Whitelisting Specific Domains

Goal

To configure network access such that only certain URLs are available to connected clients; domains not on the white list are blocked.

Setup

This article assumes that the only domains included on a user-defined white list are intended to be accessible.

For this setup, policy-based routes will be set up with two key rules:

  1. Allow traffic out to the internet based on listed domains
  2. Block all remaining outbound traffic

These two rules work together to restrict which destinations are reachable by client devices connected to the router.

NOTE: It is critical that the rules are applied in the exact order outlined above (and described in the sample configuration below) -- the allow rule must precede the deny rule.

This configuration requires firmware version 18.10.225.15 or higher.

Sample

The sample configuration below shows an Accelerated device that can only browse to digi.com. Policy-based routing can also leverage firewall zones, IP addresses or device interfaces to create rules, depending on what is selected as the source/destination type.

Sample Domain Whitelist aView Configuration

  1. Under Network > Routes > Policy-based routing click the Add button to create a new policy. This will house the list of allowed domains.
  2. Enter/confirm the following information for the new policy:
    • Label: a simple description of the rule.
    • Interface: the WAN interface being leveraged for the rule's intended scope (e.g. "modem" for the cellular connection versus "WAN" for the Ethernet ISP).
    • Exclusive: leave checked so that this policy is always enforced for traffic that falls within its scope; if unchecked, traffic is allowed to route out of an alternative interface, *only* if one is available, in the event that the interface specified in the policy goes down.
    • IP version: leave as "any" unless otherwise required for network integration.
    • Protocol: leave as "any" unless otherwise required for network integration.
  3. Expand Network > Routes > Policy-based routing > Destination address.
  4. Set the Type to "Domain" and then expand the Domains menu object.
  5. Click the Add button and enter the URL intended to be white listed. Repeat as needed for additional domains.
  6. Under Network > Routes > Policy-based routing click the Add button once again to create a second policy. This will establish the deny rule for all non-listed domains.
  7. Enter/confirm the following information for the new policy:
    • Label: a simple description of the rule.
    • Interface: select "Loopback" to prevent packets headed for any non-listed domain from reaching the internet.
    • Exclusive: leave checked so that this policy is always enforced for traffic that falls within its scope; if unchecked, traffic is allowed to route out of an alternative interface, *only* if one is available, in the event that the interface specified in the policy goes down.
    • IP version: leave as "any" unless otherwise required for network integration.
    • Protocol: leave as "any" unless otherwise required for network integration.
  8. Expand the Source address entry under the policy created in step #7 and set the Type to "Interface."
  9. Select "LAN" from the Interface pulldown menu.
  10. Expand the Destination address and confirm that Type is set to "Zone" and Zone is set to "Any."
  11. Click Save to finalize the configuration changes.
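
The ordering requirement in the NOTE above can be sanity-checked before saving. The following Python model is an added example, not Digi or Accelerated code: it assumes policies are evaluated first-match in list order and that hostnames are compared exactly, and the policy labels, the "modem" interface choice and the "default-route" fallback are illustrative.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    label: str
    interface: str              # egress interface the policy routes to
    source_interface: str = ""  # "" means any source
    domains: tuple = ()         # () models destination Type "Zone" / Zone "Any"

    def matches(self, src_if, host):
        if self.source_interface and self.source_interface != src_if:
            return False
        # Assumption: exact hostname comparison, case-insensitive, trailing dot ignored.
        return not self.domains or host.lower().rstrip(".") in self.domains

def egress(policies, src_if, host):
    """Return the interface picked by the first matching policy (assumed first-match)."""
    for p in policies:
        if p.matches(src_if, host):
            return p.interface
    return "default-route"  # illustrative fallback when no policy matches

def audit(policies):
    """Report domain policies placed after a catch-all policy, which then wins first."""
    problems, catch_all = [], None
    for p in policies:
        if catch_all and p.domains:
            problems.append(f"{p.label} is shadowed by {catch_all}")
        if not p.domains and catch_all is None:
            catch_all = p.label
    return problems

# The two policies from the sample: allow digi.com out the WAN side,
# send all other LAN traffic to Loopback.
ALLOW = Policy("allow-listed-domains", "modem", domains=("digi.com",))
DENY = Policy("deny-everything-else", "loopback", source_interface="LAN")

if __name__ == "__main__":
    for name, order in (("documented", [ALLOW, DENY]), ("reversed", [DENY, ALLOW])):
        routes = {h: egress(order, "LAN", h) for h in ("digi.com", "example.org")}
        print(name, routes, audit(order))
```

In the reversed order the catch-all deny policy matches LAN traffic first, so even digi.com is sent to Loopback.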