Operating Modes

nFW can operate in different modes in order to fit in some common network scenarios.

Spoofing Mode

Spoofing mode is the easiest way to connect nFW to an existing network. It is plug-and-play: once this mode is activated, no additional network configuration is needed. For this reason, it is the mode enabled by default in nFW.

A common scenario is a home network where the router provides internet connectivity via WiFi. Once the nFW device is connected to one of the available Ethernet ports, nFW forces all the connected devices to follow the configured policies. This works fine with most internet routers, but there are some exceptions including (but not limited to):

  • Use of IPv6, which is incompatible with spoofing because spoofing is an IPv4-only technology
  • Asymmetrical routing, i.e. you use local gateway X to send packets out of your LAN, and gateway Y to receive packets for LAN hosts
  • Port forwarding, i.e. you have a local host that is visible to the Internet via a port-forwarding rule configured on your gateway. For instance you map port 3000 of your gateway to port 80 of local host X.
  • Internet gateway that constantly sends ARP packets to all hosts to figure out if they are alive

In the unlikely event of an unsupported network configuration such as one of those listed above, please refer to the DHCP Server Mode described below.

DHCP Server Mode

The DHCP server mode works similarly to the spoofing mode and has similar application contexts. This mode requires some manual setup and knowledge of the home network.

Warning

Before proceeding with this mode, it’s necessary to disable the DHCP server integrated into the home router. The steps to do this vary from router to router, but they all involve connecting to the router administration page (usually at http://192.168.1.1), entering the DHCP Server settings and disabling it. Some routers, however, do not allow this, in which case this mode cannot be used.

Here are the required fields in order to set up DHCP server mode correctly.

nFW DHCP Server Mode
  • Host IP Address: the nFW device IP address
  • The Netmask
  • Router IP Address: the IP address of the internet router
  • DHCP Lower/Upper IP Address: the range of IP addresses which nFW will assign to the devices which connect to the network

Note

The router IP and the nFW host IP must be outside of the DHCP range.

In the picture above, the nFW device (IP 192.168.1.8) will assign IP addresses in the range 192.168.1.100-200 to client devices and will forward the traffic to the internet router at 192.168.1.1.

Warning

In this mode, nFW can be circumvented by devices which know the real router IP address and use a static IP to connect to it.
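The following is an added example, not part of nFW or its documentation: it checks a set of DHCP Server Mode fields against the Note above and lists addresses seen on the LAN that fall outside the DHCP range, which is where a statically configured device would show up. The function names, the netmask value and the list of observed addresses are assumptions made for illustration.

```python
import ipaddress

def check_dhcp_mode(host_ip, netmask, router_ip, lower, upper):
    """Return a list of problems with the DHCP Server Mode fields (empty = OK). IPv4 only."""
    net = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    host, router, lo, hi = (ipaddress.ip_address(a)
                            for a in (host_ip, router_ip, lower, upper))
    problems = []
    if lo > hi:
        problems.append("DHCP lower address is above the upper address")
    # Router and pool must share the nFW subnet, otherwise clients cannot reach them.
    for name, addr in (("router", router), ("DHCP lower", lo), ("DHCP upper", hi)):
        if addr not in net:
            problems.append(f"{name} address {addr} is not in {net}")
    # The Note on this page: router IP and nFW host IP must be outside the DHCP range.
    for name, addr in (("router", router), ("nFW host", host)):
        if lo <= addr <= hi:
            problems.append(f"{name} address {addr} is inside the DHCP range")
    return problems

def hosts_outside_pool(observed_ips, lower, upper, known=()):
    """Addresses seen on the LAN that nFW cannot have leased (static-IP candidates).

    A static address picked inside the pool is not flagged; that needs lease data.
    """
    lo, hi = ipaddress.ip_address(lower), ipaddress.ip_address(upper)
    skip = {ipaddress.ip_address(k) for k in known}
    seen = {ipaddress.ip_address(ip) for ip in observed_ips}
    return [str(ip) for ip in sorted(seen) if not lo <= ip <= hi and ip not in skip]

if __name__ == "__main__":
    # Addresses from the page's example; the netmask is an assumed value.
    cfg = dict(host_ip="192.168.1.8", netmask="255.255.255.0",
               router_ip="192.168.1.1", lower="192.168.1.100", upper="192.168.1.200")
    print(check_dhcp_mode(**cfg))
    # Constructed sample of addresses taken from a neighbour/ARP table.
    observed = ["192.168.1.1", "192.168.1.8", "192.168.1.101", "192.168.1.50"]
    print(hosts_outside_pool(observed, cfg["lower"], cfg["upper"],
                             known=[cfg["router_ip"], cfg["host_ip"]]))
```

Any address the second function reports was not assigned by nFW, so that device is worth checking for a static configuration pointing at the real router.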

Transparent Bridge Mode

This mode requires two network interfaces and a network topology which separates the internet gateway from the access point or switch where the clients are connected. In this topology, nFW can sit between the two devices so that all the traffic to and from the internet must physically pass through it. In such environments, this mode is more suitable than the spoofing mode, provided that at least two network interfaces are available on the device.

This mode does not require specific network configuration, as the device will get the IP address dynamically.

nFW Transparent Bridge Mode

The LAN and WAN interfaces must be configured properly.

  • The LAN is the interface which faces the client devices
  • The WAN is the interface which faces the internet