Ubiquiti USG advice

Rickster

EVGA Fanatic
Joined
Jul 31, 2012
Messages
20,429
Hi all, I would like to get one of these as an add-on for our UniFi PoE switch. Basically I would like to block sites in real time linked to a MAC address, e.g. block 00:FF:BE:04:EE from facebook.com, and with the press of a button I can allow or block them.


There will be a list of 45 clients that I would need to block and allow these sites for. Is the USG capable of this?


Thanks.
 

DrJohnZoidberg

Honorary Master
Joined
Jul 24, 2006
Messages
23,995
No, not currently at least.

A better option might be to just use a DNS filtering service, like OpenDNS, then set that as your DHCP provided DNS server and block any other DNS on your firewall.
 

sajunky

Honorary Master
Joined
Nov 1, 2010
Messages
13,124
In the other approach you would create a VLAN for these 45 clients with a simple firewall rule blocking Facebook for all of them.

How you create the VLAN depends on your LAN hardware. For wired clients you would need to put them all on a managed switch (not UniFi switches - there are dumb ones). For WiFi users it is easy if you use Ubiquiti APs: just put them on the guest network and use a VLAN. The UniFi switch will pass through VLAN IDs to the USG.

Now the biggest work is waiting for you on the USG. In addition to blocking Facebook for the VLAN group, you have to create firewall rules which allow linking the VLANs at the router, so each device can see the others as if they were on a single LAN (I think that is what you want).
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,150
You don't need a guest network to have separate VLANs for separate SSIDs.
 

sajunky

Honorary Master
Joined
Nov 1, 2010
Messages
13,124
You don't need a guest network to have separate VLANs for separate SSIDs.
You are right, I forgot, as I had wired clients in mind. For a WiFi SSID I think you can also do blocking at the AP.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,150
Incidentally, the UniFi switches can do VLANs per port.

 

Rickster

EVGA Fanatic
Joined
Jul 31, 2012
Messages
20,429
I'm not too technical when it comes to layer 3 stuff, so: all 45 clients are wireless and connecting to the UniFi APs.

We have 2 APs that have the same SSID and are on different channels.

Remember, some clients that are connected to this SSID need Facebook access; we would only want to block specific computers.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,150
You can, with a USG, do filtering based on DPI and apply those policies to groups of clients.
 

sajunky

Honorary Master
Joined
Nov 1, 2010
Messages
13,124
I'm not too technical when it comes to layer 3 stuff, so: all 45 clients are wireless and connecting to the UniFi APs.

We have 2 APs that have the same SSID and are on different channels.

Remember, some clients that are connected to this SSID need Facebook access; we would only want to block specific computers.
In that case I would create a new SSID for the clients with the restriction and block access to Facebook on the UAP for this SSID for all of them. Do not create VLANs; both SSIDs will be on the same LAN, so you don't need to make any changes on the router.

I remember it can be done on the UAP, but I don't have access to a UAP at the moment, so I could be wrong.
 

DrJohnZoidberg

Honorary Master
Joined
Jul 24, 2006
Messages
23,995
You can, with a USG, do filtering based on DPI and apply those policies to groups of clients.

Ah yes, you can to a point. I probably should have checked the controller software before commenting earlier, derp.

So, Rickster, you can restrict categories, but I'm not sure if you can restrict at a site level. I don't use a USG so I'm not sure, but looking inside the controller software I can see these options:

 

DrJohnZoidberg

Honorary Master
Joined
Jul 24, 2006
Messages
23,995
I don't think ours has DPI, if I'm not mistaken.

The APs don't, but if you bought a USG it would. I can't see a way to restrict specific devices, only an entire network, although I could be missing some stuff seeing as I don't have a USG connected.
 

access

Honorary Master
Joined
Mar 17, 2009
Messages
13,703
A firewall rule on LAN IN to block traffic to IP addresses on the internet, or as Sinbad said.
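As an added illustration of the LAN IN rule idea above (not code from the thread or from Ubiquiti), this script generates a config.gateway.json fragment with one drop rule per client MAC towards an address-group of blocked destination IPs, with the "allow" state expressed by flipping the rule action. It assumes the USG accepts EdgeOS-style `firewall` config through config.gateway.json, that rules accept `source mac-address` and `destination group address-group`, and that rule numbers from 2001 upward are free; the MACs and IPs are constructed samples.

```python
"""Generate a config.gateway.json fragment: per-MAC LAN_IN rules to an address-group.

Assumptions (not from the thread): EdgeOS-style keys via config.gateway.json,
`source mac-address` matching, and unused rule numbers from 2001. Verify on
your controller version before deploying.
"""
import json
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case a MAC, accept '-' separators, reject anything not 6 octets."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a valid 6-octet MAC address: {mac!r}")
    return m


def build_gateway_config(clients, dest_ips, group="BLOCKED_SITES",
                         ruleset="LAN_IN", first_rule=2001):
    """clients: {mac: blocked(bool)}. Returns the config.gateway.json dict.

    Blocked clients get 'drop'; allowed ones keep their rule but as 'accept',
    so toggling a client is a one-key change rather than renumbering rules.
    """
    rules = {}
    entries = sorted((normalize_mac(m), blocked) for m, blocked in clients.items())
    for i, (mac, blocked) in enumerate(entries):
        rules[str(first_rule + i)] = {
            "action": "drop" if blocked else "accept",
            "description": f"{'block' if blocked else 'allow'} {mac} -> {group}",
            "source": {"mac-address": mac},
            "destination": {"group": {"address-group": group}},
        }
    return {"firewall": {
        "group": {"address-group": {group: {"address": list(dest_ips),
                                            "description": "constructed sample"}}},
        "name": {ruleset: {"rule": rules}},
    }}


if __name__ == "__main__":
    # Constructed sample: one blocked, one allowed client; TEST-NET-3 addresses.
    sample = {"aa:bb:cc:dd:ee:01": True, "AA-BB-CC-DD-EE-02": False}
    print(json.dumps(build_gateway_config(sample, ["203.0.113.10", "203.0.113.11"]), indent=2))
```

Destination IPs for a site like Facebook change constantly, which is why the thread's DNS-filtering and DPI suggestions scale better than a static address-group.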
 