Block a single website using Unifi Security Gateway?

[mraikes]

Seems like this should be simple, but I'm just not figuring it out.

I'm accessing a Unifi Security Gateway (with two ubiquiti APs connected to it), and I need to block a single website (both http & https). This is for guest wifi access where a certain customer survey website must be blocked because there is a heavy penalty for each and every customer survey that originates from "our" ip address.

This is the first time I've worked with Unifi or Ubiquiti and I'm just not finding it very easy to do.

Can someone familiar with these devices tell me in relatively basic steps how to block a website? Is it even possible?

 

[fencepost]

Assuming it's hosted with a single IP and doesn't float around, could you grab that IP and kill all connections from the guest network to 80 or 443 on that IP? I don't know how fine-grained the firewall configuration options are on the Unifi systems.

A second option, assuming there's a single static IP is that there's probably a second static IP available that's the carrier gateway itself. You may be able to tweak things so that the "guest" traffic goes out that separate IP.

Finally, I'd suggest asking support at the survey company to add a feature allowing your client to block access to filling the survey from the client's IP. This would avoid the problem with blocking, namely that the website would simply appear to not work at all for anyone using it from inside the office. The survey company could have a message along the lines of "Thanks for your enthusiasm! To ensure that we get good survey results we don't allow people still at our customer's offices to fill out surveys. Please come back to and fill out the survey after you've left our customer's offices."

 

[mraikes]

Those are good suggestions. The first one is the closest to what I was thinking of, but by URL rather than IP. It's basically what I've been failing to figure out how to do.

The second option won't work because multiple surveys from the same IP (regardless of whose) throws the same red flag and penalties.

The third suggestion would really be the best, simplest and most reasonable . . . but the vendor won't cooperate in that way. Wouldn't it be nice if we could just say "Here's our public IPs, please block or disregard them." But nope.

 

[fencepost]

Hm. In the days before CDNs were so easy it would have been simple. Not sure it'd be quite so simple anymore, if they're through Cloudfront or the like.

This thread may be relevant: https://community.ubnt.com/t5/UniFi-Routing-Switching/Unifi-USG-Content-Filtering/td-p/1441755 - it starts out in 2015 but was still active as of last month.

 

[GTP]

Does the Unifi support blocking by "host" rules? You should be able to block specific IP's as well as IP ranges.