WFP with 2 NICs

  • Question

  • Here's another question about captive portals.
    If I have a gateway, a Windows 7 computer with 2 NICs (1 for the LAN, 1 for the WAN), with a bridge, a NAT or routing between the NICs:
    1. What is the highest level in the WFP stack where it is possible to block and redirect non-identified connections coming from the LAN? Transport?
    2. Is it possible to install the callout driver only for the LAN NIC? How to select the (non) affected NICs during driver installation?

    Thanks for your help.

    Monday, December 12, 2011 6:39 PM

Answers

  • If the packets are locally destined, then you can capture traffic at all layers. If the traffic is transient (going in one NIC and out the other) then you can capture at FWPM_LAYER_IP_FORWARD_V* in Vista+ and additionally at FWPM_LAYER_{INBOUND/OUTBOUND}_MAC_FRAME_NATIVE and FWPM_LAYER_{INBOUND/OUTBOUND}_MAC_FRAME_ETHERNET for Windows 8.

    The callouts are universal to the kernel, and whether they are invoked is determined by the filters added. This means you can add filters that only affect the LAN interface and cause the callout to be invoked only for that traffic.

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Tuesday, December 13, 2011 12:44 AM
    Moderator

All replies

  • Thanks for your answer. For transient traffic, would you recommend WFP over NDIS for a new design where XP/Vista compatibility is not required?
    Tuesday, December 13, 2011 10:25 AM
  • WFP would be the recommended solution.

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    Tuesday, December 13, 2011 1:59 PM
    Moderator
  • What are the main tips, tricks and traps if I want to modify the traffic inspection sample from transport layer to the FWPM_LAYER_IP_FORWARD layer?
    • Edited by OlivierMSDN Thursday, February 9, 2012 4:29 PM
    Wednesday, February 8, 2012 9:29 PM
  • Offhand, you will need to change the layer, the filtering conditions, where the data offset is for when the packet is cloned (beginning of the IP header), how you inspect the packet (you will need to advance the buffer to get to the transport header, etc.), and the injection function you call (FwpsInjectForwardAsync).

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Thursday, February 9, 2012 4:59 PM
    Moderator
  • Thanks.
    - Can I safely remove all the ALE related code in the sample?
    - Is the test in TLInspectCloneReinjectInbound about IPsec still relevant?
    - When you say "you will need to advance the buffer to get to the transport header", is it the line:
         packet->ipHeaderSize + packet->transportHeaderSize
        --> an additional header size must be added here?

    Thursday, February 9, 2012 9:37 PM
  • You could gut the ALE code. Nothing special about IPsec is needed for the injection; however, you do need to be aware of its state if you are inspecting the IP payload. At IPFORWARD, the packet offset is already at the IP header.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Saturday, February 11, 2012 7:57 PM
    Moderator
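The header walk discussed above, as an added example that is not code from this thread or from the WDK inspect sample: at the forward layer the cloned buffer starts at the IP header, so the IHL field (not a fixed 20 bytes) gives the transport header offset, and the length fields are validated before any offset is trusted. It is portable C with no WFP dependencies and assumes the header bytes have already been made contiguous (as a callout would do with NdisGetDataBuffer).

```c
#include <stdint.h>
#include <stddef.h>

/* At FWPM_LAYER_IP_FORWARD_V4 the cloned NET_BUFFER's data offset is already
 * at the IPv4 header, so the transport header is reached by advancing IHL*4
 * bytes (not a fixed 20) and the payload begins at ip + transport size. */
typedef struct {
    size_t  ipHeaderSize;        /* IHL * 4, 20..60 */
    size_t  transportHeaderSize; /* TCP data offset * 4, UDP 8, else 0 */
    size_t  payloadOffset;       /* ipHeaderSize + transportHeaderSize */
    uint8_t protocol;            /* IPv4 protocol field (6 TCP, 17 UDP) */
} ForwardPacketLayout;

/* buf/len: contiguous header bytes as NdisGetDataBuffer would return them
 * (assumed contiguous). Returns 0, or -1 if not IPv4, malformed or truncated. */
int LocateTransportHeader(const uint8_t *buf, size_t len, ForwardPacketLayout *out)
{
    if (len < 20 || (buf[0] >> 4) != 4) return -1;           /* not IPv4 */
    size_t ihl = (size_t)(buf[0] & 0x0F) * 4;
    if (ihl < 20 || ihl > len) return -1;                     /* bogus IHL */
    size_t totalLen = ((size_t)buf[2] << 8) | buf[3];
    if (totalLen < ihl || totalLen > len) return -1;          /* truncated */
    size_t fragOff = ((size_t)(buf[6] & 0x1F) << 8) | buf[7];
    uint8_t proto = buf[9];
    size_t thl = 0;
    if (fragOff == 0 && proto == 6) {                         /* TCP */
        if (ihl + 20 > totalLen) return -1;
        thl = (size_t)(buf[ihl + 12] >> 4) * 4;
        if (thl < 20 || ihl + thl > totalLen) return -1;
    } else if (fragOff == 0 && proto == 17) {                 /* UDP */
        if (ihl + 8 > totalLen) return -1;
        thl = 8;
    }   /* non-first fragments and other protocols: no transport header */
    out->ipHeaderSize = ihl;
    out->transportHeaderSize = thl;
    out->payloadOffset = ihl + thl;
    out->protocol = proto;
    return 0;
}

/* Constructed sample (not a capture): IPv4 with a Router Alert option (IHL=6,
 * 24 bytes) + TCP with an MSS option (data offset 6, 24 bytes) + 4 payload bytes. */
static const uint8_t kSampleTcp[52] = {
    0x46,0x00,0x00,0x34, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00, 0xC0,0xA8,0x01,0x0A,
    0x0A,0x00,0x00,0x01, 0x94,0x04,0x00,0x00, 0xC0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0x00, 0x60,0x18,0xFF,0xFF, 0x00,0x00,0x00,0x00, 0x02,0x04,0x05,0xB4,
    0xDE,0xAD,0xBE,0xEF };

int SampleTcpLayout(ForwardPacketLayout *out)
{ return LocateTransportHeader(kSampleTcp, sizeof kSampleTcp, out); }
```

For the sample packet the payload offset is 48, not the 40 a fixed-20 assumption would give; a callout that skipped the length checks would read past a truncated clone.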