Series 3: What is the best way to configure a CradlePoint router with multiple content filter instances?

OVERVIEW:

This document is intended to assist a field engineer with configuring a Series 3 CradlePoint router with multiple content filtering instances for different VLANs.

Enabling multiple content filtering instances allows the CradlePoint to filter unencrypted content on each VLAN independently, based on IP addresses or URLs only.  For broad category-based content filtering, please consult the following articles:

Series 3: How to Configure OpenDNS Content Filtering

ZScaler Cloud Based Content Filtering and Security


TERMS:

Rule Priority – determines the order in which rules are evaluated.  Higher priority rules (bigger numbers) are evaluated first, and the first rule to match has its assigned action taken.  Exceptions to existing rules can be created by adding another rule with a higher priority.  For example, if access to maps.google.com is desired but google.com is blocked with a priority of 50, adding an allow rule for maps.google.com with a priority of 51 or greater will allow access.


SYSTEM REQUIREMENTS:

One of the following CradlePoint Models: AER 2100, MBR1400v2, MBR1400, IBR600, IBR650, CBR400 & CB450


FIRMWARE VERSION:

5.0.0 (4.3.2 for CBR400 & 450) or later

CONFIGURATION:

These directions will assist you with configuring multiple content filtering instances on separate VLANs.

The content filtering examples in this document assume that your VLANs are configured as shown.

The IP networks in the examples are as follows:

Management  192.168.0.0/24  (VLAN1)

PC  192.168.5.0/24  (VLAN5)

Red_VLAN  192.168.50.0/24  (VLAN50)

Green_VLAN  192.168.60.0/24  (VLAN60)

These directions demonstrate how each IP network may be configured with its own content filtering settings to allow or prevent access to designated URLs or IP addresses.

  1. Verify that your VLANs have been configured (click here for our article on setting up VLANs), and any WAN/LAN Affinity rules have been configured (click here for our article on setting up WAN Affinity).
  2. If not already connected, log into the CradlePoint’s Administrative Pages (click here for instructions on accessing the Administrative Pages).
  3. Click on Network Settings > Content Filtering.
  4. The “Default Filter Settings” are configured by default to allow access to all URLs and IP addresses.
  5. Under “Network WebFilter Rules”, click Add to create a new rule.
  6. In the “Domain / URL Filter Rule Editor” page, set the “Assigned Network” to the LAN you would like the rule to apply.
  7. In the “Domain/URL/IP” field, type the URL or IP Address that you would like to create a rule for.
  8. Set the “Filter Action” to “Block” or “Allow”, depending on the purpose of your rule.
  9. Set the “Rule Priority” to a value between 1 & 100.  Rules with a higher priority take precedence over rules with lower priority.
    • This example shows how to create a rule on the “Red_VLAN” to block all traffic intended for the URL www.examplexxxwebsite.com.
  10. Click Submit to add the new rule.  You will now see the new rule in the “Network WebFilter Rules” section for the network the rule is assigned.
  11. The default behavior for each network filter is to “Allow Access” to all URLs.  To change the default behavior for a network, go to “Default Network Settings”, select the network, click Edit, and change the “Default Action” to Block Access.
    • This example shows how to change the default behavior of Green_VLAN to “Block Access”.
    • Note that the “Default Action” is now displayed as “Block Access” for Green_VLAN.  This change prevents access to any URLs that are not specifically allowed in a “Network WebFilter Rule”.
  12. Repeat steps 6, 7, & 8 for each rule.

Rules may be configured to block or to allow IP addresses or URLs for each network.

This example will allow Green_VLAN access to the URL “maps.google.com”.

This example will block all access to the subnet 166.0.0.0/8 for the “Workstations” network.

This example uses a higher rule priority to allow all access to the subnet 166.148.0.0/16 for the “Workstations” network.

After making the changes shown in the examples above, the “Network WebFilter Rules” page should list all of these rules.
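
The priority and default-action behavior described in this article can be checked offline before the rules are entered on the router. The following Python sketch is an added example, not CradlePoint code: it evaluates a rule list constructed from the article's examples and reports which rule decides each destination. The Workstations priorities, the placement of the google.com pair on the PC network, and the matching semantics (CIDR containment for IP rules, exact host or subdomain for domain rules) are assumptions, not documented firmware behavior.

```python
import ipaddress

# Constructed rule set mirroring the article's examples. The Workstations
# priorities and the PC network for the google.com pair are assumptions.
RULES = [
    # (network, pattern, action, priority)
    ("Red_VLAN", "www.examplexxxwebsite.com", "block", 50),
    ("Green_VLAN", "maps.google.com", "allow", 50),
    ("Workstations", "166.0.0.0/8", "block", 50),
    ("Workstations", "166.148.0.0/16", "allow", 51),
    ("PC", "google.com", "block", 50),
    ("PC", "maps.google.com", "allow", 51),
]
DEFAULTS = {"Green_VLAN": "block"}  # every other network defaults to allow


def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _matches(pattern, dest):
    """Assumed matching: CIDR containment for IPs, host or subdomain for names."""
    ip = _as_ip(dest)
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        net = None  # pattern is a domain name, not an address or subnet
    if net is not None:
        return ip is not None and ip in net
    if ip is not None:
        return False  # a domain rule never matches a bare IP destination
    pattern, dest = pattern.lower().rstrip("."), dest.lower().rstrip(".")
    return dest == pattern or dest.endswith("." + pattern)


def decide(network, dest, rules=RULES, defaults=DEFAULTS):
    """Return (action, reason): highest-priority matching rule wins, else default."""
    scoped = [r for r in rules if r[0] == network]
    for _, pattern, action, priority in sorted(scoped, key=lambda r: -r[3]):
        if _matches(pattern, dest):
            return action, f"rule {pattern} (priority {priority})"
    return defaults.get(network, "allow"), "default action"
```

Calling `decide("Workstations", "166.148.10.1")` returns the allow rule at priority 51, while `decide("Green_VLAN", "www.google.com")` falls through to the network's "Block Access" default.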

 

