Category Archives: Settings

Settings of WFilter NG Firewall

How to set up WFilter NG Firewall with a Layer 3 switch in a multi-VLAN network?

In this article, I'm going to walk you through setting up a two-VLAN network with a Layer 3 switch (Cisco 3550). I am also going to set up WFilter NG Firewall as the gateway for these VLANs.

Network Topology

(Figure: threelayer_vlan, the network topology diagram)

As in the above network topology diagram:

  1. There are two VLANs on the Cisco 3550 switch (VLAN 2: 192.168.2.0/24, and VLAN 3: 192.168.3.0/24).
  2. WFilter NG Firewall is in subnet 192.168.1.0/24.
  3. The uplink port of the Cisco 3550 has IP address 192.168.1.5.

Configuring the Cisco switch

Commands to set up the Cisco 3550 switch:

Set up the port VLAN (a client-facing access port in VLAN 2; the original listing had "switchport mode trunk" here, which would leave connected hosts on the native VLAN rather than VLAN 2, so the port is set to access mode; repeat with "vlan 3" for ports in VLAN 3):

Switch#configure terminal
Switch(config)#interface fa0/12
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 2
Switch(config-if)#end

Set up the VLAN IP and subnet (this address is the gateway for hosts in VLAN 2; do the same for "interface vlan 3" with an address in 192.168.3.0/24):

Switch#configure terminal
Switch(config)#interface vlan 2
Switch(config-if)#ip address 192.168.2.1 255.255.255.0
Switch(config-if)#end

Set up the uplink port (a routed port, not a switched one, facing WFilter NG Firewall):

Switch#configure terminal
Switch(config)#interface fa0/1
Switch(config-if)#no switchport
Switch(config-if)#ip address 192.168.1.5 255.255.255.0
Switch(config-if)#end

Enable IP routing, so the switch forwards between VLAN 2, VLAN 3 and the uplink:

Switch#configure terminal
Switch(config)#ip routing
Switch(config)#end

Note (not on the original page): for hosts in the VLANs to reach the internet through WFilter NG Firewall, the switch also needs a default route towards the firewall's address in 192.168.1.0/24, for example "Switch(config)#ip route 0.0.0.0 0.0.0.0 <WFilter-LAN-IP>" with the placeholder replaced by the firewall's actual LAN address.

Configuring WFilter NG Firewall

For WFilter NG Firewall to route traffic to the VLANs, you need to add the VLAN subnets (192.168.2.0/24 and 192.168.3.0/24) as routes under "Routing" in WFilter NG Firewall, with the switch's uplink address 192.168.1.5 as the next hop.

(Screenshots of the Routing page: threelayer_vlan_ros2_en, threelayer_vlan_ros1_en)

Done.

How to detect and fix IP conflicts in your network?

An IP conflict in a local network is annoying. When it happens, it causes intermittent connectivity, and it is difficult for an IT administrator to locate the conflicting devices.

With WFilter, you can do much more.

First, you can block the conflicting IP address and show a message, so the user can fix the issue themselves. As shown in the figure below, you can send a message such as "Your ip address conflicts with our server, please correct it ASAP". This message shows up when the user browses HTTP sites.

(Screenshot: ipconflict_en)

Also, you can run the "Network Health Checker" extension, which tests for IP conflicts in your network. Please check the screenshots below:

(Screenshots: ipconflict_en2, ipconflict_en3)

Now you can talk to the person with the "HuaWei" mobile phone and have them fix the issue.

Extension home page: “Network Health Checker”

Wiki page: Check network health of availability, IP conflict, ARP spoof and broadcast storm
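As an added example (not WFilter's code and not the Network Health Checker extension), here is the check such a tool performs, in Python, run over a constructed tcpdump-style ARP capture: an IP address answered by more than one MAC is a conflict. The same signature appears during ARP spoofing, so a known server address acquiring a second MAC deserves an incident, not only a message to the user; the set of server addresses is an assumed input.

```python
import re
from collections import defaultdict

# tcpdump's text form of an ARP reply, e.g.
# "10:00:05.000300 ARP, Reply 192.168.1.10 is-at 7c:a1:77:00:00:01, length 28"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

# Constructed sample capture: 192.168.1.10 is answered by two different MACs.
SAMPLE_CAPTURE = """\
10:00:01.000001 ARP, Request who-has 192.168.1.10 tell 192.168.1.1, length 28
10:00:01.000400 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:55, length 28
10:00:02.000100 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:01, length 28
10:00:03.000200 ARP, Reply 192.168.1.10 is-at 00:11:22:33:44:55, length 28
10:00:05.000300 ARP, Reply 192.168.1.10 is-at 7C:A1:77:00:00:01, length 28
10:00:06.000500 ARP, Reply 192.168.1.30 is-at aa:bb:cc:dd:ee:02, length 28
"""


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def find_ip_conflicts(replies):
    """Map each IP claimed by more than one MAC to {mac: first-seen timestamp}."""
    claims = defaultdict(dict)  # ip -> {mac: first timestamp it answered for ip}
    for ts, ip, mac in replies:
        claims[ip].setdefault(mac, ts)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def conflict_report(text, server_ips=frozenset()):
    """One line per conflicting IP; conflicts on a server address are tagged SERVER."""
    lines = []
    for ip, macs in sorted(find_ip_conflicts(parse_arp_replies(text)).items()):
        tag = "SERVER" if ip in server_ips else "host"
        who = ", ".join(f"{mac} (first seen {ts})" for mac, ts in macs.items())
        lines.append(f"{tag} {ip} claimed by {len(macs)} MACs: {who}")
    return lines


if __name__ == "__main__":
    print("\n".join(conflict_report(SAMPLE_CAPTURE, {"192.168.1.10"})))
```

The first-seen timestamps tell you which MAC held the address originally, which is the device to keep when you decide whom to contact.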

The ISP module of WFilter NG Firewall: a total solution for ISP management.

For ISP network management, you will need:

  1. User authentication.
  2. Monitoring and filtering of internet activities.
  3. Bandwidth shaping.
  4. Accounting and statistics.

Usually, you would need several systems to achieve this. Today, WFilter NG Firewall, a Linux-based next generation firewall, provides a total solution for ISP network management with the following features:

  1. Two types of authentication: "Web Auth" and "PPPoE Auth".
  2. An "Internet Usage" module to record web surfing and downloading activities.
  3. Rich internet access control policies: web filter, application control, IP-MAC binding, and more.
  4. Bandwidth policies with real-time rate limits and monthly bandwidth caps.
  5. Bandwidth optimization solutions.
  6. Internet usage and bandwidth statistics.
  7. A web push feature to push statistics, web pages and advertisements to users.

All these features can be configured in the "WFilter ISP module".

(Screenshots: Policies, User settings, User Portal)

More details can be found here: WFilter NG Firewall ISP Module

Do not forget to block QUIC to block YouTube and other Google sites.

In Google Chrome, a new protocol named QUIC is implemented. The protocol description can be found at https://www.chromium.org/quic

It says QUIC can improve website performance by 3%. However, because QUIC is a UDP-based encrypted protocol, domains that support QUIC will not be blocked by WFilter's web filter.

This issue happens in the Chrome browser with Google sites only (including YouTube). To keep the web filter working, you are recommended to block QUIC completely.

In a pass-by deployment with WFilter Enterprise, you are recommended to block UDP ports 443-65534 on your firewall and router.

In WFilterROS, you can block QUIC in the "app control" module.

Demonstrations of blocking YouTube:

When QUIC is not blocked, you see only QUIC traffic when visiting YouTube with Chrome.

(Screenshot: quic1)

Block QUIC in app control.

(Screenshot: quic2)

Now all "QUIC" connections are blocked, and YouTube can be blocked by WFilter.

(Screenshot: quic3)