EdgeRouter - How to Create a Firewall Rule Using DPI


Overview


Readers will learn how to use the Deep Packet Inspection (DPI) engine to block specific websites based on categories or applications.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
 
Device used in this article:

Creating a Firewall Rule using DPI



ATTENTION: The Top-Site categories are no longer supported and will be removed as options in a future firmware release.

There are several Deep Packet Inspection (DPI) application categories built into EdgeOS that firewall policies can match on. Examples are the Streaming-Media and Social-Network categories, each of which has its own list of apps (websites). You can block an entire category, and thus every app it contains, or create a custom category that includes several websites.

Topology: DPI firewall policies that prevent hosts on the LAN from accessing certain websites.


Follow the steps below to create a firewall rule using DPI:

GUI: Access the EdgeRouter Web UI.

1. Enable the DPI feature by navigating to the Traffic Analysis tab.

Traffic Analysis > Operational Status > Enable

2. Navigate to the Firewall/NAT tab to create a new firewall policy.

3. In this example, the Social-Network category is blocked using a custom firewall policy.

Firewall/NAT > Firewall Policies > Add Ruleset

Name: DPI
Default Action: Accept

4. Add a new rule to the newly created firewall policy.

Firewall/NAT > Firewall Policies > DPI > Actions > Edit Ruleset > + Add New Rule

Description: Drop Social-Network
Enable: Checked
Protocol: All Protocols
Advanced > Application: Social-Network

5. Attach the firewall policy to the eth1 LAN interface in the inbound/in direction.

Firewall/NAT > Firewall Policies > DPI > Actions > Interfaces

Interface: eth1
Direction: in

It is also possible to match on a custom category. To do this, first create the custom category in the Traffic Analysis > Add Category section. Only built-in applications can be matched, however. Use the commands below to view all the apps included under a certain category, or to search for a specific website (app) name:

sudo /usr/sbin/ubnt-dpi-util show-cat-apps <category-name>
sudo /usr/sbin/ubnt-dpi-util search-app <website-name>

The above configuration can also be set using the CLI:

CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

configure

set system traffic-analysis dpi enable
set system traffic-analysis export enable

set firewall name DPI default-action accept
set firewall name DPI rule 10 application category Social-Network
set firewall name DPI rule 10 action drop

set interfaces ethernet eth1 firewall in name DPI

commit; save
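The two steps most easily skipped in the procedure above are enabling DPI and attaching the ruleset to an interface; without either, the drop rule never fires. The following audit is an added example, not from the article or from EdgeOS: it parses a dump of `set ...` commands (the constructed sample is the page's own CLI lines) and reports a DPI ruleset whose category rule is missing an action, whose DPI engine is not enabled, or which is not attached to any interface. Sub-interface (vif) attachments are not handled.

```python
"""Sanity-check an EdgeOS 'set' command list for a DPI firewall ruleset."""
import re
from typing import Dict, List

# Matches: set firewall name <ruleset> rule <n> action|application category <value>
RULE_RE = re.compile(
    r"^set firewall name (\S+) rule (\d+) (action|application category) (\S+)$")
# Matches: set interfaces <type> <ifname> firewall in|out|local name <ruleset>
ATTACH_RE = re.compile(
    r"^set interfaces \S+ (\S+) firewall (in|out|local) name (\S+)$")

# Constructed sample: the exact CLI lines from the article.
PAGE_COMMANDS = [
    "set system traffic-analysis dpi enable",
    "set system traffic-analysis export enable",
    "set firewall name DPI default-action accept",
    "set firewall name DPI rule 10 application category Social-Network",
    "set firewall name DPI rule 10 action drop",
    "set interfaces ethernet eth1 firewall in name DPI",
]
# Constructed sample with DPI left disabled and the ruleset never attached.
INCOMPLETE_COMMANDS = [c for c in PAGE_COMMANDS
                       if "dpi enable" not in c and "interfaces" not in c]


def audit_dpi_config(commands: List[str]) -> Dict[str, List[str]]:
    """Return {ruleset_name: [problems]}; an empty list means the ruleset is OK."""
    lines = [c.strip() for c in commands]
    dpi_enabled = "set system traffic-analysis dpi enable" in lines
    rules: Dict[str, Dict[str, Dict[str, str]]] = {}   # ruleset -> rule# -> fields
    attached: Dict[str, List[str]] = {}                  # ruleset -> ["eth1/in", ...]
    for line in lines:
        if m := RULE_RE.match(line):
            name, num, key, val = m.groups()
            rules.setdefault(name, {}).setdefault(num, {})[key] = val
        elif m := ATTACH_RE.match(line):
            iface, direction, name = m.groups()
            attached.setdefault(name, []).append(f"{iface}/{direction}")
    report: Dict[str, List[str]] = {}
    for name, by_num in rules.items():
        problems: List[str] = []
        for num, fields in sorted(by_num.items(), key=lambda kv: int(kv[0])):
            if "application category" in fields:
                if not dpi_enabled:
                    problems.append(f"rule {num}: matches a DPI category but DPI is not enabled")
                if "action" not in fields:
                    problems.append(f"rule {num}: no action set")
        if name not in attached:
            problems.append("ruleset is not attached to any interface")
        report[name] = problems
    return report
```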

Related Articles



EdgeRouter - Beginners Guide to EdgeRouter

EdgeRouter - Deep Packet Inspection Engine

Intro to Networking - How to Establish a Connection Using SSH

