This document is intended to assist a field engineer with configuring a Series 3 CradlePoint router with multiple content filtering instances for different VLANs.
Enabling multiple content filtering instances allows the CradlePoint to filter unencrypted content based on IP addresses or URLs only, on each VLAN independently. For the ability to do broad category-based content filtering, please consult the following articles:
Rule Priority – used to determine the order in which rules are evaluated. Higher priority rules (bigger numbers) are evaluated first, and the first rule to match has its assigned action taken. Exceptions to existing rules can be created by adding another rule with a higher priority. For example, if access to maps.google.com is desired but google.com is blocked with a priority of 50, adding an allow rule for maps.google.com with a priority of 51 or greater will allow access.
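The evaluation order described above, together with the per-network default action covered in the steps below, can be modelled offline to check a planned rule set before entering it. This is an added example, not CradlePoint code. The matching behaviour (a domain rule also covers its subdomains, CIDR containment for IP rules, ties keeping entry order), the subnets and every priority other than 50 and 51 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    network: str    # assigned network, e.g. "Green_VLAN"
    target: str     # domain, IP address or CIDR subnet
    action: str     # "allow" or "block"
    priority: int   # 1-100, bigger numbers are evaluated first

def _matches(target: str, dest: str) -> bool:
    """Assumed matching: CIDR containment for IPs, label suffix for domains."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        net = None
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None
    if net is not None and addr is not None:
        return addr.version == net.version and addr in net
    if net is None and addr is None:
        t, d = target.lower().rstrip("."), dest.lower().rstrip(".")
        return d == t or d.endswith("." + t)
    return False  # IP rule vs. hostname (or the reverse) never matches here

def decide(rules, defaults, network, dest):
    """Return the action for dest on network: highest-priority match wins."""
    scoped = [r for r in rules if r.network == network]
    for rule in sorted(scoped, key=lambda r: r.priority, reverse=True):
        if _matches(rule.target, dest):
            return rule.action
    return defaults.get(network, "allow")  # per the article, default is Allow Access

# Constructed rule set modelled on the article's examples.
RULES = [
    Rule("Red_VLAN", "www.examplexxxwebsite.com", "block", 50),
    Rule("Red_VLAN", "google.com", "block", 50),
    Rule("Red_VLAN", "maps.google.com", "allow", 51),
    Rule("Green_VLAN", "maps.google.com", "allow", 50),
    Rule("PC", "10.0.0.0/8", "block", 50),     # constructed subnet
    Rule("PC", "10.20.0.0/16", "allow", 60),   # constructed higher-priority exception
]
DEFAULTS = {"Green_VLAN": "block"}  # Green_VLAN default changed to Block Access
```

Calling `decide(RULES, DEFAULTS, "Red_VLAN", "maps.google.com")` returns `"allow"`, while the same rule set returns `"block"` for `www.google.com` on Red_VLAN and for any destination on Green_VLAN other than maps.google.com.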
One of the following CradlePoint models: AER 2100, MBR1400v2, MBR1400, IBR600, IBR650, CBR400 & CBR450
5.0.0 (4.3.2 for CBR400 & 450) or later
These directions will assist you with configuring multiple content filtering instances on separate VLANs.
The content filtering examples in this document assume that your VLANs are configured as shown.
The IP networks in the examples are as follows:
Management 192.168.0.0/24 (VLAN1)
PC 192.168.5.0/24 (VLAN5)
Red_VLAN 192.168.50.0/24 (VLAN50)
Green_VLAN 192.168.60.0/24 (VLAN60)
These directions demonstrate how each IP network may be configured with its own content filtering settings to allow or prevent access to designated URLs or IP addresses.
- Verify that your VLANs have been configured (click here for our article on setting up VLANs), and any WAN/LAN Affinity rules have been configured (click here for our article on setting up WAN Affinity).
- If not already connected, log into the CradlePoint’s Administrative Pages (click here for instructions on accessing the Administrative Pages).
- Click on Network Settings > Content Filtering.
- The “Default Filter Settings” are configured by default to allow access to all URLs and IP addresses.
- Under “Network WebFilter Rules”, click Add to create a new rule.
- In the “Domain / URL Filter Rule Editor” page, set the “Assigned Network” to the LAN to which you would like the rule to apply.
- In the “Domain/URL/IP” field, type the URL or IP Address that you would like to create a rule for.
- Set the “Filter Action” to “Block” or “Allow”, depending on the purpose of your rule.
- Set the “Rule Priority” to a value between 1 & 100. Rules with a higher priority take precedence over rules with lower priority.
- This example shows how to create a rule on the “Red_VLAN” to block all traffic intended for the URL www.examplexxxwebsite.com.
- Click Submit to add the new rule. You will now see the new rule in the “Network WebFilter Rules” section for the network to which the rule is assigned.
- The default behavior for each network filter is to “Allow Access” to all URLs. To change the default behavior for a network, go to “Default Network Settings”, select the network, click Edit, and change the “Default Action” to Block Access.
- This example shows how to change the default behavior of Green_VLAN to “Block Access”.
- Note that the “Default Action” is now displayed as “Block Access” for Green_VLAN. This change prevents access to any URLs that are not specifically allowed in a “Network WebFilter Rule”.
- Repeat steps 6, 7, & 8 for each rule.
Rules may be configured to block or to allow IP addresses or URLs for each network.
This example will allow Green_VLAN access to the URL “maps.google.com”.
This example will block all access to the subnet 126.96.36.199/8 for the “Workstations” network:
This example uses a higher rule priority to allow all access to the subnet 188.8.131.52/16 for the “Workstations” network:
After making the changes shown in the examples above, the “Network WebFilter Rules” page should look like this: