EdgeRouter - Suspension
Overview
Readers will learn how to utilize the Suspension feature that can be enabled from UNMS or manually on the EdgeRouter by using the command line.
Table of Contents
- Introduction & Network Diagram
- Suspending Clients from UNMS
- Suspending Clients Manually by Using the CLI
- Related Articles
Introduction
The EdgeRouter Suspension feature allows an administrator to (temporarily) suspend the network services of a client or customer. This feature identifies clients by their IP address and prevents them from accessing the internet or other networks, with the exception of some previously defined network services. The user can then be redirected to a specific web page (for example the UNMS controller), instructing them why their service was suspended. The Suspension feature can be enabled from the Ubiquiti Network Management System (UNMS), which applies the configuration to the EdgeRouter that is defined as the UNMS Gateway router.
The example network below uses an ER-8-XG as the UNMS Gateway router which will be running the Suspension feature. The client in the Client Site is connected to the EdgeRouter through a UFiber GPON network, consisting of an UF-OLT-4 and a UF-Instant ONU. The client is utilizing the 203.0.113.1 IP address which will be suspended on the EdgeRouter. Afterwards, the client will only be able to access the UNMS Cloud portal, which will have further instructions as to why their service was suspended.
Example network where a Client Site (203.0.113.1) is connected to the Internet via a UFiber GPON network and an EdgeRouter Gateway.
Suspending Clients from UNMS
Suspending clients from UNMS is supported if the EdgeRouter is defined as a UNMS Gateway router. Another requirement is that the client that is being suspended connects through the Internet through the Gateway router. Follow the steps below to enable the Suspension feature from UNMS:
1. Navigate to the Settings section and select the Network tab.
2. Edit the existing UNMS Gateway router or add a new gateway.
3. Enable the Suspension feature and optionally add the allowed IP address(es).
Allow suspend: ON
Allow IP addresses: <optional>
4. Save the changes.
5. For existing clients, navigate to the Client Sites section and select the service plan that is listed in the CRM Service column.
6. The service plan for the client will show Active by default. Change the option from to to suspend the client.
7. Provide a reason for the suspension and confirm.
The suspend configuration can be verified on the Gateway router by accessing the EdgeRouter through the command line. From UNMS:
1. Navigate to the Devices and select the EdgeRouter that is defined as the UNMS Gateway.
2. Select the Terminal tab to open up an SSH session to the device.
3. Log into the device with your credentials.
4. Run the following commands to display the suspend configuration:
ubnt@EdgeRouter:~$ configure
[edit]
ubnt@EdgeRouter# show service suspend
allow-domain unmscloud.unmsapp.com allow-ip 198.51.100.1 redirect { url http://unmscloud.unmsapp.com/crm/suspension/ }
Suspending Clients Manually by Using the CLI
Follow the steps below to configure the EdgeRouter to suspend the client that is using the 203.0.113.1 IP address:
1. Enter configuration mode.
configure
2. Define the domain and IP address that the suspended client is allowed to connect to.
set service suspend allow-domain unmscloud.unmsapp.com
set service suspend allow-ip 198.51.100.1
3. Define the redirection URL.
set service suspend redirect url http://unmscloud.unmsapp.com/crm/suspension/
4. Specify the IP address of the client that should be suspended.
set service suspend user-ip 203.0.113.1
5. Commit the changes and save the configuration.
commit ; save
The EdgeRouter suspend feature is able to provide additional options, allowing you to redirect the client to a specific server that is using a custom port. There is also an option to forward traffic to a web proxy:
[edit]
ubnt@EdgeRouter# set service suspend forward-to ? Possible completions: address IP address of the web proxy [REQUIRED] http-port HTTP port of the web proxy https-port HTTPS port of the web proxy [edit]
ubnt@EdgeRouter# set service suspend redirect ? Possible completions: http-port HTTP port of the redirect server https-port HTTPS port of the redirect server url URL prefix of the captive portal (must end with '/') [REQUIRED]
Related Articles
UNMS v1 - Suspension and Traffic Shaping