Monthly Archives: March 2013

WFilter deployment with a network tap.

1. What is network tap?

A network tap is another good way to monitor network traffic. Compared to a switch with “port mirroring”, it has several advantages:

  1. Handy and flexible; it requires no power supply.
  2. Once a network tap is in place, the network can be monitored without interfering with the network itself.
  3. Low cost; you can even build one yourself.

Guides to building a network tap can be found at the links below:

  1. Throwing Star LAN Tap
  2. Building an Ethernet Tap
  3. Throwing Star LAN Tap
  4. Create a passive network tap for your home network

The disadvantages of a network tap:

  1. It cannot monitor gigabit networks; that requires a “filterable tap”.
  2. The monitoring ports do not allow outgoing traffic. Therefore you need three network cards in the monitoring computer: two for monitoring and a third for communication.

This post will guide you through deploying WFilter with the “Throwing Star LAN Tap”.

2. Deploy the LAN Tap.

First, you need to install three network cards in the monitoring computer.

In this example, the LAN tap is connected between the router and the first switch (J1 and J2). Monitoring ports J3 and J4 are connected to two adapters of the monitoring computer.

The monitoring adapters do not actually require an IP address. In this example, we assign “192.168.1.181” and “192.168.1.182” to the two monitoring adapters (assigning an IP address makes it easier to identify the adapter in WFilter). The third adapter is assigned “192.168.2.189”.

3. Setup WFilter

Check the two monitoring adapters in “System Settings”->“Monitoring Settings”. The third adapter should be chosen as the blocking adapter, which sends the blocking packets.

Now we’re able to monitor client computers. You will notice that one monitoring adapter only gets incoming packets, while the other only gets outgoing packets. This is how a network tap is designed: each monitoring port carries one direction of the tapped link.

Client computers can also be blocked.
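The one-direction-per-adapter split described above can be checked and merged in software. The following Python is an added example, not WFilter’s code: it classifies constructed sample captures by direction, flags a monitoring adapter that sees both directions (a wiring problem), and merges both tap legs back into per-client byte counts. The LAN prefix 192.168.1.0/24 and the gateway address 192.168.1.1 are assumptions consistent with the addresses used in the post.

```python
import ipaddress

# Addresses from the post: the two monitoring adapters fed by tap ports J3 and J4.
# The LAN prefix and gateway address are assumptions consistent with those addresses.
LAN = ipaddress.ip_network("192.168.1.0/24")
GATEWAY = ipaddress.ip_address("192.168.1.1")
MONITOR_ADAPTERS = ("192.168.1.181", "192.168.1.182")

# Constructed sample captures: (capturing adapter, src ip, dst ip, bytes on the wire)
SAMPLE = [
    ("192.168.1.181", "192.168.1.20", "93.184.216.34", 120),
    ("192.168.1.181", "192.168.1.21", "8.8.8.8", 64),
    ("192.168.1.182", "93.184.216.34", "192.168.1.20", 1400),
    ("192.168.1.182", "8.8.8.8", "192.168.1.21", 128),
]

def direction(src: str, dst: str) -> str:
    """Classify a packet crossing the router/switch link relative to LAN clients."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_client = s in LAN and s != GATEWAY
    dst_client = d in LAN and d != GATEWAY
    if src_client and not dst_client:
        return "out"
    if dst_client and not src_client:
        return "in"
    return "other"          # nothing involving a LAN client (should be rare on this link)

def check_tap_legs(records):
    """Each tap leg must carry one direction only. A leg that shows both means the
    adapter is not on a tap monitor port (or is plugged into an ordinary switch port)."""
    seen = {adapter: set() for adapter in MONITOR_ADAPTERS}
    for adapter, src, dst, _ in records:
        d = direction(src, dst)
        if d != "other":
            seen.setdefault(adapter, set()).add(d)
    miswired = sorted(a for a, dirs in seen.items() if len(dirs) != 1)
    return seen, miswired

def per_client_totals(records):
    """Merge both half-duplex legs back into per-client in/out byte counts."""
    totals = {}
    for _, src, dst, size in records:
        d = direction(src, dst)
        if d == "other":
            continue
        client = src if d == "out" else dst
        totals.setdefault(client, {"in": 0, "out": 0})[d] += size
    return totals
```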

WFilter deployment with an OpenWrt router.

1. OpenWrt Introduction

OpenWrt is a highly extensible GNU/Linux distribution for embedded devices. As third-party firmware, OpenWrt can turn your wireless router into a powerful Linux system. With OpenWrt, even if your router hardware does not support a “port mirroring” function, you can still mirror traffic in software.

This post will guide you through installing the “port-mirroring” program on your OpenWrt router and deploying WFilter for internet monitoring and filtering. We assume you already have an OpenWrt router; if not, please check the OpenWrt homepage to get the latest firmware.

2. Port-mirroring program

Port-mirroring is an open source project sponsored by IMFirewall Software; it is designed to mirror network traffic on Linux systems.

2.1. Installation

For a detailed installation guide, please check Port-mirroring open source packet mirroring. In this guide, let’s take a Linksys WRT54G router as an example (with OpenWrt Backfire firmware). Steps:

a). Update the OpenWrt package list.

b). Install the port-mirroring program:

opkg install http://port-mirroring.googlecode.com/files/port-mirroring_1.2-1_backfire_brcm47xx.ipk

2.2. Configuration

You need to edit /etc/config/port-mirroring to set the mirroring target and the mirrored source interfaces.

In this example, we choose the “wlan0” wireless adapter as the mirrored source interface.

2.3. Start Port-mirroring

/etc/init.d/port-mirroring start

3. Check monitoring in WFilter

Now WFilter should be able to monitor client computers.

How to block UDP ports 1024-65534 in a DD-WRT router?

This post will guide you through blocking internet UDP ports 1024-65534 in your DD-WRT router. This is required for WFilter P2P blocking in pass-by filtering mode.

Click “Add/Edit Service” in “Access Restrictions”

Add a port service with the UDP port range 1024-65534

Enable blocking of this new service.

In “Blocked Services”, enable blocking of the newly defined service.

Done. UDP ports 1024-65534 are now blocked.

How to block UDP ports 1024-65534 in an OpenWrt router?

This post will guide you through blocking internet UDP ports 1024-65534 in your OpenWrt router. This is required for WFilter P2P blocking in pass-by filtering mode.

Click “Add Entry” in “Network”->“Firewall”->“Traffic Control”

Define the blocking rule

The destination port shall be “1024-65534”.

Done. Now you can check the blocking policy in the iptables list.

How to block PPS streaming movies on iPhone and Android?

WFilter can block online streaming traffic in your network, even for mobile devices. In this tutorial we will guide you through blocking PPS streaming on iPhone and Android with WFilter 4.0.

Create a “block PPS” policy

Apply this policy to certain devices

Check blocking

PPS on Android is now unavailable.

PPS on iPhone now loads indefinitely.

Blocking events in WFilter.

How to deploy WFilter Free with MikroTik RouterOS (ROS)?

The “packet streaming” feature in RouterOS can send network packets to a packet analyzer for analysis. If you do not have a managed switch, you can enable this feature so that WFilter can monitor and filter network computers.

In this post, I will demonstrate how to set up WFilter Free for web filtering with RouterOS.

Enable Packet Streaming

In “Tools”->“Packet Sniffer”, choose the LAN interface as the sniffer interface.

Set the WFilter server IP as the streaming server

Done. Now you should be able to monitor all network computers in WFilter Free or WFilter Enterprise.
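RouterOS packet sniffer streaming wraps each captured frame in a TZSP (TaZmen Sniffer Protocol) datagram sent by default to UDP port 37008 on the streaming server; that is the stream the WFilter server receives from the router. The following Python receiver is an added example, not WFilter’s or MikroTik’s code: it decodes the TZSP header and tag list, extracts the encapsulated Ethernet frame, and rejects truncated datagrams. The sample datagram is constructed.

```python
import socket
import struct

TZSP_PORT = 37008            # default UDP port RouterOS streams to
TAG_PADDING, TAG_END = 0x00, 0x01   # single-byte tags with no length field
TAG_ORIG_LENGTH = 0x29       # original frame length on the wire
ENCAP_ETHERNET = 0x01

def parse_tzsp(datagram: bytes) -> dict:
    """Decode one TZSP datagram: version(1) type(1) encap(2), tag list, then the frame."""
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    try:
        while True:
            tag = datagram[pos]
            pos += 1
            if tag == TAG_END:
                break
            if tag == TAG_PADDING:
                continue
            length = datagram[pos]          # all other tags are type, length, value
            tags[tag] = datagram[pos + 1:pos + 1 + length]
            pos += 1 + length
    except IndexError:
        raise ValueError("truncated TZSP tag list") from None
    frame = datagram[pos:]
    result = {"type": ptype, "encapsulation": encap, "tags": tags, "frame": frame}
    if encap == ENCAP_ETHERNET and len(frame) >= 14:   # pull the layer-2 addresses
        result["dst_mac"] = frame[0:6].hex(":")
        result["src_mac"] = frame[6:12].hex(":")
        result["ethertype"] = struct.unpack("!H", frame[12:14])[0]
    return result

def build_sample_datagram() -> bytes:
    """Constructed sample: a broadcast ARP frame wrapped as RouterOS would stream it."""
    frame = bytes.fromhex("ffffffffffff001122334455") + b"\x08\x06" + b"\x00" * 28
    header = struct.pack("!BBH", 1, 0, ENCAP_ETHERNET)   # type 0 = received packet
    tags = bytes([TAG_ORIG_LENGTH, 2]) + struct.pack("!H", len(frame)) + bytes([TAG_END])
    return header + tags + frame

def listen(port: int = TZSP_PORT) -> None:
    """Receive TZSP datagrams from the router and print one line per captured frame."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        while True:
            data, (router_ip, _) = sock.recvfrom(65535)
            pkt = parse_tzsp(data)
            print(f"{router_ip}: {pkt.get('src_mac')} -> {pkt.get('dst_mac')} ethertype=0x{pkt.get('ethertype', 0):04x} len={len(pkt['frame'])}")
```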

Let’s add a blocking policy to check.

First, add a blocking level.

Block web surfing

Second, apply this blocking policy to the target IP range.

Check blocking