EdgeRouter - How to Create a Firewall Rule Using DPI


Readers will learn how to use the Deep Packet Inspection (DPI) engine to block specific websites based on categories or applications.

Applicable to the latest EdgeOS firmware on all EdgeRouter models. Please see the Related Articles below for more information.
Device used in this article:

Creating a Firewall Rule using DPI


ATTENTION: The Top-Site categories are no longer supported and will be removed as options in a future firmware release. However, the apps (sites) previously associated with these categories are still available and can be grouped under another category. You can use the sudo /usr/sbin/ubnt-dpi-util search-app command at the bottom of this article to search for a specific app and block it.

There are several Deep Packet Inspection (DPI) application categories built into EdgeOS that can be matched on using firewall policies. Examples are the Streaming-Media and Social-Network categories, each of which has its own list of apps (websites). You can choose to block the entire category, and thus all apps contained within it, or create a custom category that includes several websites.


Using DPI firewall policies to prevent hosts on the LAN from accessing certain websites.

Follow the steps below to create a firewall rule using DPI:

GUI: Access the EdgeRouter Web UI.

1. Enable the DPI feature by navigating to the Traffic Analysis tab.

Traffic Analysis > Operational Status > Enable

2. Navigate to the Firewall/NAT tab to create a new firewall policy.

3. In this example, the Social-Network category is blocked using a custom firewall policy.

Firewall/NAT > Firewall Policies > Add Ruleset

Name: DPI
Default Action: Accept

4. Add a new rule to the newly created firewall policy.

Firewall/NAT > Firewall Policies > DPI > Actions > Edit Ruleset > + Add New Rule

Description: Drop Social-Network
Enable: Checked
Action: Drop
Protocol: All Protocols
Advanced > Application: Social-Network

5. Attach the firewall policy to the eth1 LAN interface in the inbound (in) direction.

Firewall/NAT > Firewall Policies > DPI > Actions > Interfaces

Interface: eth1
Direction: in

It is also possible to match on a custom category. To do this, first create the custom category in the Traffic Analysis > Add Category section. Note, however, that only built-in applications can be matched. Use the commands below to view all the apps that are included under a certain category, or to search for a specific website (app) name:

sudo /usr/sbin/ubnt-dpi-util show-cat-apps <category-name>
sudo /usr/sbin/ubnt-dpi-util search-app <website-name>

The above configuration can also be set using the CLI:

CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

set system traffic-analysis dpi enable
set system traffic-analysis export enable

set firewall name DPI default-action accept
set firewall name DPI rule 10 application category Social-Network
set firewall name DPI rule 10 action drop

set interfaces ethernet eth1 firewall in name DPI

commit; save

Related Articles


EdgeRouter - Beginners Guide to EdgeRouter

EdgeRouter - Deep Packet Inspection Engine

EdgeRouter - How to Create a WAN Firewall Rule

EdgeRouter - How to Create a Guest/LAN Firewall Rule

Intro to Networking - How to Establish a Connection Using SSH
