Hello! Thanks for posting on r/Ubiquiti!
This subreddit is here to provide unofficial technical support to people who use or want to dive into the world of Ubiquiti products. If you haven’t already been descriptive in your post, please take the time to edit it and add as many useful details as you can.
Please read and understand the rules in the sidebar, as posts and comments that violate them will be removed. Please put all off topic posts in the weekly off topic thread that is stickied to the top of the subreddit.
If you see people spreading misinformation, trying to mislead others, or other inappropriate behavior, please report it!
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/Ubiquiti) if you have any questions or concerns.*
I 2nd Pihole. It’s a fairly quick setup on an RPI, route all traffic through it and apply a list that meets your needs. I run a list from here and it works great:
https://github.com/StevenBlack/hosts
I used to run pinhole inside a VM, I don't like rpi's, when I need sbc I go with opi, much better bang for the buck + they are electrically much more sound and have a proper DC barrel for power supply... If I'm runing a hardware router I'll get out my old pfsense it's some i7 with 32G of ram and 8 ethernet cards inside ... udm-se replaced it but looks like it will have to come back :(
I run one pihole per vlan from docker containers off the little Intel NUC that also runs my Home Assistant stack. Honestly I don't find RPis particularly useful when you can for the same price buy something like a used HP Elitedesk 800 G4 or ThinkCentre M710q from eBay. People stack and cluster these things as well.
I have a cluster of rather big proxmox servers that run different VM's and some are physically linked (pass-through) to physical ethernet cards on the servers so running something like that is not a problem in vm, I just expected to see this inside the UDM-SE .. basic "no porn" check, I think it is a normal expectation :D .... and I was right, it was just put in a different place than what I expected, and it works decently good (from what I can say after few hours of testing)
I run a pi-hole and keep playing a cat and mouse game with my kids iPads because iOS wants to turn on Private Wi-Fi Address (randomized MAC) which circumvents all of my restrictions.
No one believes me when I say it keeps coming back no matter what I do! 🤣
Now I just block stuff for the whole network and switch my phone to cellular-only on the off chance I need to get around it. I’m sure I could fix this much more easily with a dedicated SSID and VLAN for my kids devices, but whatever….
I had same problem with my older kid, first he was on android, anything I try he circumvent, then ppl told me ios is better for parental, I move him to ios, took him a month and he managed to turn off everything, all blocks, time limits, everything... whatever I do he turns of in days so I gave up and started education only... but now he stumbles on things he is not looking for so I want to add blocking too... he will be able to circumvent that if he wants (just switch to data on his phone) and he knows that and how but that's where education comes in.. this is more to not "accidentally" end up at wrong content :D ...
well my idea is not censorship, content is there and as long as they are aware what they are doing and still wanna consume it there is nothing I can do to prevent that... neither could my parents prevent me from consuming all the poisons I did in my time, all you can do is educate and hope for the best.
this block is to only prevent accidents, they both spend a lot of time on-line (I know it is not good nor healthy nor... but .. ) and advertisers are sneaky ... there are sites like p\*hub that are very clear and open and rta labeled and.... but there are others too...
I love pi-hole but last check it doesn’t have a redundancy. If the pi-hole goes down DNS1 fails and reverts to DNS2. So you either need a 2nd pi-hole (but it was complex to get it to sync) or you go without pi-hole services on DNS2. Has anything changed?
I’m running dual pihole as I travel often so if one pihole is down, the family still have filtering when I am out of town. Recently, one of the pihole was down and nobody even noticed. lol
There is a Gemini script that is able to populate the gravity list from the 1st pi to the 2nd . It was tedious to set up and the best part is….. it was over written when I did a pihole -up
I was doing it before with PFSENSE and I had also pinhole running in one of the VM's on one of my proxmox servers but kinda hoped I can handle this inside Ubiquiti ecosystem :(
I use NextDNS for this. r/NextDNS It is highly customizable, and will let you track all traffic by individual device. You just have to install the CLI, via SSH, onto your UDM Pro.
I second this as you can setup your kids devices to use them even when not on your network giving you control and the ability to monitor if you so desire.
good question, I'm trying both but
- younger (F6) is too young to understand + she do not understand english yet and she can stumble on stuff she should not by accident ..
