Block category of sites (gaming) at certain times on a Ubiquity USG

I’m writing this as a reminder to myself, but it might also help others since it took me quite some time to figure out all the bits and pieces. It uses DPI (Deep Packet Inspection) to classify network traffic and therefor doesn’t work for everything. For example, it didn’t block Minecraft.

How to

Open a terminal and ssh to controller with username and password that you find under USG Settings -> Site

ssh <username>@192.168.1.1

Enter configuration mode

<username>@ubnt:~$ configure

Save the configuration file

<username>@ubnt:~$ save file

Open another terminal and SFTP to controller

sftp <username>@192.168.1.1

Download file

sftp > get /config file

Open file in text editor which can save with unix line endings, for example Notepad++.

Add

name DPI {
    default-action accept
    rule 10 {
        action drop
        application {
            category Games
        }
        time {
            starttime 09:00:00
            stoptime 14:59:59
            weekdays Mon,Tue,Wed,Thu,Fri
        }
    }
}

(mine is in between “name AUTHORIZED_GUESTS” and “name GUEST_IN”)

Upload the configuration file with SFTP

sftp> put file

It gets uploaded to /home/<username>/

In the first terminal, where you are in configuration mode, load your new file

<username>@ubnt:~$ load /home/<username>/file

Try out the settings by committing the change. Committing means that your config is applied until next reboot.

<username>@ubnt:~$ commit

If it works as intended, save the changes.

<username>@ubnt:~$ save

Resources

To view category for a site

<username>@ubnt:~$ sudo /usr/sbin/ubnt-dpi-util search-app amazon

I followed this guide first to create the rule for blocking according to DPI, then downloaded the config, added the time specifications and then uploaded and applied the modified config.
https://help.ui.com/hc/en-us/articles/218732788-EdgeRouter-Create-a-Firewall-Rule-using-Deep-Packet-Inspection-DPI-

Here is where I found someone adding times
https://community.ui.com/questions/Firewall-source-Mac-address-fails-on-commit/f416b90d-8f71-4c43-8fdc-7afcc92889b8#answer/de3f0b91-9d97-4d48-9d30-95bb03510be0

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s