From Wiki of WFilter NG Firewall


1 Introduction

WFilter NGF supports three deployment types: gateway, network bridge and passby. For a full comparison, see "Features comparison of different deployment". In brief:

  • In gateway deployment, all features are available, including VLAN, port forwarding, VPN and others that are not available in bridge mode.
  • A network bridge can be deployed transparently with no changes to your existing network. Most features are available in bridge mode.
  • In passby deployment, the NGF system listens to internet traffic on a mirroring port of your switch.

2 Gateway Deployment

Gateway deployment: WFilter NG Firewall acts as the gateway for the local network. Usually, WFilter NG Firewall replaces your current gateway. Network diagram:

Ros guide gateway.png

2.1 WAN

Interface gateway01.png

Interface gateway02.png

  • Protocol: PPPoE, DHCP, static IP.
  • Peer DNS: Use the dynamically assigned DNS servers with the PPPoE and DHCP protocols. If disabled, the DNS servers configured in "DNS" are used instead.
  • MAC Clone: Modify the MAC address of this WAN interface.
  • VLAN ID: Enable 802.1q VLAN in this WAN interface.

2.2 LAN

Interface gateway05.png

Interface gateway03.png

Interface gateway04.png

  • Each LAN interface can have its own subnet, or all LAN interfaces can share the same subnet.
  • Each LAN interface can have a DHCP service.
  • When IP-MAC Binding is enabled, clients are always assigned the bound IP by the DHCP service.

2.2.1 DHCP Options

  • By default, the DHCP gateway and DNS server are both set to WFilter's LAN IP address.
  • If you need to modify the default DHCP options, the syntax is "DHCP code,Value" (one option per line). For example:
    • 3, gateway)
    • 6, dns server)
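
The check below is an added example, not part of the WFilter documentation or product code: it lints a block of custom DHCP options written in the "DHCP code,Value" syntax and flags malformed lines, plus any option 3 or 6 value that no longer includes the firewall's LAN IP (the default described above). The function name, the sample addresses and the handling of several addresses in one value are assumptions.

```python
import ipaddress

# Options whose value is one or more IPv4 addresses (RFC 2132): 3 = router, 6 = DNS servers.
ADDRESS_OPTIONS = {3: "gateway", 6: "dns server"}

def check_dhcp_options(text, lan_ip):
    """Parse "code,Value" lines; return (options dict, list of (line_no, message))."""
    lan = ipaddress.IPv4Address(lan_ip)
    options, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        code_s, sep, value = line.partition(",")   # split on the first comma only
        value = value.strip()
        if not sep or not code_s.strip().isdecimal() or not value:
            findings.append((n, "not in 'code,Value' form"))
            continue
        code = int(code_s)
        if not 1 <= code <= 254:                   # 0 and 255 are pad/end markers
            findings.append((n, f"option code {code} outside 1-254"))
            continue
        if code in options:
            findings.append((n, f"option {code} given more than once"))
        options[code] = value
        if code in ADDRESS_OPTIONS:
            try:  # assumption: several addresses may be separated by commas or spaces
                addrs = [ipaddress.IPv4Address(a) for a in value.replace(",", " ").split()]
            except ipaddress.AddressValueError:
                findings.append((n, f"option {code} value is not an IPv4 address"))
                continue
            if lan not in addrs:
                findings.append((n, f"{ADDRESS_OPTIONS[code]} no longer points at the LAN IP {lan}"))
    return options, findings

# Constructed sample input (addresses are illustrative, not taken from the page).
SAMPLE = """3,192.168.10.1
6,192.168.10.1,203.0.113.53
6 8.8.8.8
42,192.168.10.5
3,192.168.10.254
"""

if __name__ == "__main__":
    opts, issues = check_dhcp_options(SAMPLE, "192.168.10.1")
    for n, msg in issues:
        print(f"line {n}: {msg}")
```

A finding on option 3 or 6 is a prompt to confirm the override is intended, since clients on that LAN will then use a gateway or resolver other than the firewall.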

3 Bridge Deployment

Bridge deployment: Build one or more network bridges on selected interfaces. With bridge deployment, you can deploy WFilter transparently, without changing your current network topology. Network diagram:

Ros guide bridge.png

3.1 Settings

Interface bridge01.png

  • Each bridge has one LAN interface and one WAN interface.
  • You can build multiple bridges if needed.
  • You can set up a management interface to access the web UI.

Interface bridge02.png

  • Management Interface:
    • The management interface is for web UI access, web authentication UI access...
    • IP, Mask: IP, Mask of the management interface.
    • Gateway: Gateway of the management interface. WFilter needs a gateway on this interface to get updates.
    • Subnet(s): local subnets to be managed. Syntax:, one subnet per line. "-" starts a subnet exception, for example: "-".

Interface bridge03.png

You can build new bridges from "undefined interfaces". For new bridges, you only need to configure LAN & WAN interfaces.

4 Passby Deployment

Passby deployment: the NGF system listens to internet traffic on a mirroring port of your switch. You need to set up a mirroring port (SPAN port) on your switch.

Ros guide passby.png

  • Observ Port

The observ port must be connected to a mirroring port on your core switch to listen to internet traffic.

  • Management Port

The management port is how the NGF system accesses the network. It is also used for sending RST packets to block clients' TCP connections. The management port's VLAN must be able to reach the other client VLANs.