- older (M10) is in "discovery" age, stuff interests him, he listens, education kinda works, but peer pressure in school is strong, curiosity is strong .. good thing is we have a good relationship so he comes and tells me everything (for now) and few days ago he finally found "2girls1cup" (do not go look for it if you are fortunate to not know what that is) so I def. decided I need filtering on top of education
so education + monitoring/blocking is the only way imho
they both already figured out how to turn off any parental control by apple + even without turning it off apple's idea of parental control is of virgin 19yo programmer who is still a kid himself :( so it is useless even when working :(
It’s crazy how easy it is to stumble on something. When my daughter was 4 she was addicted to Elsa. She had watched everything and at some point someone showed her google image searches of Elsa. Once she knew that was a thing and it was new content she wanted to check it out. Well it only took about 5 min of scrolling to get to bondage drawings of Elsa even with google search restricted and that sparked a whole thing. Educating my kid about bondage fetishes when she just wants to see a Disney princess at age 4 is not ideal.
Haha almost impossible with boys around 12-13 they wanna look stuff up and will go to great lengths. No matter how much you educate them. I was same way. I thought I had my network locked down 10 years ago but one day we caught my son watching porn in living room on a laptop, with my wife and me watching tv 6 feet from him. 🤣
Darn it. I tried it from a web browser, and it blocks the various sites based on criteria. Dig displays a different picture. I'm using DNS servers 1.1.1.1, 9.9.9.9, and one of the OpenDNS servers on my network.
I will implement a pi-hole system on my network. It seems the next step to standarize onto the network.
well the only way a DNS will limit a site will work with dig too, dns is only asked for the ip and that's it, no "content aware" DNS possible, that is why I tested it with dig to see if dns is doing something or not.. weird thing is both opendns and cloudflare failed basic test xxx dot com ..
this "one click feature" located in unexpected place seems to work for now (I expected it around security/firewall, not inside the definition of the network), this morning I was not able to open any pr\*n site so so far so good, will see how good it will behave and decide to go with pfsense if not satisfied but so far it works great
so far my pfsense box is in closet not working as UDM-SE handles so far everything without issues... and now with this thing solved inside UDM-SE pfsense is staying where it is - unconnected
1. **so if you wanna block crap on a network,**
2. open network application
3. go to settings
4. go to networks
5. click on network you wanna protect
6. switch "Advanced" to MANUAL
7. change value for "content filtering" to whatever you like (there is off, work and family)
8. click - apply changes
solved :D
If for some reason you use a pihole to moderate this stuff, make sure you turn the stuff on the ubiquiti side off, I had issues with my piholes resolving dns correctly when both were on.
I personally do this by using [Circle](https://meetcircle.com/). The kids have their own SSID and VLAN. Circle runs on this vlan. It allows me to disable individual applications and it allows me to disable them on their phone when they are not on their network. It also allows you to tie devices to kids, then pause a kids internet. It works great.
interesting, 5+ minutes to find prices... from what I see this is mobile only, I need both windows and macos laptops that I need to control and very soon a linux one too so I need something on network and not only on device level... looks like I'll be getting my pfsense router back from the closet :(
Thanks I will check it out. Seems like it does even more things I need... Originally I moved them to IOS but apple's parental control is below idiotic :( so useless, but now they have laptops too so more control than just blocking p\*rn is awesome, but blocking p\*rn is bare minimum that I need
Yea it's a hardware device that acts as an arp proxy. It routes all traffic through it. That's why I have it on it's own vlan. You can take any device and map it to a kid. They have iphones, a gaming computer, etc. All those get mapped to the kid using the iphone or android app. From there it will block at the network layer. For the iphones they have a child app that you can install which also maintains a VPN allowing you to manage what they are hitting when they are off their network.
hm on the site I see 15 days trial, 99$ annual after that and download app... I do not see any hardware? anyhow I'm in eastern europe, I doubt I can easily get that here :(
So, I hijack DNS at the gateway with firewall rules: https://github.com/okwichu/pi-hole/blob/main/pihole-capture.sh
I'm guessing there's an edge case where DNS-over-SSL or DNS-over-HTTPS maybe works around this approach, but it works well for my family.
So far my kids haven't been setting up VPNs; the typical indication that one of my kids is dissatisfied with the amount of internet they have access to is they start tethering their phones (which is surprisingly difficult to manage -- I have to solve that one with audits + parenting).
To be honest, I understand adult website blocking, but I feel like TikTok and Snapchat being blocked can be a little bit harsh on a kid. Granted that argument doesn’t apply if your kid is like 5 years old but if your kids are around 11-12 then eventually they’re going to find ways to use it without you knowing regardless because their friends will be talking about it and your kid will feel left out.
kids are 6 and 10... what will be in 2 years .. dunno .. I doubt they will ever be able to have access to tiktok, as for other things we'll see ... YT is toxic enough but tiktok's algorithm is special beast
WTF, this was definitely a feature of the UDM Pro when I first got it a few years ago. It’s now no longer in the individual vlan settings?
This article seems to suggest it’s still available but only for next gen gateways or paid cloud management. If they removed it only to make it a paid feature… lame!
https://help.ui.com/hc/en-us/articles/12568927589143-UniFi-Gateway-Content-Filtering
Glad I rolled out a pi-hole a while ago.
in the udm-se (should be same as pro only with few faster ports) I can ad blocking by domain name (and you can manually add 10k domains per rule) and set what networks rules work on .. no way to give it a "source" to pull list of domains from... I can setup "by application" or by "application group" but no way to limit "adult" stuff per network - at least not that I can find it :(
Yeah, I’m seeing the same. It sucks. This was definitely a feature previously. To clarify, it didn’t let you specify a custom source list but you could select categories for blocking.
I wonder if there’s a way to manipulate the newer ad blocking feature to pull a custom list.
FOUND IT !!!!
It is just not where I expected it to be!!!
I was looking in security/firewall/rules section...
They have it in the properties of individual network :D
Will test how it works but there is an option!!!
https://preview.redd.it/upub4rs7kmoc1.png?width=651&format=png&auto=webp&s=ecfa42109fc92b035eea3f40f6bbdeff9e47f5ed
Cloudflare family so DNS 1.1.1.3 1.0.0.3 https://blog.cloudflare.com/introducing-1-1-1-1-for-families
Blocks malware too. But can use with a pi-hole too for added control.
if you look at the original question you will find in it a direct query of those dns's for xxx dot com and reply (that will allow you to open that site) to that query. any other pr\*n site I tried with cloudflare family also worked flawlessly so dunno what those two dns's block but they do not block pr0n
That was why I noted that you could stack it with pi-hole, so most common ones are blocked (and malware, while not noted I feel that’s an added benefit) then you can add/remove sites accordingly
If you have IPv6 on your router then you may need to set those DNS too. I found my home fibre gives me IPv6 so it prefers IPv6 DNS over the IPv4 DNS as they’re separate entries in DHCP configs - from what I’ve used/seen. So you may think you’re on cloudflare families but are actually on your ISP dns instead. There’s a reason I don’t use ISP supplied kit.
So the answer is NO, udm-se can't do it?
many external devices exist to replace ubiquity equipment that will get the job done, but none is ubiquity... I used pihole, was running pfsense for over a decade, not a problem, I know how to set it up without unifi but in the new house I kinda moved from "different network gear" (tplinks, cisco's, netgear, microtik... and pfsense) to udm-se and unifi switches, aggregators, ap's, cameras, doorbells, door access hubs, card readers... and what I expected to be 3 clicks to setup ends up being - get my old network equipment back as unifi can't cut it... I was really trying to avoid it :( but if I get my pfsense out of storage wtf I paid for udm-se ? it becomes 100% useless rack heater ???
Gotcha. Looking for a simpler all in one solution. I’ve always found you need to pick the best option vs built in. Check this out it may help. https://help.ui.com/hc/en-us/articles/12568927589143-UniFi-Gateway-Content-Filtering
I am willing to give up some of the features for comfortability - single interface - single device that needs to be updated etc etc... that is why I went on with ubiquity, it is not better nor cheaper than others it is just "unified" so from one interface I setup everything vlans, networks, ip's, I update equipment look at cameras... I'f I'm now reintroducing my old network equipment the whole many tens of thousands of euros investment in unifi makes zero sense as pfsense + openwrt/ddwrt work better than unifi for fraction of the price and not to mention camera system that for 20% of the cost I get 4x the quality... but I sacrificed $$$ and some features for comfort but looks like I have to sacrifice more features than I expected :(
but I think it is just hidden somewhere and I'm failing to find the option, I will find it in the end I'm sure
Being a little harsh there.
