Netify and OpenWrt

Though Netify is able to run on any flavor of Linux and xBSD, this document provides hands-on details on a working proof-of-concept with Netify and OpenWrt. We will walk through some of the concepts and provide some examples showcasing DPI/Layer 7 features:

  • Shaping the BitTorrent protocol with QoS
  • Implementing a MultiWAN routing policy for stream media applications
  • Blocking Facebook traffic using DPI metadata
  • Enabling Netify network intelligence

Before getting started, please take 5 minutes to read the Network Policies Overview!
OpenWrt

Installation

OpenWrt Environment

The following reference guide was tested using OpenWrt 19.07 configured as a NAT gateway. In addition, one of the examples at the end of this guide shows how to route Zoom traffic out a preferred WAN in a multiWAN (mwan3) environment.

Netify and FWA

This working proof-of-concept uses two separate daemons (see adjacent table) to accomplish the target features listed above.

Service      Name                     Description
netifyd      Netify DPI Engine        This daemon consumes network traffic and generates DPI metadata. No firewalling, no marking, no QoS... just DPI and network metadata.
netify-fwa   Netify Firewall Agent    This daemon consumes the netifyd metadata and provides Layer 7 glue for firewall/QoS engines.
To keep the free on-system version of the Netify Agent open source, cloud-based heuristics are not included. However, the cloud-enhanced version of the Netify Agent can be configured to maintain IP sets and connection marking directly. This reduces the overhead and latency involved with using the Netify Firewall Agent. Contact us for details.

Netifyd Install

To install and configure netifyd on OpenWrt 19.07, run:

opkg update
opkg install netifyd

The netifyd version in OpenWrt 19.07.6 and earlier is quite old, so a netifyd package upgrade is required for those older OpenWrt installs. See the OpenWrt netifyd upgrade guide for details.

Netify FWA Install

The Netify Firewall Agent (Netify FWA) is architecture-independent Python, so you can install it on any OpenWrt system. Please keep in mind that this software is typically customized to meet the specifications of a custom product solution. However, the vanilla version is the place to start! To install:

opkg update
wget http://download.netify.ai/netify/openwrt/19.07/noarch/netify-fwa-1.2.5-2.ipk
opkg install netify-fwa-1.2.5-2.ipk

Configuration

Network Configuration

The examples in this document use an OpenWrt system configured as a NAT gateway. Both netifyd and netify-fwa need to know which interfaces are internal LANs and which interfaces are upstream WANs. The current versions of netifyd and netify-fwa in OpenWrt 19.07 automatically configure:

  • results returned from "uci get network.lan.ifname" as the LAN interface
  • results returned from "uci get network.wan.ifname" as the WAN interface

If you are using a different network setup, please send us a quick message from our contact page for information on how to override the automatic detection.

Netify FWA Rules

Now it's time to configure example rules for demonstrating the three different rule types in Netify FWA. Keep in mind that the vanilla software can be customized to take any kind of action and enforce any kind of network policy; the three types shown here are just the defaults available in the vanilla install.

The Netify FWA rules are configured in the /etc/netify-fwa/netify-fwa.json file. The following rules are used in the examples provided later in this document:

Example: /etc/netify-fwa/netify-fwa.json

{
  "version": "1.0",
  "rules": [
    {
        "type": "ipset",
        "application_category": "streaming-media"
    },
    {
        "type": "mark",
        "protocol": "bittorrent",
        "mark": 3
    },
    {
        "type": "block",
        "application": "netify.facebook"
    }
  ]
}

Quick translation:

  • Rule #1 - ipset: All streaming media detections (Netflix, YouTube, Hulu, etc.) are maintained in an IP set
  • Rule #2 - mark: All BitTorrent traffic is marked with the specified mark
  • Rule #3 - block: All Facebook traffic is blocked

More detailed information about Netify FWA is available in its documentation. For quick reference, the application tags used in the rules (e.g. netify.facebook in the example configuration) are published in the Netify documentation as well.

Running

Now that everything is configured, it’s time to start up netifyd and netify-fwa. Use the following table for details:

Service      Start/Stop                   Debug Mode
Netifyd      service netifyd start        netifyd --internal br-lan --external eth1 -d
             service netifyd enable
             service netifyd stop
Netify FWA   service netify-fwa start     netify-fwa -d
             service netify-fwa enable
             service netify-fwa stop

For netifyd debug mode, change the --internal and --external flags to meet your needs. You can specify multiple interfaces, e.g. netifyd --internal br-lan --external eth1 --external eth2 -d

Examples

Blocking: Facebook

The example configuration file specified a block rule for Facebook traffic (see the configuration block below). If you use the ipset command line tool, you should see two Facebook-related IP sets (NFA4_APP_FACEBOOK and NFA6_APP_FACEBOOK) when netify-fwa is running - one for IPv4 and the other for IPv6.

You can use a web browser or a mobile app to test Facebook DPI blocking. You will see IP/port information similar to the example below when traffic is flowing through the OpenWrt system. You may also see some Facebook traffic pass through before getting blocked, because the IP set is only populated once netifyd has detected the application in the flow. There are some tricks to speed up the reaction time - please feel free to contact us for details!

# Configuration block from /etc/netify-fwa/netify-fwa.json
{
  "type": "block",
  "application": "netify.facebook"
}
# ipset list
...
Name: NFA4_APP_FACEBOOK
Type: hash:ip,port,ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 1200
Size in memory: 352
References: 2
Number of entries: 2
Members:
45.57.90.1,tcp:443,192.168.1.169 timeout 1195
54.160.93.182,tcp:443,192.168.1.169 timeout 1195

...
Name: NFA6_APP_FACEBOOK
Type: hash:ip,port,ip
...
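To verify that the block sets are actually populated for the expected client/server pairs, the ipset list output above can be parsed rather than eyeballed. The following parser is an added example and not part of Netify FWA; its input is constructed from the listing shown above, with the NFA6 header values filled in for the demo.

```python
import re

# Constructed from the "ipset list" output shown above; the NFA6 block's
# header values are filled in here for the demo and are not on the page.
IPSET_LIST_OUTPUT = """\
Name: NFA4_APP_FACEBOOK
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536 timeout 1200
Number of entries: 2
Members:
45.57.90.1,tcp:443,192.168.1.169 timeout 1195
54.160.93.182,tcp:443,192.168.1.169 timeout 1195

Name: NFA6_APP_FACEBOOK
Type: hash:ip,port,ip
Header: family inet6 hashsize 1024 maxelem 65536 timeout 1200
Number of entries: 0
Members:
"""

# "Key: value" lines of the listing; member lines start with an address, never this way.
KV_RE = re.compile(r"^([A-Z][A-Za-z ]*):(?: (.*))?$")

def parse_ipset_list(text):
    """Parse ipset list output into {set_name: {field: value, "members": [...]}}."""
    sets, cur = {}, None
    for line in text.splitlines():
        kv = KV_RE.match(line)
        if kv and kv.group(1) == "Name":
            cur = sets.setdefault(kv.group(2), {"members": []})
        elif cur is None or not line.strip():
            continue
        elif kv:
            cur[kv.group(1)] = kv.group(2) or ""
        else:  # member line: "<entry> [timeout <seconds>]"
            toks = line.split()
            member = {"entry": toks[0]}
            if len(toks) == 3 and toks[1] == "timeout":
                member["timeout"] = int(toks[2])
            cur["members"].append(member)
    return sets

def blocked_pairs(sets, app="FACEBOOK"):
    """Return (client, server, proto:port) for every entry in the v4 and v6 block sets."""
    pairs = []
    for name in (f"NFA4_APP_{app}", f"NFA6_APP_{app}"):
        for m in sets.get(name, {}).get("members", []):
            server, proto_port, client = m["entry"].split(",")  # hash:ip,port,ip layout
            pairs.append((client, server, proto_port))
    return pairs
```

On a live system, feed it the real output with parse_ipset_list(subprocess.check_output(["ipset", "list"], text=True)) and compare blocked_pairs() against the LAN clients you expect to be affected.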

IP Sets: MultiWAN Routing

OpenWrt multiwan (mwan3) supports the use of IP sets to set routing policies. You can find the mwan3 documentation on the OpenWrt web site (multiWAN on OpenWrt).

First, the streaming media application category is configured in the Netify FWA configuration file (/etc/netify-fwa/netify-fwa.json) as shown in the first configuration block below.

Next, you can use the mwan3 web-based interface to configure a rule to send all applications in Netify's media streaming category (Netflix, YouTube, Hulu, etc.) out the second WAN interface (wanb_only). The second configuration block below, from /etc/config/mwan3, is what it looks like under the hood.

In order to be compatible with OpenWrt's mwan3, the IP set will only contain a list of server IP addresses instead of the full 3-part identifier (client IP, server IP, server port). This behavior can be customized and modified in the OpenWrt driver for Netify FWA.

# Configuration block from /etc/netify-fwa/netify-fwa.json
{
  "type": "ipset",
  "application_category": "streaming-media"
}
# Configuration block from /etc/config/mwan3

config rule 'media_streaming'
    option proto 'all'
    option sticky '1'
    option timeout '300'
    option ipset 'NFA4_APPCAT_STREAMING_MEDIA'
    option use_policy 'wanb_only'

ProTip: in the mwan3 web interface, make sure your custom policies are at the top of the list!
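To make the three rule types from the Netify FWA Rules section concrete, and to show why the mwan3 set above carries server addresses only while the Facebook block set carries full client/server/port entries, here is a small rule evaluator. It is an added example, not Netify FWA's own code: it takes a flow record with DPI metadata and returns the ipset/iptables commands that would enforce the matching rules. The flow field names (local_ip, other_ip, proto, other_port, detected_protocol, detected_application, application_category) and the sample flow are assumptions for the demo; netifyd's real metadata schema is not shown on this page.

```python
# Rules from the page's example /etc/netify-fwa/netify-fwa.json
RULES = {"version": "1.0", "rules": [
    {"type": "ipset", "application_category": "streaming-media"},
    {"type": "mark", "protocol": "bittorrent", "mark": 3},
    {"type": "block", "application": "netify.facebook"},
]}

# Constructed sample flow; the field names are assumptions for this demo
# (netifyd's real JSON schema is not shown on the page).
SAMPLE_FLOW = {
    "local_ip": "192.168.1.169", "other_ip": "45.57.90.1",
    "proto": "tcp", "other_port": 443,
    "detected_protocol": "tls", "detected_application": "netify.facebook",
    "application_category": "social",
}

def set_name(rule, family):
    """Name the IP set the way the page shows (NFA4_APP_FACEBOOK, NFA4_APPCAT_STREAMING_MEDIA)."""
    prefix = "NFA4" if family == 4 else "NFA6"
    if "application" in rule:  # netify.facebook -> FACEBOOK
        return f"{prefix}_APP_{rule['application'].split('.', 1)[-1].upper()}"
    return f"{prefix}_APPCAT_{rule['application_category'].replace('-', '_').upper()}"

def rule_matches(rule, flow):
    """A rule matches when every selector it carries equals the flow's DPI metadata."""
    selectors = {"protocol": "detected_protocol", "application": "detected_application",
                 "application_category": "application_category"}
    return all(rule[k] == flow.get(f) for k, f in selectors.items() if k in rule)

def actions_for_flow(rules, flow):
    """Return the ipset/iptables commands (as strings) that enforce the matching rules."""
    family = 6 if ":" in flow["other_ip"] else 4
    fw = "iptables" if family == 4 else "ip6tables"
    cmds = []
    for rule in rules["rules"]:
        if not rule_matches(rule, flow):
            continue
        if rule["type"] == "block":  # full 3-part entry in a hash:ip,port,ip set
            cmds.append(f"ipset -exist add {set_name(rule, family)} {flow['other_ip']},"
                        f"{flow['proto']}:{flow['other_port']},{flow['local_ip']} timeout 1200")
        elif rule["type"] == "ipset":  # server IP only, so mwan3 can consume the set
            cmds.append(f"ipset -exist add {set_name(rule, family)} {flow['other_ip']} timeout 1200")
        elif rule["type"] == "mark":  # connection mark that a QoS engine can key on
            cmds.append(f"{fw} -t mangle -I PREROUTING -s {flow['local_ip']} -d {flow['other_ip']} "
                        f"-p {flow['proto']} --dport {flow['other_port']} -j CONNMARK --set-mark {rule['mark']}")
    return cmds

if __name__ == "__main__":
    print("\n".join(actions_for_flow(RULES, SAMPLE_FLOW)))
```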

Marks: QoS Engine

Coming Soon.

Network Intelligence: Netify

The last example is a plug for our own solution - Netify Informatics! There's a 7-day free trial, so go ahead and give it a try. To enable the service:

netifyd --enable-sink
service netifyd restart
netifyd -p

The last command provides the Agent UUID - you will need that ID to provision the system here. You can read about the Features and Benefits on this web site.

Sample Feature: Device Discovery

Netify Informatics automatically identifies and inventories devices on the network

Netify Device Discovery

Integration and Custom Solutions

Do you have any questions about integration, APIs or custom development?

Contact Us