Configuring Content Filtering in UniFi: CyberSecure for Restricted VLANs
Overview
This article configures DNS-based content filtering for Restricted VLANs using UniFi's CyberSecure feature. You'll create a filter policy that blocks inappropriate content categories, enables ad blocking, and enforces safe search on major search engines. All filtering happens at the network level - no client software required.
Before You Begin
Prerequisites
- Firewall Rules completed
What We're Setting Up
| Feature | Purpose |
|---|---|
| Content Categories | Block adult, malware, gambling sites |
| Ad Blocking | Remove ads network-wide |
| Safe Search | Enforce on Google, Bing, YouTube |
How CyberSecure Works
CyberSecure intercepts DNS queries from devices on the filtered VLANs and checks each queried domain against blocklists (provided through a partnership with NextDNS). Blocked domains return NXDOMAIN, so the client never learns an IP address to connect to.
| Step | What Happens |
|---|---|
| 1 | Device requests example.com |
| 2 | UDM intercepts DNS query |
| 3 | Domain checked against blocklist |
| 4 | Allowed: Return real IP |
| 4 | Blocked: Return NXDOMAIN |
Note: DNS filtering can be bypassed with DNS-over-HTTPS (DoH) or VPNs. For determined users, consider device-level controls as well.
Create Filter Policy
Navigate to Settings → CyberSecure → Content Filtering.
Create New Policy
Click Create New Policy and configure:
| Name | Networks |
|---|---|
| Restricted Filter | Restricted-Trusted (40), Restricted-Isolated (45) |
Category Selection
Enable blocking for these categories:
| Category | Reason |
|---|---|
| Adult Content | Age-inappropriate material |
| Malware | Security protection |
| Phishing | Security protection |
| Gambling | Age-inappropriate |
| Drugs | Age-inappropriate |
| Weapons | Age-inappropriate |
Tip: Start with fewer categories and add more based on what gets through. Over-blocking creates frustration and workarounds.
Ad Blocking
In the policy settings:
- Enable Ad Blocking
- This blocks known ad-serving domains
Note: Ad blocking may break some free services that require ads. Add exceptions as needed.
Safe Search
In the policy settings:
- Enable Safe Search
- This enforces safe search on:
  - Bing
  - YouTube (Restricted Mode)
  - DuckDuckGo
Add Exceptions
Some educational or entertainment sites may be incorrectly categorized. Add exceptions as needed.
Allow Specific Domains
Navigate to Settings → CyberSecure → Content Filtering → [Restricted Filter] → Exceptions.
Add allowed domains:
| Domain | Reason |
|---|---|
| example.edu | School website |
| educational-game.com | Approved game |
Block Specific Domains
You can also explicitly block domains that aren't in categories:
| Domain | Reason |
|---|---|
| time-waster.com | Productivity |
Verify Content Filtering
Test Blocked Category
From a device on Restricted-Trusted:
- Try accessing a known adult site
- You should see "This site can't be reached" or a similar DNS error
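A scripted version of this check, as an added example (not part of the original article or of UniFi's tooling): it sends an A query to the VLAN's DNS server and classifies an NXDOMAIN reply as blocked. The function names, the sample packets and the resolver address passed to `check` are assumptions; NXDOMAIN is also returned for names that genuinely do not exist, so test with a domain known to resolve on an unfiltered network.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Encode a minimal DNS query for an A record (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify_response(packet, txid=0x1234):
    """Return (verdict, rcode_name, answer_count) from a raw DNS reply."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID or QR bit not set
        raise ValueError("not a response to our query")
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    if rcode == "NXDOMAIN":
        return "blocked", rcode, ancount    # what the filter returns for a block
    if rcode == "NOERROR" and ancount > 0:
        return "allowed", rcode, ancount
    return "inconclusive", rcode, ancount   # SERVFAIL, empty answer, etc.

def check(name, resolver, timeout=3.0):
    """Query `resolver` (assumed: the VLAN gateway) over UDP/53 and classify."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        packet, _ = s.recvfrom(512)
    return classify_response(packet)

# Constructed sample replies for offline use, not captured traffic.
_QUESTION = build_query("blocked.example")[12:]
SAMPLE_BLOCKED = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION
SAMPLE_ALLOWED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                  + bytes([192, 0, 2, 10]))  # A record -> 192.0.2.10 (TEST-NET-1)

if __name__ == "__main__":
    print(classify_response(SAMPLE_BLOCKED))
    print(classify_response(SAMPLE_ALLOWED))
    # On a Restricted-Trusted client: print(check("<domain>", "<gateway IP>"))
```

Run it once from a device on Restricted-Trusted and once from an unfiltered VLAN; a domain that is "blocked" on the first and "allowed" on the second confirms the policy is what produced the NXDOMAIN.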
Test Safe Search
From a device on Restricted-Trusted:
- Go to google.com
- Search for something that would show inappropriate results without safe search
- Verify results are filtered
Test Ad Blocking
From a device on Restricted-Trusted:
- Visit a site with known ads (news sites work well)
- Verify ads are blocked or show a placeholder
Check Filter Logs
Navigate to Settings → CyberSecure → Activity to see:
- Blocked queries
- Which devices triggered blocks
- Category distribution