This application note describes how to configure a Vigor2760n router so that guest Wi-Fi users can access only specified HTTP and HTTPS web sites. This is done by combining the URL filter and the DNS filter in a firewall rule.
Note that for users of Android tablets and iPads, additional keywords are required in the keyword objects used by the URL filter profile.
We have two VLANs configured on the Vigor2760n and have restricted guest Wi-Fi access through SSID 2. The firewall rules need to be applied to SSID 2, which uses IP subnet 192.168.2.0.
Step 1: Create Required LAN and Wi-Fi Networks
Ensure that VLANs and SSIDs are configured as shown below:
Step 2: Create Keyword Objects
Go to Objects Setting >> Keyword Object, click on an Index number to edit.
- Enter profile Name
- In Contents, enter a keyword from the URL of the web site you would like to pass.
For our example we need the keywords jw.org, akamaid and akamai, since the required web sites need to access these sites.
Note: Android and iOS devices check Wi-Fi connectivity by sending a DNS query to connectivitycheck.gstatic.com and captive.apple.com, so we need to create additional keyword objects: connectivitycheck.gstatic.com and captive.apple.com. Otherwise there will be issues accessing the web sites.
Click OK to save.
Step 3: Create URL Filter
Create a URL Filter to pass web sites whose URL contains the keyword:
Go to CSM >> URL Content Filter Profile, click on a profile Index to edit.
- Enter Profile Name.
- Set Priority to Either: URL Access Control First
- Enable URL Access Control.
- Set URL Access Control Action to Pass.
- Click Edit and, in the pop-up window, select the Keyword Objects of the URL you would like to pass.
- Click OK to save the profile.
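The pass rule above lets through any URL that contains one of the keywords. The following added example (not DrayTek code and not part of the original note) models that as a case-insensitive substring test on the hostname, which is an assumption about how the router matches, and flags hostnames that pass only because a keyword appears somewhere in the name rather than as the site's own domain. The sample hostnames are constructed.

```python
# Added example: models the "URL contains keyword" pass rule described above.
# Assumption: matching is a case-insensitive substring test on the hostname.

KEYWORDS = ["jw.org", "akamaid", "akamai",
            "connectivitycheck.gstatic.com", "captive.apple.com"]  # from the note

# Constructed sample of hostnames a guest device might request.
SAMPLE_HOSTS = [
    "www.jw.org",
    "connectivitycheck.gstatic.com",
    "captive.apple.com",
    "a1234.dscb.akamai.net",   # constructed CDN-style name
    "jw.org.example.net",      # constructed: keyword appears mid-name
    "www.example.com",
]


def matched_keyword(host, keywords=KEYWORDS):
    """Return the first keyword contained in host, or None (rule would block)."""
    h = host.lower().rstrip(".")
    return next((k for k in keywords if k.lower() in h), None)


def is_domain_match(host, keyword):
    """True when host equals the keyword or is a subdomain of it."""
    h = host.lower().rstrip(".")
    k = keyword.lower()
    return h == k or h.endswith("." + k)


def audit(hosts, keywords=KEYWORDS):
    """Classify each host as 'pass', 'pass-review' (substring only) or 'block'."""
    result = {}
    for host in hosts:
        kw = matched_keyword(host, keywords)
        if kw is None:
            result[host] = "block"
        elif is_domain_match(host, kw):
            result[host] = "pass"
        else:
            result[host] = "pass-review"
    return result


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_HOSTS).items():
        print(f"{verdict:12} {host}")
```

Hostnames marked pass-review are admitted by substring only, which shows how wide a bare keyword such as akamai is before the profile is applied to the guest subnet.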
Step 3: Create DNS Filter profile
Go to CSM >> DNS Filter Profile, click on a profile number to edit.
- Enter Profile Name.
- Set UCF (URL Content Filter) to the profile created in Step 3 (URL_Allow)
- Click OK to save.
Step 4: Apply the URL Filter to Firewall Filter Rule
Go to Firewall >> Filter Setup >> Data Filter Set (Set 2), click on a Filter Rule Index to edit.
- Enable this Filter Rule
- Set Direction as “LAN/RT/VPN->WAN”
- For Source IP we specify the IP subnet for the guest Wi-Fi LAN (192.168.2.0 subnet)
- Set Filter Action to Pass Immediately.
- Set URL Content Filter to the profile created in Step 2 (URL_Allow)
- Set DNS Filter to the profile created in step 3 (DNS_allow).
- Click OK to apply.
Step 5: Testing
From a PC or tablet PC, test connectivity over the guest Wi-Fi network.
You should see a block message similar to that shown below: