EdgeRouter - How to Create a Firewall Rule Using DPI
Overview
Readers will learn how to use the Deep Packet Inspection (DPI) engine to block specific websites based on categories or applications.
Creating a Firewall Rule using DPI
EdgeOS has several built-in Deep Packet Inspection (DPI) application categories that firewall policies can match on. Examples are the Streaming-Media and Social-Network categories, each of which has its own list of apps (websites). You can block an entire category, and therefore every app it contains, or create a custom category that groups several websites.
This article uses DPI firewall policies to prevent hosts on the LAN from accessing certain websites.
Follow the steps below to create a firewall rule using DPI:
1. Enable the DPI feature by navigating to the Traffic Analysis tab.
Traffic Analysis > Operational Status > Enable
2. Navigate to the Firewall/NAT tab to create a new firewall policy.
3. Create a new ruleset. In this example, the Social-Network category is blocked using a custom firewall policy.
Firewall/NAT > Firewall Policies > Add Ruleset
Name: DPI
Default Action: Accept
4. Add a new rule to the newly created firewall policy. The rule drops all traffic matched to the Social-Network application category.
Firewall/NAT > Firewall Policies > DPI > Actions > Edit Ruleset > + Add New Rule
Description: Drop Social-Network
Enable: Checked
Action: Drop
Protocol: All Protocols
Advanced > Application: Social-Network
5. Attach the firewall policy to the eth1 LAN interface in the inbound (in) direction.
Firewall/NAT > Firewall Policies > DPI > Actions > Interfaces
Interface: eth1
Direction: in
It is also possible to match on a custom category. To do this, first create the custom category in the Traffic Analysis > Add Category section. Note that a custom category can only be built from the applications the DPI engine already knows; it is not possible to match on arbitrary websites. Use the commands below to view all the apps that are included under a certain category, or to search for a specific website (app) name:
sudo /usr/sbin/ubnt-dpi-util show-cat-apps <category-name>
sudo /usr/sbin/ubnt-dpi-util search-app <website-name>
The above configuration can also be set using the CLI:
configure
set system traffic-analysis dpi enable
set system traffic-analysis export enable
set firewall name DPI default-action accept
set firewall name DPI rule 10 application category Social-Network
set firewall name DPI rule 10 action drop
set interfaces ethernet eth1 firewall in name DPI
commit; save
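The CLI above blocks one category. When several categories need to be blocked on the same interface, the same pattern repeats with one rule per category. The following POSIX shell script is an added example, not part of the original article or of EdgeOS: it generates the set commands for any number of categories (rule numbers 10, 20, 30, ...), and, when run on the router itself, optionally confirms each category name is known to the DPI engine before anything is committed. The rule description field and the category check via ubnt-dpi-util output are assumptions; everything else mirrors the commands shown above.

```shell
#!/bin/sh
# Example code added here; not Ubiquiti's own tooling.
# Generate EdgeOS "set" commands for a DPI-blocking ruleset that drops
# several application categories at once.
#
# Usage: gen_dpi_ruleset RULESET INTERFACE CATEGORY...
# Emits one drop rule per category (rule 10, 20, 30, ...), a default
# action of accept, and the inbound attachment to the LAN interface.
gen_dpi_ruleset() {
    name=$1
    iface=$2
    shift 2
    rule=10
    printf 'set system traffic-analysis dpi enable\n'
    printf 'set system traffic-analysis export enable\n'
    printf 'set firewall name %s default-action accept\n' "$name"
    for cat in "$@"; do
        # "description" is assumed to be accepted here as it is for other rules.
        printf 'set firewall name %s rule %d description "Drop %s"\n' "$name" "$rule" "$cat"
        printf 'set firewall name %s rule %d application category %s\n' "$name" "$rule" "$cat"
        printf 'set firewall name %s rule %d action drop\n' "$name" "$rule"
        rule=$((rule + 10))
    done
    printf 'set interfaces ethernet %s firewall in name %s\n' "$iface" "$name"
}

# Number of drop rules a generated ruleset contains (handy for a quick check).
count_rules() {
    gen_dpi_ruleset "$@" | grep -c 'action drop'
}

# Sanity check for use on the router: every category must produce a
# non-empty app list from ubnt-dpi-util, otherwise the commit would create
# a rule that matches nothing. On systems without the utility the check is
# skipped (assumption: an unknown category yields empty output).
check_categories() {
    [ -x /usr/sbin/ubnt-dpi-util ] || return 0
    for cat in "$@"; do
        if [ -z "$(sudo /usr/sbin/ubnt-dpi-util show-cat-apps "$cat" 2>/dev/null)" ]; then
            echo "unknown DPI category: $cat" >&2
            return 1
        fi
    done
}

# When invoked as a script with arguments, print the commands so they can be
# reviewed and then pasted into "configure"; otherwise only define functions.
if [ $# -gt 2 ]; then
    name=$1; iface=$2; shift 2
    check_categories "$@" && gen_dpi_ruleset "$name" "$iface" "$@"
fi
```

Run it as `sh gen_dpi.sh DPI eth1 Social-Network Streaming-Media` to obtain a command list, review it, then paste it between `configure` and `commit; save`. After committing, `show firewall name DPI statistics` (assumed to be available, as on other EdgeOS firewall rulesets) should show packet counters increasing on the drop rules once LAN hosts try to reach the blocked apps; if a counter never moves, re-check that DPI is enabled under Traffic Analysis, since application matching does nothing while the engine is off.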