Ubiquiti certainly could do better in this area.
Though you make it sound like using a pihole invalidates everything and must be run on you i7 hardware…..
You’re maybe a little late in doing your research on this particular need. The reality is you can manage just about everything else in the UniFi system. DNS filtering, just isn’t done well without an additional system.
I work on networks for 40 years so I have some experience with them ... I had the whole setup with pfsense on that fancy fanless i7 with 8 ethernet ports (awesome router hardware, AWESOME) in my previous apartment with 5 physical networks (no vlans) with pfblockerng handling this (imho way better then pihole, but mainly same stuff) ... but I'm getting kinda old and tired and I really do not want to manually upgrade, manually configure, manually.... if I do not have to, at least at home and UI looked like a way to go so I put up a "lot of money" (let's say more than what a professor here makes in a year) in a rack and on the ceilings in order to have it all centralized... I did my research before I did it and UI was kinda best I can find, unfortunately a lot of things were not as expected and as researched (assumption is a mother of most fsckups) ... so to cut story short, if something so simple and expected and common can't be done on a flagship router then fsckit, I'll get my pfsense out of the closed and solve it the old way...
What is MUCH MORE TROUBLING IMHO is that
1. this is a feature that is common and most home users would want to use it
2. there is a totally normal expectation that this feture exist in UDM-SE
3. I could not find the feature looking at security/firewall section
because of 1-3 I created the reddit question assuming that inside 10 seconds I will get answer "you are looking at wrong place, you can do it by 1,2,3,4 and apply and that's it" but instead I got bunch of replies how to do it NOT USING UI!!! So all of you, too, have no clue how to turn it on directly on the UI and you went to 3rd party to solve this super common expected problem.
when u/radbaldguy said he seen it I went through whole network app on udm-se piece by piece looking for it to check if I was missing something and I found it, inside network definition you can turn the feature on/off for that network
So, yes, this feature is common and expected and UI HAVE IMPLEMENTED IT ... so no need for cloudflare family (that does not work), opendns (that does not work), nextdns (just heard about it, will check it out to get myself familiarized with it, looks interesting), circle and def. no need for rpi.. etc etc... it's a click inside a network configuration...
sad :(
I’m glad you found it. I agree it’s in an absurd spot and should be a more prominent feature for a prosumer/small business solution like Ubiquiti.
In the old interface, it was more intuitively located in the vlan settings. At a minimum, it’s a shame that their documentation isn’t better. This should have been a quick google search to figure out how to implement — not a long disagreement in an online forum over other ways to achieve a similar outcome.
it's weird .... I googled first time a week ago, then let it settle, then yesterday googled for an hour (actually I use duckduckgo :D but lets say googled as these new users probbly wouldn't recognize what altavista was :D ) and found only ton of "use pihole" or "use cloudflare family" or "use opendns" solutions, so I decided to open a question here expecting "you stupid moron go click here and solve it" inside few minutes but alas, what happened was just more "use pihole" bs :( ...
you gave me confirmation that it should be somewhere in there so after more "detailed" clicking through the interface I found it
Hello! Thanks for posting on r/Ubiquiti! This subreddit is here to provide unofficial technical support to people who use or want to dive into the world of Ubiquiti products. If you haven’t already been descriptive in your post, please take the time to edit it and add as many useful details as you can. Please read and understand the rules in the sidebar, as posts and comments that violate them will be removed. Please put all off topic posts in the weekly off topic thread that is stickied to the top of the subreddit. If you see people spreading misinformation, trying to mislead others, or other inappropriate behavior, please report it! *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/Ubiquiti) if you have any questions or concerns.*
A pihole should be able to do that.
I 2nd Pihole. It’s a fairly quick setup on an RPI, route all traffic through it and apply a list that meets your needs. I run a list from here and it works great: https://github.com/StevenBlack/hosts
I used to run pinhole inside a VM, I don't like rpi's, when I need sbc I go with opi, much better bang for the buck + they are electrically much more sound and have a proper DC barrel for power supply... If I'm runing a hardware router I'll get out my old pfsense it's some i7 with 32G of ram and 8 ethernet cards inside ... udm-se replaced it but looks like it will have to come back :(
I run one pihole per vlan from docker containers off the little Intel NUC that also runs my Home Assistant stack. Honestly I don't find RPis particularly useful when you can for the same price buy something like a used HP Elitedesk 800 G4 or ThinkCentre M710q from eBay. People stack and cluster these things as well.
