ER8411 and new DPI Functionality - Unclear on how this is configured for block vs QOS
I have the DPI enabled on an ER8411 and setup a rule, filter and assigned networks to the "restrictions" list. I have a question: When setting up the rule there is only an option of "qos" or leaving that box blank (which then shows as 'disabled'). If I do not check the qos box does that mean "block"? I don't want qos, I want to block those sites/applications - I did set a time frame to cover all day every day and I use that. The documentation is a little fuzzy on how this actually works.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Thanks for posting in our business forum.
Would be clear if you can offer a picture of the config.
- Copy Link
- Report Inappropriate Content
Here is the rules management page configuration (NOTE: QoS is NOT enabled, which I HOPE means block)
Here is the application filter setup:
Here is the main DPI configuration (which is limited to about 10 networks and is not nearly enough, I have 25 very small networks based on PPSK):
Is this a proper setup to block the "torrents" I defined above? I assume this just blocks the websites associated with each application and isn't looking deep to the torrent packets like IPS/IDS could do.
Thanks!
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
OrangeStreet wrote
Here is the rules management page configuration (NOTE: QoS is NOT enabled, which I HOPE means block)
Here is the application filter setup:
Here is the main DPI configuration (which is limited to about 10 networks and is not nearly enough, I have 25 very small networks based on PPSK):
Literal meaning. QoS is QoS. It does not mean block.
Have you tried to use VLAN Type = Multiple?
OrangeStreet wrote
Is this a proper setup to block the "torrents" I defined above? I assume this just blocks the websites associated with each application and isn't looking deep to the torrent packets like IPS/IDS could do.
Thanks!
IPS+DPI = the full block we can offer for you. If you say that there are sessions that are missed by the router, at least you should provide some further details to prove that.
How long have you been using the IPS+DPI to filter the P2P?
You said someone reached you about the copyright, did it happen before enabling the DPI+IPS or after? Wireshark, any luck in finding out this session or locating what LAN?
- Copy Link
- Report Inappropriate Content
Thank you very much for being patient with me, I don't mean to be difficult :) - I'm simply trying to understand how to properly configure the system (via Omada controller) as the instructions are not clear to me. Is there documentation that thoroughly explains how DPI is supposed to be setup and works other than the very limited help details in the controller? I'm happy to research via documentation myself and figure it out but I need help - I like to know how something is supposed to work and not fumble around trying x,y,z on a live network.
If I am understanding you correctly my setup with DPI will not block since IPS is not currently available for the ER8411 but should be coming in the future. This leaves enabling QoS and throttling it down to nearly nothing as a potential option for now. Correct or no?
Your question: How long have you been using the IPS+DPI to filter the P2P?
Answer: IPS is not available for me and I have been using DPI for less than a week after the DCMA notice arrived. Since I setup DPI I have not seen anything in the application analytics logs to indicate that P2P has been used so wireshark won't help.
Here is a screenshot of the HELP file in the controller, can you explain what "block" means in this context - this is the DPI help information:
Regarding the vlan type=multiple:
I don't believe VLAN type=multiple will work for me. I want each VLAN to have it's own DHCP range where I can restrict the number of available IPs to a small number (5 in my case) so I can limit the number of devices any single apartment uses - this also keeps them from sharing their PPSK password and allowing other residents to have free wireless since I charge for that. In addition using unique DHCP ranges per VLAN lets me easily see which apartment has connections as I number the VLAN to match the apartment number (Apartment 25 uses DHCP 10.125.10.X where the second octet reflects the apartment number. This makes it easy to identify things. All of that being said restricting this to such a small number doesn't allow me to apply application control across all of my networks/vlans.
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
OrangeStreet wrote
Thank you very much for being patient with me, I don't mean to be difficult :) - I'm simply trying to understand how to properly configure the system (via Omada controller) as the instructions are not clear to me. Is there documentation that thoroughly explains how DPI is supposed to be setup and works other than the very limited help details in the controller? I'm happy to research via documentation myself and figure it out but I need help - I like to know how something is supposed to work and not fumble around trying x,y,z on a live network.
Controller V5.13 User Guide has not been released yet. So, there is no config guide for DPI. But based on your settings, it seems to be correct.
OrangeStreet wrote
If I am understanding you correctly my setup with DPI will not block since IPS is not currently available for the ER8411 but should be coming in the future. This leaves enabling QoS and throttling it down to nearly nothing as a potential option for now. Correct or no?
IPS+DPI would altogether offer the overall protection we have. Now, you only have DPI, so it is limited to DPI protection. There are two separate databases for the two features.
QoS is not ideal for blocking that. It is not pattern recognition. Not very ideal for such a P2P block. But if you can set up QoS to identify the P2P, and give very small portion of speed to throttle it down to a little speed, this might be a workaround.
I have not set up P2P on my test computer. Since the test computer belongs to the company and it is installed with the anti-virus, the last time I downloaded P2P software it seemed to kill (or maybe uninstall it) when it finished the installation.
So, my environment might be hard to replicate the P2P. However, I have confirmed with the senior engineer that the two features released DPI and IPS would effectively work. The database is synced when its firmware is released.
OrangeStreet wrote
Answer: IPS is not available for me and I have been using DPI for less than a week after the DCMA notice arrived. Since I setup DPI I have not seen anything in the application analytics logs to indicate that P2P has been used so wireshark won't help.
Here is a screenshot of the HELP file in the controller, can you explain what "block" means in this context - this is the DPI help information:
Regarding the vlan type=multiple:
I don't believe VLAN type=multiple will work for me. I want each VLAN to have it's own DHCP range where I can restrict the number of available IPs to a small number (5 in my case) so I can limit the number of devices any single apartment uses - this also keeps them from sharing their PPSK password and allowing other residents to have free wireless since I charge for that. In addition using unique DHCP ranges per VLAN lets me easily see which apartment has connections as I number the VLAN to match the apartment number (Apartment 25 uses DHCP 10.125.10.X where the second octet reflects the apartment number. This makes it easy to identify things. All of that being said restricting this to such a small number doesn't allow me to apply application control across all of my networks/vlans.
If it fits the rules, the system identifies it, it should be blocked. If this cannot be fixed now, I'd suggest you add an extra firewall to offer another layer of protection. Like I explained above, it is based on the database. It is not synced with our server and the database is locally stored on your system. We cannot guarantee 100% protection from any type of P2P. Even with the IPS, it is also established on the database. We still cannot guarantee anything linked to P2P would be correctly identified.
After consulting this with the team, we'd recommend you add an extra firewall which might have an online server to sync and update its rules timely. In this case, I feel like this is a mouse and cat game, when there is a block, there will be a way to work around it.
BTW, you can take a look at the DPI Statistics and see if there is any block. Statistics > Application Analytics
- Copy Link
- Report Inappropriate Content
Thanks for posting in our business forum.
The test team member informed me that the IPS is ETA to be available Jan 2024. (Sorry that I cannot guarantee this. This is internal information and the dev may advance or delay this.)
Dev said that both DPI and IPS can enable P2P to block this and would be effective. For the DPI, you should set a block list of identified P2P apps.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 861
Replies: 6
Voters 0
No one has voted for it yet.