DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Exclude all but 2 websites - challenge!

  • cpcnw
  • Topic Author
  • User
02 Nov 2015 15:16 #1 by cpcnw
Hi All,

I have been asked the following; can you apply rules to a 2830n v2 that will block all websites apart
from 2 specific sites?

I had previously blocked reception from surfing the net by putting an incorrect proxy in the browser.

However I am now told that the two reception staff actually need two sites which are vital to doing
their job.

I suspect that I would need the MAC address of the two machines concerned [although I could set
static IPs] and look at the filters.

If anyone has actually done anything like this, I would appreciate some pointers!

Or are there any online resources [tutorials / step by steps] that would help me?

Thanks!


  • sicon
  • User
02 Nov 2015 15:38 #2 by sicon
You could add the 2 MAC addresses or static IPs to a firewall filter policy that blocks all WAN>LAN traffic for services HTTP and HTTPS, with the source as the 2 machines and the rule as "Block if no further match".
Underneath you then need to create an Allow (pass immediately) rule with the IP addresses of the websites that are allowed for those machines.
DrayTek routers are IP-based, not application-based, firewalls, so this sort of thing is quite messy.
Failing that you need to look into proper web filtering :D


  • cpcnw
  • Topic Author
  • User
03 Nov 2015 07:42 #3 by cpcnw

sicon wrote: Failing that you need to look into proper web filtering :D



Can you make recommendations here?


03 Nov 2015 10:55 #4 by voodle
Replied by voodle on topic Re: Exclude all but 2 websites - challenge!
So, the way I would do it is use the DNS filter:

Make IP objects for the PCs
Make two keyword objects for the sites to be allowed
Make a CSM - URL Content Filter Profile with those two sites set up with an action of Pass (=whitelist)
Make a DNS Filter Profile entry that uses that URL content filter profile

Make a Firewall - Filter Rule entry under #2 Default Data Filter:
Direction: WAN to LAN
Source IP: those two IP objects
Destination IP: Any
Service Type: Any
Action: Pass Immediately (because this links the CSM, not IP filtering so we just pass it here and link the CSM entries in the filter rule)
URL Content Filter: that profile
DNS Filter: that profile

Now with that rule set up, those two IPs will only be allowed to get DNS for those two sites; the router will just give its own IP and a block page for every other DNS lookup :D

Make sure that the PCs are using an internet DNS server or a DNS server other than the router, because of a weird limitation of how the DNS filtering etc. works on the router: if they use the router's IP for DNS, it applies the settings from CSM - DNS Filter Profile - DNS Filter Local Setting instead of what the filter rule does.

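A way to confirm from one of the restricted PCs that the DNS filter setup in post #4 behaves as described (allowed sites resolve normally, everything else comes back as the router's own IP). This is an added example, not part of the thread or any DrayTek tooling; the router address, site names and the two stub resolvers are constructed assumptions so the check runs offline.

```python
import ipaddress
import socket

def resolve(name):
    """Ask the PC's configured DNS server; return the set of IPv4 answers."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)}
    except socket.gaierror:
        return set()  # NXDOMAIN / no answer

def check_whitelist(allowed, probes, router_ip, resolver=resolve):
    """Return (name, problem) findings; an empty list means the filter works."""
    router = str(ipaddress.ip_address(router_ip))  # validates the address
    findings = []
    for name in allowed:
        answers = resolver(name)
        if not answers:
            findings.append((name, "allowed site does not resolve"))
        elif router in answers:
            findings.append((name, "allowed site gets the block page"))
    for name in probes:
        answers = resolver(name)
        # Filtered lookups should come back as the router's own IP only.
        # No answer at all is not a leak, so it is not reported.
        if answers and answers != {router}:
            findings.append((name, "not filtered: " + ", ".join(sorted(answers))))
    return findings

# --- Constructed sample data (assumptions, not from the thread) ---
ROUTER = "192.168.1.1"
ALLOWED = ["site-a.example", "site-b.example"]
PROBES = ["news.example", "video.example"]
REAL = {"site-a.example": {"203.0.113.10"}, "site-b.example": {"203.0.113.20"},
        "news.example": {"198.51.100.5"}, "video.example": {"198.51.100.6"}}

def filtered(name):
    """Stub: answers a PC sees when the DNS Filter profile is applied."""
    return REAL[name] if name in ALLOWED else {ROUTER}

def unfiltered(name):
    """Stub: answers a PC sees when the profile is not being applied."""
    return REAL.get(name, set())

if __name__ == "__main__":
    for label, stub in (("filtered", filtered), ("unfiltered", unfiltered)):
        print(label, check_whitelist(ALLOWED, PROBES, ROUTER, resolver=stub))
    # On a reception PC, drop resolver= to query the real DNS server.
```

Findings against the probe names on a real PC mean the rule's profile is not being applied to that machine's lookups, which is the situation the DNS server caveat in post #4 describes.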

  • sicon
  • User
04 Nov 2015 14:43 #5 by sicon

cpcnw wrote:

sicon wrote: Failing that you need to look into proper web filtering :D



Can you make recommendations here?



Barracuda Networks