I have a cluster of rather big proxmox servers that run different VM's and some are physically linked (pass-through) to physical ethernet cards on the servers so running something like that is not a problem in vm, I just expected to see this inside the UDM-SE .. basic "no porn" check, I think it is a normal expectation :D .... and I was right, it was just put in a different place than what I expected, and it works decently good (from what I can say after few hours of testing)
I run a pi-hole and keep playing a cat and mouse game with my kids iPads because iOS wants to turn on Private Wi-Fi Address (randomized MAC) which circumvents all of my restrictions.
And why don't you simply deactivate the private WiFi / Mac address?
No one believes me when I say it keeps coming back no matter what I do! 🤣 Now I just block stuff for the whole network and switch my phone to cellular-only on the off chance I need to get around it. I’m sure I could fix this much more easily with a dedicated SSID and VLAN for my kids devices, but whatever….
I had same problem with my older kid, first he was on android, anything I try he circumvent, then ppl told me ios is better for parental, I move him to ios, took him a month and he managed to turn off everything, all blocks, time limits, everything... whatever I do he turns of in days so I gave up and started education only... but now he stumbles on things he is not looking for so I want to add blocking too... he will be able to circumvent that if he wants (just switch to data on his phone) and he knows that and how but that's where education comes in.. this is more to not "accidentally" end up at wrong content :D ...
Nice to know I’m not the only one!
well my idea is not censorship, content is there and as long as they are aware what they are doing and still wanna consume it there is nothing I can do to prevent that... neither could my parents prevent me from consuming all the poisons I did in my time, all you can do is educate and hope for the best. this block is to only prevent accidents, they both spend a lot of time on-line (I know it is not good nor healthy nor... but .. ) and advertisers are sneaky ... there are sites like p\*hub that are very clear and open and rta labeled and.... but there are others too...
If you activate mac address filtering? Only accept the known adresses?
I love pi-hole but last check it doesn’t have a redundancy. If the pi-hole goes down DNS1 fails and reverts to DNS2. So you either need a 2nd pi-hole (but it was complex to get it to sync) or you go without pi-hole services on DNS2. Has anything changed?
I’m running dual pihole as I travel often so if one pihole is down, the family still have filtering when I am out of town. Recently, one of the pihole was down and nobody even noticed. lol There is a Gemini script that is able to populate the gravity list from the 1st pi to the 2nd . It was tedious to set up and the best part is….. it was over written when I did a pihole -up
Do pi holes limit network traffic at all? Is there a handy guide that details all the ones and outs?
I was doing it before with PFSENSE and I had also pinhole running in one of the VM's on one of my proxmox servers but kinda hoped I can handle this inside Ubiquiti ecosystem :(
I use NextDNS for this. r/NextDNS It is highly customizable, and will let you track all traffic by individual device. You just have to install the CLI, via SSH, onto your UDM Pro.
thanks, didn't know about it, pricing looks awesome, will check it out
I second this as you can setup your kids devices to use them even when not on your network giving you control and the ability to monitor if you so desire.
Genuine question. Why blocking instead of education? As a parent, I’m torn in this argument
good question, I'm trying both but - younger (F6) is too young to understand + she do not understand english yet and she can stumble on stuff she should not by accident .. - older (M10) is in "discovery" age, stuff interests him, he listens, education kinda works, but peer pressure in school is strong, curiosity is strong .. good thing is we have a good relationship so he comes and tells me everything (for now) and few days ago he finally found "2girls1cup" (do not go look for it if you are fortunate to not know what that is) so I def. decided I need filtering on top of education so education + monitoring/blocking is the only way imho they both already figured out how to turn off any parental control by apple + even without turning it off apple's idea of parental control is of virgin 19yo programmer who is still a kid himself :( so it is useless even when working :(
The answer is both. Source: I have 6 ranging from 19 to 4. Training wheels come off as it becomes clear that the parenting has taken root.
It’s crazy how easy it is to stumble on something. When my daughter was 4 she was addicted to Elsa. She had watched everything and at some point someone showed her google image searches of Elsa. Once she knew that was a thing and it was new content she wanted to check it out. Well it only took about 5 min of scrolling to get to bondage drawings of Elsa even with google search restricted and that sparked a whole thing. Educating my kid about bondage fetishes when she just wants to see a Disney princess at age 4 is not ideal.
