J4 are connected to two adapters of the monitoring computer.

Actually, the monitoring adapters do not require IP addresses. In this example, we assign “192.168.1.181” and “192.168.1.182” to the two monitoring adapters (assigning an IP address makes it easier to identify the adapter in WFilter). The third adapter is assigned “192.168.2.189”.

3. Setup WFilter

Check the two monitoring adapters in “System Settings”->“Monitoring Settings”. The third adapter shall be chosen as the blocking adapter for sending blocking packets.

Now we are able to monitor client computers. You will notice that one monitoring adapter only gets incoming packets, while the other only gets outgoing packets. This is how a network tap is designed.
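Because each tap port carries only one direction, the monitoring software has to join the two adapters' captures again before per-flow traffic makes sense. The following Python is an added example (not the blog's or WFilter's own code) that merges constructed packet records from the two monitoring adapters into bidirectional flows; it assumes the LAN is 192.168.1.0/24, that adapter A is wired to J3 and adapter B to J4, and that real records would come from libpcap rather than the inline lists.

```python
from collections import defaultdict

# Constructed sample records: (timestamp, src_ip, src_port, dst_ip, dst_port, length).
# A real monitor would read these from the two adapters with libpcap.
ADAPTER_A = [  # wired to tap port J3: sees only traffic leaving the LAN
    (1.000, "192.168.1.50", 51234, "93.184.216.34", 443, 74),
    (1.004, "192.168.1.50", 51234, "93.184.216.34", 443, 66),
    (1.005, "192.168.1.50", 51234, "93.184.216.34", 443, 583),
    (1.210, "192.168.1.51", 40000, "93.184.216.34", 80, 74),
]
ADAPTER_B = [  # wired to tap port J4: sees only traffic entering the LAN
    (1.002, "93.184.216.34", 443, "192.168.1.50", 51234, 74),
    (1.150, "93.184.216.34", 443, "192.168.1.50", 51234, 1514),
    (1.151, "93.184.216.34", 443, "192.168.1.50", 51234, 1514),
    (1.212, "93.184.216.34", 80, "192.168.1.51", 40000, 74),
]
LAN_PREFIX = "192.168.1."  # assumption: the monitored LAN is 192.168.1.0/24

def is_outgoing(pkt):
    """True when the LAN host is the sender (client -> internet)."""
    return pkt[1].startswith(LAN_PREFIX)

def flow_key(pkt):
    """Direction-independent key with the LAN host first, so both halves
    of one conversation (seen on different adapters) map to one flow."""
    _, src, sport, dst, dport, _ = pkt
    if is_outgoing(pkt):
        return (src, sport, dst, dport)
    return (dst, dport, src, sport)

def directions_seen(packets):
    """Set of directions ('in' / 'out') present in a single adapter's capture."""
    return {"out" if is_outgoing(p) else "in" for p in packets}

def merge_flows(*captures):
    """Merge the per-adapter captures into one time-ordered stream and sum
    bytes per flow and direction: {flow_key: {'in': n, 'out': n, 'packets': n}}."""
    timeline = sorted((p for cap in captures for p in cap), key=lambda p: p[0])
    flows = defaultdict(lambda: {"in": 0, "out": 0, "packets": 0})
    for pkt in timeline:
        stats = flows[flow_key(pkt)]
        stats["out" if is_outgoing(pkt) else "in"] += pkt[5]
        stats["packets"] += 1
    return dict(flows)
```

Running directions_seen on either list shows the one-sided view a single tap port gives, while merge_flows rebuilds the full conversation from both adapters.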


Client computers can also be blocked.

How to manage several WFilter servers from a central location?

When you need to manage internet access for several offices, it is helpful to do the management from a central location.

This tutorial will guide you to manage several WFilter servers within the same user interface.

1. Edit WFilter servers

Step 1: In WFilter's dashboard, click “Edit” to define remote servers.

Step 2: add servers.

Please notice:

  1. The remote server's admin password is required.
  2. The remote WFilter server shall be configured with “Allow Remote Access” in “System Settings”->“Remote Access Control”.
  3. If you are connecting to the remote server over the internet, you need to forward TCP port 9090 to the WFilter server in the remote network's router.
  4. If the remote network does not have a fixed internet IP address, you can also reach the remote server by a dynamic domain name.

2. Switch WFilter servers in the dashboard.

Now you can switch between WFilter servers in the dashboard. All data is retrieved from the remote servers, so you can manage different WFilter servers from a central location.

WFilter deployment with RouterOS’s port streaming feature.

Installed on a personal computer or server computer, RouterOS turns the computer into a network router, implementing features such as firewall rules, virtual private network (VPN) server and client, bandwidth shaping and quality of service, wireless access point functions and other commonly used features for routing and interconnecting networks.

To implement internet monitoring and more powerful internet filtering features with your RouterOS, you can enable RouterOS’s “port streaming” feature to mirror all internet packets to WFilter for monitoring and filtering.

This tutorial will guide you to configure RouterOS to work together with WFilter.

Enable Packet Streaming

Enable Packet Streaming in “Tools”->“Packet Sniffer”, and choose the LAN interface as the sniffer interface.

Set the WFilter server ip as the streaming server

Set the WFilter server's IP address as the streaming server.

Done. Now you are able to monitor all network computers in WFilter.

For more information, please check “WFilter Enterprise”.

Other related links:

How to block UDP ports in RRAS windows server 2003?
How to block internet downloading?
How to monitor internet usage on company network?
Internet monitoring software for business
How to filter web surfing?
How to block websites and restrict internet access?
How to block HTTPS websites on my network?

How to check whether a switch supports port mirroring?

To monitor the internet activities of all computers in your network, the WFilter computer shall be connected to a mirroring port of your switch, or WFilter shall be installed on a gateway computer.

Some inexperienced users might not know whether a switch supports port mirroring. Hence we list how to check whether port mirroring is supported by your switch.

First, check the features list of your switch.

“Port mirroring” is also called “port SPAN” or “port monitoring”. A port mirroring switch is usually called a “manageable switch” or “managed switch”.
If you can find these keywords in your switch's feature list or manual, “port mirroring” is supported.

Example 1: description of Cisco 2950.

Example 2: feature list of NETGEAR GS108T.

Second, check switch Web UI to find mirroring options.

Most managed switches provide a web UI or console interface for you to change their settings. If you can find “port mirroring” or “port monitoring” options in the web UI, port mirroring is certainly supported.

Example 1: Web UI of D-Link 3226.

Example 2: Web UI of NETGEAR GS748AT.

For more information, please check: Why WFilter can only monitor itself? How to monitor other computers in network?

How to add a logo image into WFilter blocking page?

The WFilter blocking denial page presents a blocking message to users when a web page is blocked. Sometimes you may want to add your logo image to the WFilter blocking denial page.

This tutorial will guide you to add a logo image with “WFilter Enterprise 3.3”.

1. It is simple to add your logo when you have a website hosting the image. As you can see in the figures below, just click “Add image” and input your logo URL when editing a denial page.

2. However, if you don't have an available website, you need to upload your image file to WFilter's “image” directory so that WFilter can find it. Please follow the steps below:
1) Copy your image file to the “www/image” directory of WFilter.
2) Click “Add image” in the chosen denial page. Please note that you need to input the full URL of your logo here. For example, if the IP address of the WFilter computer is “192.168.1.20”, input “http://192.168.1.20:9090/image/yourlogo”. Do not use “http://localhost:9090/image/yourlogo”, because the blocked user's browser would resolve localhost to the user's own computer, not to the WFilter server.

Webpage being blocked:

3. If you are familiar with HTML, you can also edit the denial page source manually in the “config/Denypage” directory of WFilter.

For more information, please check “WFilter Enterprise”.
Other related links:
How to block internet downloading?
How to monitor internet usage on company network?
Internet monitoring software for business
How to filter web surfing?
How to block websites and restrict internet access?

What’s the difference between Pass-by filtering and Pass-through filtering?

Filtering technologies are divided into two types: Pass-through (server plug-in based) and Pass-by (standalone based).

A Pass-by filter usually monitors and filters network traffic with the help of port mirroring, while a Pass-through filter monitors and filters network traffic on a gateway or bridge.

The differences between Pass-by filtering and Pass-through filtering:

Advantages of Pass-by filtering:

1. Pass-by filtering is easier to deploy. You only need to set up a mirroring port in your switch, without changing your network topology. However, since pass-through filtering needs to be installed on the gateway or bridge, you usually need to change your network topology to deploy a pass-through filtering product.

2. A pass-by filtering product, such as WFilter Enterprise, only deals with copies of network packets, without delaying the original packets. Even if a pass-by filtering product stops working, your internet connection stays alive.

However, because a Pass-through product “stops and checks” network packets, a slight delay to your internet access is unavoidable. And when a pass-through filtering product stops working, you lose your internet connection.

Disadvantages of Pass-by filtering:

1. Port mirroring is required for pass-by filtering; you cannot monitor or filter your network without a managed switch.

2. A pass-by filtering product sends RST packets to terminate TCP connections; however, UDP traffic cannot be blocked by pass-by filtering, because there is no equivalent of a reset for a connectionless protocol. Usually you also need to block certain UDP ports in your router for complete blocking.

3. Traffic shaping and QoS are unavailable in pass-by filtering, since it only deals with copies of network packets.

For more information about WFilter technical details, please check: WFilter Inside Technologies.

Internet monitoring software for business

  Unmanaged internet access is harmful to your business.
  Without proper internet monitoring and filtering, you may suffer from:
  1. Lower productivity. Your employees might spend hours on web surfing, chatting and watching videos.
  2. Slow internet speed. P2P programs or IPTV programs can easily consume most of your bandwidth, leaving normal business without enough available bandwidth.
  3. Unmanaged downloading brings viruses, worms and spyware, which are harmful to your network.
  4. Leaking of business documents and materials.

  Therefore, it is important for you to monitor and manage employees' internet activity. This guide will introduce several aspects of deploying and using internet monitoring and filtering software. Please be aware that I am only going to talk about internet access monitoring, which does not include screen monitoring, USB forbidding or keystroke recording. The latter require you to install a client agent on every computer, whereas internet monitoring only needs to be installed near the internet entrance.

How to deploy internet monitoring software?

  Though internet monitoring only needs to be installed near the internet entrance, the deployment differs for different network topologies.
  For “Router<->Switch<->Computers” networks, you need to set up a mirroring port in the switch to enable monitoring. If you are using an ISA or WinGate proxy server, you can do the monitoring right on the proxy server.

How to monitor internet bandwidth?

  Once properly deployed, you can easily monitor internet bandwidth and activities using internet monitoring software.
  Below, let me take “WFilter Enterprise” as an example:

  Using WFilter's “Active Connections” feature, you can have a clear view of all connections in your network.

Connections of a particular computer; you can kill established connections if you want.

For more details about “monitor internet bandwidth”, please refer to: How to monitor internet bandwidth?

How to monitor internet usage?

In “Online computers” of WFilter, click the numbers under each title to view detailed records.

How to block downloading?

To save bandwidth, improper downloading shall be blocked. The figure below shows blocking of large files and blocking of video files.

Blocking of video files.

For more details, please refer to “How to block downloading?”.

How to monitor internet usage on company network?

  The internet can be a benefit to business when used properly, but it is often abused by employees and poses significant liability and security risks. In today's internet, P2P programs and IPTV applications can easily consume most of your bandwidth.
  Therefore, monitoring internet activity and bandwidth usage is important to keep your business efficient.
  Below I list several aspects of monitoring internet usage on a company network.

How to monitor internet usage?

  You cannot monitor other computers' internet usage in a network unless you have access to their network traffic.
  There are two ways to see other computers' internet traffic:
  1. Configure a SPAN port (port mirroring) in your switch.
  2. Do the monitoring on the gateway or proxy.

  If you have already set up a computer as the gateway or proxy server, you just need to install internet monitoring software on that server.
  Since many networks use a router as the gateway, using a port mirroring switch is a good choice. Port mirroring allows you to set up a port in the switch that receives copies of the packets of other ports. Setting up a mirror port makes no change to your network topology and does not affect your network speed. A broadcasting hub can also help you monitor; however, such hubs only work in 10 Mbit mode and are not very stable. Therefore I recommend not using a hub for monitoring.
  Read this example for details on setting up port mirroring: Deploy internet monitoring using a port mirror switch.

How to monitor internet connections?

  Once you have set up the SPAN port, you can easily monitor internet connections using internet monitoring software.
  Here we take “WFilter Enterprise” as an example:

Monitor all computers' internet connections

   Using WFilter's “Active Connections” feature, you can have a clear view of all connections in your network.

Monitor a computer's internet connections

Connections of a particular computer; you can kill established connections if you want.

How to monitor internet activity?

In “Online computers”, click the numbers under each title to view detailed records.

Browsing history:

Other related links:
How to monitor internet bandwidth?
Internet blocking