OpenWrt Reference
Netify and OpenWrt
Though Netify is able to run on any flavor of Linux and xBSD, this document provides hands-on details on a working proof-of-concept with Netify and OpenWrt. We will walk through some of the concepts and provide some examples showcasing DPI/Layer 7 features:
- Shaping the BitTorrent protocol with QoS
- Implementing a MultiWAN routing policy for stream media applications
- Blocking Facebook traffic using DPI metadata
- Enabling Netify network intelligence
to read the Network Policies Overview!

Installation
OpenWrt Environment
The following reference guide was tested using OpenWrt 19.07 configured as a NAT gateway. In addition, one of the examples at the end of this guide shows how to route Zoom traffic out a preferred WAN in a multiWAN (mwan3) environment.
Netify and FWA
This working proof-of-concept uses two separate daemons (see adjacent table) to accomplish the target features listed above.
Service | Name | Description |
---|---|---|
netifyd | Netify DPI Engine | This daemon consumes network traffic and generates DPI metadata. No firewalling, no marking, no QoS... just DPI and network metadata. |
netify-fwa | Netify Firewall Agent | This daemon consumes the netifyd metadata and provides Layer 7 glue for firewall/QoS engines. |
Netifyd Install
To install and configure netifyd on OpenWrt 19.07, run:
opkg update
opkg install netifyd
The default netifyd version in 19.07 is quite old, so an upgrade to the snapshot version is required for this walkthrough: See the OpenWrt upgrade guide for details.
Netify FWA Install
The Netify Firewall Agent (Netify FWA) is architecture-independent Python, so you can install it on any OpenWrt system. Please keep in mind, this software is typically customized to meet the specifications of a custom product solution. However, the vanilla version is the place to start! To install:
opkg update
opkg install ipset python3-urllib python3-openssl python3-codecs python3-ctypes
wget http://download.netify.ai/netify/openwrt/19.07/noarch/netify-fwa-1.2.5.tar.gz
tar -C / -xzvf netify-fwa-1.2.5.tar.gz
Configuration
Network Configuration
The examples in this document use an OpenWrt system configured as a NAT gateway. Both netifyd and netify-fwa need to know which interfaces are internal LANs and which interfaces are upstream WANs. The current versions of netifyd and netify-fwa in OpenWrt 19.07 automatically configure:
- br-lan as the internal LAN interface
- results returned from "uci get network.wan.ifname" as the WAN interface
If you are using a different network setup, please send us a quick message from our contact page for information on how to override the automatic detection.
Netify FWA Rules
Now it's time to configure example rules for demonstrating the three different rule types in Netify FWA. Keep in mind that the vanilla software can be customized to take any kind of action and enforce any kind of network policy; these are just the default types available in the vanilla install.
The Netify FWA rules are configured in the /etc/netify-fwa/netify-fwa.json file. The adjacent rules are used in the examples provided later in this document:
Example: /etc/netify-fwa/netify-fwa.json
{
    "version": "1.0",
    "rules": [
        {
            "type": "ipset",
            "application_category": "streaming-media"
        },
        {
            "type": "mark",
            "protocol": "bittorrent",
            "mark": 3
        },
        {
            "type": "block",
            "application": "netify.facebook"
        }
    ]
}
Quick translation:
- Rule #1 - ipset: All streaming media detections (Netflix, YouTube, Hulu, etc.) are maintained in an IP set
- Rule #2 - mark: All BitTorrent traffic is marked with the specified mark
- Rule #3 - block: All Facebook traffic is blocked
You can find more detailed information about Netify FWA here. For quick reference, you can find the tags (e.g. netify.facebook in the example configuration) used in the detection rules here:
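As an added example (not part of the Netify FWA project itself), a small validator for the rule file above: it checks that each rule has a known type and exactly one match key, and, for ipset and block rules, derives the IPv4/IPv6 set names you should later find with `ipset list`. The naming pattern is an assumption inferred from the sets shown in this guide (NFA4_APP_FACEBOOK, NFA4_APPCAT_STREAMING_MEDIA); the PROTO label for protocol rules is a guess.

```python
import json
import re

# Constructed sample: the rule file shown in this guide (/etc/netify-fwa/netify-fwa.json)
SAMPLE_RULES = """
{
  "version": "1.0",
  "rules": [
    {"type": "ipset", "application_category": "streaming-media"},
    {"type": "mark", "protocol": "bittorrent", "mark": 3},
    {"type": "block", "application": "netify.facebook"}
  ]
}
"""

VALID_TYPES = {"ipset", "mark", "block"}
MATCH_KEYS = ("application", "application_category", "protocol")


def ipset_names(rule):
    """Derive the IPv4/IPv6 set names netify-fwa creates for an ipset or block rule.
    Assumption: pattern inferred from this guide (netify.facebook -> NFA4_APP_FACEBOOK,
    streaming-media -> NFA4_APPCAT_STREAMING_MEDIA); PROTO for protocol rules is a guess.
    """
    if "application" in rule:
        kind, value = "APP", rule["application"].split(".", 1)[-1]
    elif "application_category" in rule:
        kind, value = "APPCAT", rule["application_category"]
    else:
        kind, value = "PROTO", rule["protocol"]
    label = re.sub(r"[^A-Z0-9]", "_", value.upper())
    return [f"NFA{v}_{kind}_{label}" for v in (4, 6)]


def validate_rules(text):
    """Parse a netify-fwa.json document; return (errors, {rule_no: expected set names})."""
    doc = json.loads(text)
    errors, sets = [], {}
    for i, rule in enumerate(doc.get("rules", []), 1):
        if rule.get("type") not in VALID_TYPES:
            errors.append(f"rule #{i}: unknown type {rule.get('type')!r}")
        elif sum(k in rule for k in MATCH_KEYS) != 1:
            errors.append(f"rule #{i}: needs exactly one of {MATCH_KEYS}")
        elif rule["type"] == "mark" and not isinstance(rule.get("mark"), int):
            errors.append(f"rule #{i}: mark rule needs an integer 'mark'")
        elif rule["type"] in ("ipset", "block"):
            sets[i] = ipset_names(rule)  # sets to look for with `ipset list`
    return errors, sets
```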
Running
Now that everything is configured, it’s time to start up netifyd and netify-fwa. Use the following table for details:
Service | Start/Stop | Debug Mode |
---|---|---|
Netifyd | service netifyd start; service netifyd enable | service netifyd stop; netifyd --internal br-lan --external eth1 -d |
Netify FWA | service netify-fwa start; service netify-fwa enable | service netify-fwa stop; netify-fwa -d |
For netifyd debug mode, change the --internal and --external flags to meet your needs. You can specify multiple interfaces, e.g. netifyd --internal br-lan --external eth1 --external eth2 -d
Examples
Blocking: Facebook
The example configuration file specified a block rule for Facebook traffic (see adjacent). If you use the ipset command line tool, you should see two Facebook-related IP set lists (NFA4_APP_FACEBOOK and NFA6_APP_FACEBOOK) when netify-fwa is running - one for IPv4 and the other for IPv6.
You can use a web browser or a mobile app to test Facebook DPI blocking. You will see IP/port information similar to the adjacent example when traffic is flowing through the OpenWrt system. You may also see some Facebook traffic pass through before getting blocked. There are some tricks to speed up the reaction time - please feel free to contact us for details!
# Configuration block from /etc/netify-fwa/netify-fwa.json
{
    "type": "block",
    "application": "netify.facebook"
}
# ipset list
...
Name: NFA4_APP_FACEBOOK
Type: hash:ip,port,ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 1200
Size in memory: 352
References: 2
Number of entries: 2
Members:
45.57.90.1,tcp:443,192.168.1.169 timeout 1195
54.160.93.182,tcp:443,192.168.1.169 timeout 1195
...
Name: NFA6_APP_FACEBOOK
Type: hash:ip,port,ip
...
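To confirm the block is actually in force rather than eyeballing the output, here is an added example (not Netify's own code) that parses `ipset list` output like the one above, checks that the Facebook sets exist and are referenced by a firewall rule, and reports which LAN clients have been seen talking to Facebook servers. The sample output is constructed from the listing shown in this guide.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `ipset list` output shown above (not a live capture)
IPSET_OUTPUT = """\
Name: NFA4_APP_FACEBOOK
Header: family inet hashsize 1024 maxelem 65536 timeout 1200
References: 2
Members:
45.57.90.1,tcp:443,192.168.1.169 timeout 1195
54.160.93.182,tcp:443,192.168.1.169 timeout 1195

Name: NFA6_APP_FACEBOOK
Header: family inet6 hashsize 1024 maxelem 65536 timeout 1200
References: 2
Members:
"""

# One member of a hash:ip,port,ip set: server,proto:port,client timeout N
MEMBER_RE = re.compile(r"^(\S+),(\w+):(\d+),(\S+) timeout (\d+)$")


def parse_ipset_list(text):
    """Parse `ipset list` output into {set_name: {"references": n, "members": [...]}}."""
    sets, cur = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            cur = sets[line[6:].strip()] = {"references": 0, "members": []}
        elif cur is not None and line.startswith("References: "):
            cur["references"] = int(line.split(":", 1)[1])
        elif cur is not None and (m := MEMBER_RE.match(line)):
            server, proto, port, client, ttl = m.groups()
            cur["members"].append((server, proto, int(port), client, int(ttl)))
    return sets


def set_is_enforced(sets, name):
    """True when the set exists and a firewall rule references it (References > 0)."""
    s = sets.get(name)
    return s is not None and s["references"] > 0


def clients_per_set(sets):
    """Map each set name to the sorted LAN client IPs seen in its members."""
    out = defaultdict(set)
    for name, s in sets.items():
        for _, _, _, client, _ in s["members"]:
            out[name].add(client)
    return {k: sorted(v) for k, v in out.items()}
```

On a live router, feed it `subprocess.run(["ipset", "list"], capture_output=True, text=True).stdout` instead of the sample string.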
IP Sets: MultiWAN Routing
OpenWrt multiwan (mwan3) supports the use of IP sets to set routing policies. You can find the mwan3 documentation on the OpenWrt web site - multiWAN on OpenWrt
First, the streaming media application category is configured in the Netify FWA configuration file (/etc/netify-fwa/netify-fwa.json) as shown in the adjacent configuration block.
Next, you can use the mwan3 web-based interface to configure a rule to send all applications in Netify’s media streaming category (Netflix, YouTube, Hulu, etc.) out the second WAN interface (wanb_only). The adjacent configuration block from /etc/config/mwan3 is what it looks like under the hood.
In order to be compatible with OpenWrt's mwan, the IP set will only contain a list of server IP addresses instead of the full 3-part identifier: Client IP - Server IP - Server Port. This behavior can be customized and modified in the OpenWrt driver for Netify FWA.
# Configuration block from /etc/netify-fwa/netify-fwa.json
{
    "type": "ipset",
    "application_category": "streaming-media"
}
# Configuration block from /etc/config/mwan3
config rule 'media_streaming'
    option proto 'all'
    option sticky '1'
    option timeout '300'
    option ipset 'NFA4_APPCAT_STREAMING_MEDIA'
    option use_policy 'wanb_only'
Marks: QoS Engine
Coming Soon.
Network Intelligence: Netify
The last example is a plug for our own solution - Netify Informatics!
There's a 7-day free trial, so go ahead and give it a try. To enable the service:
netifyd --enable-sink
service netifyd restart
netifyd -p
The last command provides the Agent UUID - you will need that ID to provision the system here. You can read about the Features and Benefits on this web site.
Sample Feature: Device Discovery
Netify Informatics automatically identifies and inventories devices on the network
