When shall you use two network cards for monitoring and blocking?

In “pass-by” filtering mode (WFilter works on a mirroring port), WFilter sends RST packets to block TCP connections. However, if outgoing traffic is limited on the blocking adapter, the blocking feature of WFilter might not work.

The default settings of WFilter use the same adapter for monitoring and blocking. However, this will not work if either of the following conditions is met:

  1. The monitoring switch does not allow outgoing traffic on the mirroring port. You can check this by pinging other computers from the monitoring computer. This problem can be solved by changing the switch settings (if supported) or by adding a separate blocking adapter. Cisco switches have an “ingress” parameter to enable outgoing traffic on the mirroring port.
  2. The monitoring adapter is too busy receiving mirrored packets. We recommend using another NIC for blocking when you have 50+ computers. To check this, run “System Settings”->“Check Settings” to perform a check on the blocking adapter.

Steps to add a blocking adapter

1. Add a physical network card and connect this NIC to a normal port on your switch. If you have multiple VLANs, the blocking adapter should be in a VLAN that can reach the other VLANs.

2. Assign an available IP address and gateway settings to the new NIC.

3. If WFilter does not detect the new card in “System Settings”->“Monitoring Settings”, click “Start”->“IMFirewall WFilter”->“Tools”->“Restart WFilter Service” to reload the adapter list.

4. Choose the new network card as the “blocking adapter” in “System Settings”->”Monitoring Settings”->”Monitoring Device Settings”.

5. Run “System Settings”->”Check Settings” to check.

6. Sometimes Windows cannot choose the correct network card for communication; in that case, see this topic on setting the “Metric”: Blocking adapter doesn’t work when using two network cards
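As an added example (not WFilter's own tooling), the following PowerShell script performs the pre-flight checks behind steps 2, 5 and 6 for a named blocking adapter: it confirms the adapter is up with an IPv4 address and default gateway, pings a LAN host from that adapter's own address so a mirror port that drops egress cannot mask the result, and optionally gives the blocking adapter a lower interface metric than the monitoring adapter so Windows prefers it for outgoing packets. The adapter names and the test host are assumptions to replace with your own.

```powershell
# Added example, not part of WFilter. Run in an elevated PowerShell on the WFilter host.
# Adapter names and the test host below are assumptions; replace them with your own values.
param(
    [string]$BlockingAdapter   = "Ethernet 2",   # NIC connected to a normal switch port
    [string]$MonitoringAdapter = "Ethernet",     # NIC connected to the mirror/SPAN port
    [string]$TestHost          = "192.0.2.10",   # any reachable LAN host (documentation range used here)
    [switch]$FixMetric                           # set metrics so Windows sends via the blocking NIC
)

$ErrorActionPreference = "Stop"

$nic = Get-NetAdapter -Name $BlockingAdapter
if ($nic.Status -ne "Up") { throw "Blocking adapter '$BlockingAdapter' is not up (status: $($nic.Status))." }

# Step 2: the blocking adapter needs its own IPv4 address and a default gateway.
$ip = Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
      Where-Object { $_.PrefixOrigin -ne "WellKnown" } | Select-Object -First 1
if (-not $ip) { throw "Blocking adapter has no IPv4 address assigned." }

$gw = Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue
if (-not $gw) { Write-Warning "No default gateway on the blocking adapter; other VLANs will be unreachable." }

# Step 5 equivalent: can this adapter actually transmit? Ping *from* its address (-S),
# otherwise Windows may silently route the probe out of the monitoring NIC instead.
$pingOut = & ping.exe -S $ip.IPAddress -n 2 -w 1000 $TestHost
if ($pingOut -match "TTL=") {
    Write-Host "OK: $TestHost answers pings sent from $($ip.IPAddress) on '$BlockingAdapter'."
} else {
    Write-Warning "No reply from $TestHost via '$BlockingAdapter'; RST-based blocking will fail from this NIC."
}

# Step 6: Windows picks the outgoing NIC by route metric. Make the blocking adapter the
# preferred path by giving it a lower interface metric than the monitoring adapter.
$mon = Get-NetIPInterface -InterfaceAlias $MonitoringAdapter -AddressFamily IPv4
$blk = Get-NetIPInterface -InterfaceAlias $BlockingAdapter   -AddressFamily IPv4
Write-Host ("Interface metrics: monitoring={0} blocking={1}" -f $mon.InterfaceMetric, $blk.InterfaceMetric)
if ($FixMetric -and $blk.InterfaceMetric -ge $mon.InterfaceMetric) {
    Set-NetIPInterface -InterfaceAlias $BlockingAdapter   -AddressFamily IPv4 -InterfaceMetric 10
    Set-NetIPInterface -InterfaceAlias $MonitoringAdapter -AddressFamily IPv4 -InterfaceMetric 100
    Write-Host "Metrics updated; re-run “System Settings”->“Check Settings” in WFilter to confirm."
}
```

Run it without `-FixMetric` first to see the current state; a ping failure here means the blocking adapter cannot transmit and WFilter's RST packets will never reach the clients.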

Further readings:

How WFilter works to block internet connections in network?
