Readers will learn how to utilize the suspend feature that can be enabled from UNMS or manually on the EdgeRouter by using the command line.
NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
Devices and products used in this article:
Table of Contents
- Introduction & Network Diagram
- Suspending Clients from UNMS
- Suspending Clients Manually by Using the CLI
- Related Articles
The EdgeRouter suspend feature allows an administrator to (temporarily) suspend the network services of a client or customer. This feature identifies clients by their IP address and prevents them from accessing the internet or other networks, with the exception of some previously defined network services. The user can then be redirected to a specific web page (for example the UNMS controller), instructing them why their service was suspended. The suspend feature can be enabled from the Ubiquiti Network Management System (UNMS), which applies the configuration to the EdgeRouter that is defined as the Gateway router.
The example network below uses an ER-8-XG as the UNMS Gateway router which will be running the suspend feature. The client in the Client Site is connected to the EdgeRouter through a UFiber GPON network, consisting of an UF-OLT and a UF-Nano ONU. The client is utilizing the 203.0.113.1 IP address which will be suspended on the EdgeRouter. Afterwards, the client will only be able to access the UNMS Cloud portal, which will have further instructions as to why their service was suspended.
Example network where a Client Site (203.0.113.1) is connected to the Internet via a UFiber GPON network and an EdgeRouter Gateway.
Suspending Clients from UNMS
Suspending clients from UNMS is supported if the EdgeRouter is defined as a UNMS Gateway router. Another requirement is that the client that is being suspended connects through the Internet through the Gateway router. Follow the steps below to enable the suspend feature from UNMS:
GUI: Access the UNMS Controller Web Portal.
1. Navigate to the Settings and select the Network tab.
2. Edit the existing UNMS Gateway router or add a new gateway.
3. Enable the suspend feature and optionally add the allowed IP address(es).
Allow suspend: ON
Allow IP addresses: <optional>
NOTE: By default, suspended clients will be able to reach the UNMS server as an exception is created automatically. Other IP addresses that the client is allowed to connect to can optionally be added.
4. Save the changes.
5. Navigate to the Client Sites and edit the client site that needs to be suspended.
6. Enable the suspend feature by expanding the Traffic Shaping and Suspend section.
7. Save the changes.
The suspend configuration can be verified on the Gateway router by accessing the EdgeRouter through the command line. From UNMS:
1. Navigate to the Devices and select the EdgeRouter that is defined as the UNMS Gateway.
2. Select the Terminal tab to open up an SSH session to the device.
3. Log into the device with your credentials.
4. Run the following commands to display the suspend configuration:
ubnt@edgerouter# show service suspend
Suspending Clients Manually by Using the CLI
Configuring the Suspend feature manually from the EdgeRouter command line is supported starting from the v1.10.7 EdgeOS firmware release. Follow the steps below to configure the EdgeRouter to suspend the client that is using the 203.0.113.1 IP address:
CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.
1. Enter configuration mode.
2. Define the domain and IP address that the suspended client is allowed to connect to.
set service suspend allow-domain unmscloud.unmsapp.com
set service suspend allow-ip 198.51.100.1
3. Define the redirection URL.
set service suspend redirect url http://unmscloud.unmsapp.com/crm/suspension/
4. Specify the IP address of the client that should be suspended.
set service suspend user-ip 203.0.113.1
5. Commit the changes and save the configuration.
commit ; save
The EdgeRouter suspend feature is able to provide additional options, allowing you to redirect the client to a specific server that is using a custom port. There is also an option to forward traffic to a web proxy:
ubnt@edgerouter# set service suspend forward-to ? Possible completions: address IP address of the web proxy [REQUIRED] http-port HTTP port of the web proxy https-port HTTPS port of the web proxy 
ubnt@edgerouter# set service suspend redirect ? Possible completions: http-port HTTP port of the redirect server https-port HTTPS port of the redirect server url URL prefix of the captive portal (must end with '/') [REQUIRED]