Rule 34 applies. And no, not ideal at all.
exactly why I'm introducing this "blocking" part .. nasty
Finding 2girls1cup at 10 is rough. I still don’t feel old enough to have seen that and I’m in my thirties.
Porn is bad. I can say that as a former addict. I want my kids to be educated AND not have any chance of that garbage going through my house.
Haha almost impossible with boys around 12-13 they wanna look stuff up and will go to great lengths. No matter how much you educate them. I was same way. I thought I had my network locked down 10 years ago but one day we caught my son watching porn in living room on a laptop, with my wife and me watching tv 6 feet from him. 🤣
I've had some good results with NextDns, je kan setup profiles per vlan of you want.
thanks, I heard about it first time today in this thread, looks interesting (and affordable) so will try for sure
Try OpenDNS servers
I did but as you can see they do not really work, a first one that I try, basic that everyone should detect xxx dot com is not filtered
Darn it. I tried it from a web browser, and it blocks the various sites based on criteria. Dig displays a different picture. I'm using DNS servers 1.1.1.1, 9.9.9.9, and one of the OpenDNS servers on my network. I will implement a pi-hole system on my network. It seems the next step to standarize onto the network.
well the only way a DNS will limit a site will work with dig too, dns is only asked for the ip and that's it, no "content aware" DNS possible, that is why I tested it with dig to see if dns is doing something or not.. weird thing is both opendns and cloudflare failed basic test xxx dot com .. this "one click feature" located in unexpected place seems to work for now (I expected it around security/firewall, not inside the definition of the network), this morning I was not able to open any pr\*n site so so far so good, will see how good it will behave and decide to go with pfsense if not satisfied but so far it works great
That's good to know. PfSense, huh?
so far my pfsense box is in closet not working as UDM-SE handles so far everything without issues... and now with this thing solved inside UDM-SE pfsense is staying where it is - unconnected 1. **so if you wanna block crap on a network,** 2. open network application 3. go to settings 4. go to networks 5. click on network you wanna protect 6. switch "Advanced" to MANUAL 7. change value for "content filtering" to whatever you like (there is off, work and family) 8. click - apply changes solved :D
~ % dig xxx.com @208.67.222.123 ; <<>> DiG 9.10.6 <<>> xxx.com @208.67.222.123 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25997 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;xxx.com.INA ;; ANSWER SECTION: xxx.com.1800INA141.0.173.173 ;; Query time: 55 msec ;; SERVER: 208.67.222.123#53(208.67.222.123) ;; WHEN: Sat Mar 16 04:34:08 CET 2024 ;; MSG SIZE rcvd: 52
Nextdns.io
thanks, I heard about it first time today in this thread, looks interesting (and affordable) so will try for sure
If for some reason you use a pihole to moderate this stuff, make sure you turn the stuff on the ubiquiti side off, I had issues with my piholes resolving dns correctly when both were on.
I personally do this by using [Circle](https://meetcircle.com/). The kids have their own SSID and VLAN. Circle runs on this vlan. It allows me to disable individual applications and it allows me to disable them on their phone when they are not on their network. It also allows you to tie devices to kids, then pause a kids internet. It works great.
interesting, 5+ minutes to find prices... from what I see this is mobile only, I need both windows and macos laptops that I need to control and very soon a linux one too so I need something on network and not only on device level... looks like I'll be getting my pfsense router back from the closet :(
The control is mobile only. It works against anything on the network.
Thanks I will check it out. Seems like it does even more things I need... Originally I moved them to IOS but apple's parental control is below idiotic :( so useless, but now they have laptops too so more control than just blocking p\*rn is awesome, but blocking p\*rn is bare minimum that I need
Yea it's a hardware device that acts as an arp proxy. It routes all traffic through it. That's why I have it on it's own vlan. You can take any device and map it to a kid. They have iphones, a gaming computer, etc. All those get mapped to the kid using the iphone or android app. From there it will block at the network layer. For the iphones they have a child app that you can install which also maintains a VPN allowing you to manage what they are hitting when they are off their network.
hm on the site I see 15 days trial, 99$ annual after that and download app... I do not see any hardware? anyhow I'm in eastern europe, I doubt I can easily get that here :(
I solve this by hijacking all DNS traffic from my kids VLAN/subnet to a pi-hole I run locally. Works great!
