EdgeRouter - Create a Firewall Rule using Deep Packet Inspection (DPI)


Overview


This guide shows how to set up a firewall rule that blocks specific application categories, such as Social Networking, or specific sites, such as Facebook, using the Deep Packet Inspection (DPI) engine in EdgeOS.

NOTES & REQUIREMENTS:
  • This article was written using an EdgeRouter 6P on firmware 1.10.8 and applies to the latest EdgeOS firmware on all EdgeRouter models.
  • For more information about how the EdgeOS DPI engine works, see this article: EdgeMAX - Deep Packet Inspection Engine for EdgeRouter
  • Top-Site categories are no longer supported and will be removed as configuration options in future firmware.

Table of Contents


  1. GUI Steps: How to Create a Firewall Rule using DPI
  2. CLI Steps: How to Create a Firewall Rule using DPI
  3. Commands for Viewing Categories, Sites and Applications
  4. Related Articles

GUI Steps: How to Create a Firewall Rule using DPI



GUI: Access the Graphical User Interface (GUI).

1. Enable DPI. Navigate to Traffic Analysis > Operational Status and enable DPI. Take the following into consideration:

  • Enabled: The Deep Packet Inspection engine actively analyzes and classifies traffic. This mode is required for the application-based firewall rules below to match anything.
  • Hosts Only: Per-host bandwidth is collected without using DPI, so traffic is not classified by application and application-based rules will not match.

2. Create Firewall Ruleset with Rules. The DPI engine classifies traffic into application categories such as Social-Network or Streaming-Media, and these classifications can be matched in firewall rules by following these steps:

NOTE: The following configuration is an example. Please use your own data that applies to your deployment.

2.1 Go to Firewall/NAT > Firewall Policies > Add Ruleset. Name the ruleset and add a description that makes its purpose easy to identify for any current or future admin. Select the default action you wish this ruleset to perform and click Save. With a default action of Accept, only traffic matched by the drop rules below is blocked; everything else passes.

Name: DropSites
Description: Drop Sites based on DPI Application
Default Action: Accept

2.2 Go to Firewall/NAT > Firewall Policies > DropSites > Actions > Edit Ruleset > Add New Rule > Basic and make the appropriate selections. For this example, the Action selected will be Drop, and the protocol will be set to All protocols.

Description: Drop DPI Social-Network
Enable: Checked
Protocol: All Protocols

2.3 Go to Firewall/NAT > Firewall Policies > DropSites > Actions > Edit Ruleset > Add New Rule > Advanced and select what application this should apply to. In this example Social-Network is selected.

Application: Social-Network

3. Configure Custom Category. A specific site can be blocked by creating a custom category that contains that application and applying it to a rule in the ruleset. For example:

3.1 Go to Traffic Analysis > Add Category to create a new category. Name it and add the Apps that will be part of this custom category. Only one category or custom category can be applied to each rule, so apply the custom category to a rule of its own (a second rule created as in steps 2.2 and 2.3) rather than to the rule that already matches Social-Network.

Category: Drop_FB
Apps: Facebook

4. Apply Ruleset to LAN Interface.

4.1 Go to Firewall/NAT > Firewall Policies > DropSites > Actions > Interfaces and select the interface and the direction in which it will apply. You may add more interfaces at this time. With direction "in" on the LAN interface, the ruleset is evaluated on packets entering the router from the LAN, that is, on traffic from LAN hosts toward the Internet.

Interface: eth1
Direction: in

NOTE: The DPI engine classifies a connection from its first packets, so the very beginning of a new flow may pass before the classification is known. Treat DPI-based rules as a policy control, not as a replacement for rules that match on address and port.

CLI Steps: How to Create a Firewall Rule using DPI



CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or with an SSH client such as PuTTY.

1. Enable DPI.

set system traffic-analysis dpi enable
set system traffic-analysis export enable

2. Create Firewall Ruleset with Rules.

set firewall name DROP_SITES default-action accept
set firewall name DROP_SITES rule 10 application category Social-Network
set firewall name DROP_SITES rule 10 action drop

3. Configure Custom Category. Only one category or custom-category can be applied to a rule, so the custom category gets its own rule (rule 20 here) instead of being added to rule 10, which already matches Social-Network. Commit the custom category first so that the rule can reference it.

set system traffic-analysis custom-category DROP_FB name Facebook
commit
set firewall name DROP_SITES rule 20 application custom-category DROP_FB
set firewall name DROP_SITES rule 20 action drop
commit

4. Apply Ruleset to Interface

set interfaces ethernet eth1 firewall in name DROP_SITES
commit; save; exit
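The GUI and CLI steps above are the same procedure. As an added example that is not part of the original article or of EdgeOS itself, the following POSIX shell script assembles that procedure into a reviewable list of set commands, one drop rule per category, with a second rule for the custom category. It assumes the ruleset name DROP_SITES, interface eth1 and custom-category name DROP_FB used in this article; the function names and the category whitelist (copied from the category list shown later in this article) are the example's own.

```shell
#!/bin/sh
# Added example (not from the Ubiquiti article): build the EdgeOS
# configuration commands for a DPI-based drop ruleset as a script, so the
# commands can be reviewed before they are pasted into the CLI.
# Only command syntax shown in the article is emitted. The ruleset name,
# interface, rule numbers and category list are inputs chosen by the caller.

# Categories as listed by `set firewall name ... application category ?`
# on the article's firmware (1.10.8). Used here only to reject typos before
# anything reaches the router; adjust it if your router lists a different set.
KNOWN_CATEGORIES="Business Bypass-Proxies-and-Tunnels File-Transfer Games
Instant-Messaging Mail-and-Collaboration P2P Remote-Access-Terminals
Security-Update Social-Network Stock-Market Streaming-Media Voice-over-IP
Web Web-IM"

# is_known_category NAME: returns 0 if NAME is a known DPI category.
is_known_category() {
    for c in $KNOWN_CATEGORIES; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# gen_category_rules RULESET FIRST_RULE CATEGORY...
# Emits one drop rule per category, numbered FIRST_RULE, FIRST_RULE+10, ...
# A rule can carry only one category or custom-category, so categories are
# never combined in a single rule. Returns 1 on an unknown category name.
gen_category_rules() {
    ruleset=$1; n=$2; shift 2
    for cat in "$@"; do
        if ! is_known_category "$cat"; then
            echo "gen_category_rules: unknown DPI category '$cat'" >&2
            return 1
        fi
        echo "set firewall name $ruleset rule $n description \"Drop DPI $cat\""
        echo "set firewall name $ruleset rule $n action drop"
        echo "set firewall name $ruleset rule $n application category $cat"
        n=$((n + 10))
    done
}

# gen_custom_category_rule RULESET RULE CUSTOM_NAME APP...
# Defines a custom category holding the given applications, commits it so the
# rule can reference it, then emits one drop rule for that custom category.
gen_custom_category_rule() {
    ruleset=$1; n=$2; custom=$3; shift 3
    for app in "$@"; do
        echo "set system traffic-analysis custom-category $custom name $app"
    done
    echo "commit"
    echo "set firewall name $ruleset rule $n description \"Drop DPI custom $custom\""
    echo "set firewall name $ruleset rule $n action drop"
    echo "set firewall name $ruleset rule $n application custom-category $custom"
}

# gen_dpi_policy RULESET IFACE CUSTOM_NAME "APP APP..." CATEGORY...
# Full sequence: enable DPI, create the ruleset, add category rules starting
# at rule 10, add the custom-category rule after them, bind the ruleset to the
# LAN interface in the "in" direction (LAN hosts toward the Internet), then
# commit and save.
gen_dpi_policy() {
    ruleset=$1; iface=$2; custom=$3; apps=$4; shift 4
    echo "set system traffic-analysis dpi enable"
    echo "set system traffic-analysis export enable"
    echo "set firewall name $ruleset default-action accept"
    gen_category_rules "$ruleset" 10 "$@" || return 1
    # next free rule number after the category rules
    next=$((10 + 10 * $#))
    gen_custom_category_rule "$ruleset" "$next" "$custom" $apps
    echo "set interfaces ethernet $iface firewall in name $ruleset"
    echo "commit; save; exit"
}

# Usage with constructed input: two categories plus a Facebook custom category.
gen_dpi_policy DROP_SITES eth1 DROP_FB "Facebook" Social-Network Streaming-Media
```

Paste the script's output into EdgeOS configuration mode. After the commit, the operational-mode command show firewall name DROP_SITES statistics lists per-rule packet and byte counters, which is the quickest way to confirm that the drop rules are actually matching traffic from the LAN.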

Commands for Viewing Categories, Sites and Applications



To view the currently available application categories, type the following in configuration mode and press ? (or Tab repeatedly) to list the options:

set firewall name DROP_SITES rule 10 application category ?

The output will be similar to this:

Business
Bypass-Proxies-and-Tunnels
File-Transfer
Games
Instant-Messaging
Mail-and-Collaboration
P2P
Remote-Access-Terminals
Security-Update
Social-Network
Stock-Market
Streaming-Media
Voice-over-IP
Web
Web-IM

To view all applications listed under a category:

ubnt@ubnt:~$ /usr/sbin/ubnt-dpi-util show-cat-apps Streaming-Media
Applications in category [Streaming-Media]
========================
56.com
6.cn
adnstream
adobe-flash
afreecatv
airplay
amazon-instant-video
amazon-prime-music
apple-music
....

To view which category a specific application is listed under:

ubnt@ubnt:~$ /usr/sbin/ubnt-dpi-util search-app amazon

The output will be similar to this:

Applications            Category
amazon                  Web
amazon-cloudfront       Web
amazon-instant-video    Streaming-Media
amazon-prime-music      Streaming-Media

Related Articles



EdgeRouter - Beginners Guide to EdgeRouter

Intro to Networking - How to Establish a Connection Using SSH

EdgeRouter - Deep Packet Inspection Engine for EdgeRouter