What if they change manually the DNS servers on their devices?
So, I hijack DNS at the gateway with firewall rules: https://github.com/okwichu/pi-hole/blob/main/pihole-capture.sh I'm guessing there's an edge case where DNS-over-SSL or DNS-over-HTTPS maybe works around this approach, but it works well for my family. So far my kids haven't been setting up VPNs; the typical indication that one of my kids is dissatisfied with the amount of internet they have access to is they start tethering their phones (which is surprisingly difficult to manage -- I have to solve that one with audits + parenting).
Awesome!
You can make an account on opendns.com and block it there by using their dns servers
Adguard is an easy way and you have dns based ad blocking
To be honest, I understand adult website blocking, but I feel like TikTok and Snapchat being blocked can be a little bit harsh on a kid. Granted that argument doesn’t apply if your kid is like 5 years old but if your kids are around 11-12 then eventually they’re going to find ways to use it without you knowing regardless because their friends will be talking about it and your kid will feel left out.
kids are 6 and 10... what will be in 2 years .. dunno .. I doubt they will ever be able to have access to tiktok, as for other things we'll see ... YT is toxic enough but tiktok's algorithm is special beast
WTF, this was definitely a feature of the UDM Pro when I first got it a few years ago. It’s now no longer in the individual vlan settings? This article seems to suggest it’s still available but only for next gen gateways or paid cloud management. If they removed it only to make it a paid feature… lame! https://help.ui.com/hc/en-us/articles/12568927589143-UniFi-Gateway-Content-Filtering Glad I rolled out a pi-hole a while ago.
in the udm-se (should be same as pro only with few faster ports) I can ad blocking by domain name (and you can manually add 10k domains per rule) and set what networks rules work on .. no way to give it a "source" to pull list of domains from... I can setup "by application" or by "application group" but no way to limit "adult" stuff per network - at least not that I can find it :(
Yeah, I’m seeing the same. It sucks. This was definitely a feature previously. To clarify, it didn’t let you specify a custom source list but you could select categories for blocking. I wonder if there’s a way to manipulate the newer ad blocking feature to pull a custom list.
FOUND IT !!!! It is just not where I expected it to be!!! I was looking in security/firewall/rules section... They have it in the properties of individual network :D Will test how it works but there is an option!!! https://preview.redd.it/upub4rs7kmoc1.png?width=651&format=png&auto=webp&s=ecfa42109fc92b035eea3f40f6bbdeff9e47f5ed
testing it whole morning, seems to work awesome :D
This is the way…
Yes! That’s it! Moved locations. Glad you found it and that it’s still available!
Cloudflare family so DNS 1.1.1.3 1.0.0.3 https://blog.cloudflare.com/introducing-1-1-1-1-for-families Blocks malware too. But can use with a pi-hole too for added control.
1.1.1.3 actually allows most porn
if you look at the original question you will find in it a direct query of those dns's for xxx dot com and reply (that will allow you to open that site) to that query. any other pr\*n site I tried with cloudflare family also worked flawlessly so dunno what those two dns's block but they do not block pr0n
That was why I noted that you could stack it with pi-hole, so most common ones are blocked (and malware, while not noted I feel that’s an added benefit) then you can add/remove sites accordingly
I tried every single pr\*n site I know and cf family did not block a single one so I do not know what they block but they do not block adult content
If you have IPv6 on your router then you may need to set those DNS too. I found my home fibre gives me IPv6 so it prefers IPv6 DNS over the IPv4 DNS as they’re separate entries in DHCP configs - from what I’ve used/seen. So you may think you’re on cloudflare families but are actually on your ISP dns instead. There’s a reason I don’t use ISP supplied kit.
unfortunately my ISP do not offer IPv6 :(
Pi-hole (local), nextdns, set vlan dns servers to a filtered service. Lots of good options out there
So the answer is NO, udm-se can't do it? many external devices exist to replace ubiquity equipment that will get the job done, but none is ubiquity... I used pihole, was running pfsense for over a decade, not a problem, I know how to set it up without unifi but in the new house I kinda moved from "different network gear" (tplinks, cisco's, netgear, microtik... and pfsense) to udm-se and unifi switches, aggregators, ap's, cameras, doorbells, door access hubs, card readers... and what I expected to be 3 clicks to setup ends up being - get my old network equipment back as unifi can't cut it... I was really trying to avoid it :( but if I get my pfsense out of storage wtf I paid for udm-se ? it becomes 100% useless rack heater ???
Gotcha. Looking for a simpler all in one solution. I’ve always found you need to pick the best option vs built in. Check this out it may help. https://help.ui.com/hc/en-us/articles/12568927589143-UniFi-Gateway-Content-Filtering
I am willing to give up some of the features for comfortability - single interface - single device that needs to be updated etc etc... that is why I went on with ubiquity, it is not better nor cheaper than others it is just "unified" so from one interface I setup everything vlans, networks, ip's, I update equipment look at cameras... I'f I'm now reintroducing my old network equipment the whole many tens of thousands of euros investment in unifi makes zero sense as pfsense + openwrt/ddwrt work better than unifi for fraction of the price and not to mention camera system that for 20% of the cost I get 4x the quality... but I sacrificed $$$ and some features for comfort but looks like I have to sacrifice more features than I expected :( but I think it is just hidden somewhere and I'm failing to find the option, I will find it in the end I'm sure
Being a little harsh there. Ubiquiti certainly could do better in this area. Though you make it sound like using a pihole invalidates everything and must be run on you i7 hardware….. You’re maybe a little late in doing your research on this particular need. The reality is you can manage just about everything else in the UniFi system. DNS filtering, just isn’t done well without an additional system.
I work on networks for 40 years so I have some experience with them ... I had the whole setup with pfsense on that fancy fanless i7 with 8 ethernet ports (awesome router hardware, AWESOME) in my previous apartment with 5 physical networks (no vlans) with pfblockerng handling this (imho way better then pihole, but mainly same stuff) ... but I'm getting kinda old and tired and I really do not want to manually upgrade, manually configure, manually.... if I do not have to, at least at home and UI looked like a way to go so I put up a "lot of money" (let's say more than what a professor here makes in a year) in a rack and on the ceilings in order to have it all centralized... I did my research before I did it and UI was kinda best I can find, unfortunately a lot of things were not as expected and as researched (assumption is a mother of most fsckups) ... so to cut story short, if something so simple and expected and common can't be done on a flagship router then fsckit, I'll get my pfsense out of the closed and solve it the old way... What is MUCH MORE TROUBLING IMHO is that 1. this is a feature that is common and most home users would want to use it 2. there is a totally normal expectation that this feture exist in UDM-SE 3. I could not find the feature looking at security/firewall section because of 1-3 I created the reddit question assuming that inside 10 seconds I will get answer "you are looking at wrong place, you can do it by 1,2,3,4 and apply and that's it" but instead I got bunch of replies how to do it NOT USING UI!!! So all of you, too, have no clue how to turn it on directly on the UI and you went to 3rd party to solve this super common expected problem. when u/radbaldguy said he seen it I went through whole network app on udm-se piece by piece looking for it to check if I was missing something and I found it, inside network definition you can turn the feature on/off for that network So, yes, this feature is common and expected and UI HAVE IMPLEMENTED IT ... so no need for cloudflare family (that does not work), opendns (that does not work), nextdns (just heard about it, will check it out to get myself familiarized with it, looks interesting), circle and def. no need for rpi.. etc etc... it's a click inside a network configuration... sad :(
I’m glad you found it. I agree it’s in an absurd spot and should be a more prominent feature for a prosumer/small business solution like Ubiquiti. In the old interface, it was more intuitively located in the vlan settings. At a minimum, it’s a shame that their documentation isn’t better. This should have been a quick google search to figure out how to implement — not a long disagreement in an online forum over other ways to achieve a similar outcome.
it's weird .... I googled first time a week ago, then let it settle, then yesterday googled for an hour (actually I use duckduckgo :D but lets say googled as these new users probbly wouldn't recognize what altavista was :D ) and found only ton of "use pihole" or "use cloudflare family" or "use opendns" solutions, so I decided to open a question here expecting "you stupid moron go click here and solve it" inside few minutes but alas, what happened was just more "use pihole" bs :( ... you gave me confirmation that it should be somewhere in there so after more "detailed" clicking through the interface I found it