DPI not functioning

DPI not functioning

DPI not functioning
DPI not functioning
2024-05-24 12:35:57 - last edited 2024-05-28 16:32:25
Tags: #DPI
Model: ER8411  
Hardware Version: V1
Firmware Version: 1.20

I am having issues with DPI not detecting anything.  What OSI model does your DPI sniff at?  I am now using an Ubuntu controller not in standalone mode anymore.

 

Here is the network diagram:

dbf6cc5e5f904e3abba283bba4154d89

The last message I got from TP Link support was they recommended two things:

 

1. It is recommended to check off all Facebook-related.

2. There is only one VLAN interface on the gateway, but the clients should not be on this subnet. So the DPI data cannot be detected. That's why it's not in effect.

 

Even though I set up TWO DPI filter, one for Facebook and another for TikTok. TikTok only has one, but even when I put all the facebook application into the filter it does nothing.

 

Point 2, I am not even sure what that even means.  

 

So my question is, is DPI sniffing at layer 2?  The only thing I can think of is that, I am not using the ER8411 as a RoaS. I am routing between the ER8411 and my L3 switch (DX010). So any VLAN information is going to be dropped at the interface..

 

Anyone want to chime in?

  0      
  0      
#1
Options
23 Reply
Re:DPI not functioning
2024-05-25 06:11:50

  @mbze430 

 

I have a ER8411 and use DPI, only app I block is tiktok, but I do a test with facebook to and it block right away.

 

Are you sure you have it set up correctly? it can be a bit fiddly to set up.

 

 

 

  0  
  0  
#2
Options
Re:DPI not functioning
2024-05-25 06:19:21

  @mbze430 

 

I did a few more tests against some straming services and they stopped working right away.

 

  0  
  0  
#3
Options
Re:DPI not functioning
2024-05-25 06:35:57 - last edited 2024-05-25 06:36:22

@MR.S 

Seems pretty straight forward to me....

 

 

 

For TikTok on the ER8411 there is only one, but as I have said before.  adding all Facebook does nothing... I can get to Facebook and use Messenger

  0  
  0  
#4
Options
Re:DPI not functioning
2024-05-25 06:47:04

  @mbze430 

 

Ok, I use only one application filter and add blocked app to one group in roules management. 

 

I have testet with many app now and it work every time. facebook and messenger stop working and my straming services stop working when I block Netflix.

 

 

  0  
  0  
#5
Options
Re:DPI not functioning
2024-05-25 06:52:46

  @mbze430 

 

But I try to create a facebook only filter and assigned this to lan and everyting from facebook stop working on my computer.

 

 

 

  0  
  0  
#6
Options
Re:DPI not functioning
2024-05-25 06:59:06

  @mbze430 

 

how did you set up the time range?

 

 

My look like this

 

  0  
  0  
#7
Options
Re:DPI not functioning
2024-05-25 07:21:12

@MR.S 

 

MY time range is set the same.

 

Are you using your ER8411 Router on a Stick on your network?.. meaning all your inter-vlan are on your router (if you have multiple vlans)

 

  0  
  0  
#8
Options
Re:DPI not functioning
2024-05-25 07:47:23

  @mbze430 

 

Yes i have many VLAN, and it work on all as I know, my straming device is on its own vlan and netflix stop working and my computer is on another vlan and netflix dosent work on this either.

 

so your problem is strange. I have the latest firmware on my ER8411 but i run the latest controller beta my bee this is why this work. I use controller version 5.14.20.8

 

 

 

 

  0  
  0  
#9
Options
Re:DPI not functioning
2024-05-25 12:14:36

Hi  @mbze430 

What about this guide? How to Set Up Deep Packet Inspection(DPI) on Omada Router

If you follow this and do soem tests with your application.

If you are blocking a vendor like Google, make sure you block several sites that Google owned.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#10
Options
Re:DPI not functioning
2024-05-25 12:42:29 - last edited 2024-05-28 03:34:11

So Support reply,


 

They wanted me to expand my routing interface from 192.168.1.0/30 to /24 but I have NOTHING other than two interfaces talking to each other.

 

Here is my reply... and I don't understand why they keep talking about the VLAN, since my interface is routed....

 

 

I changed it to 192.168.1.1/24 and nothing has changed.  Because as I have told your support that I am NOT using the ER8411 in a Router as a Stick configuration.  My network is setup as multilayer.

 

My layer 3 switch connecting to the ER8411 is using a routed interface.  192.168.1.2.  There are ZERO other devices on my network are on the 192.168.1.1/24 or 192.168.1.1/30 subnet.  only two devices, ER8411 (192.168.1.1) and DX010 (192.168.1.2)

 

this is the route on my DX010 running Microsoft SONiC

admin@sonic:~$ show ip route

Codes: K - kernel route, C - connected, S - static, R - RIP,

       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,

       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,

       F - PBR, f - OpenFabric,

       > - selected route, * - FIB route, q - queued route, r - rejected route

 

S>*0.0.0.0/0 [1/0] via 192.168.1.1, Ethernet0, 05:01:22

C>*10.0.80.224/27 is directly connected, Vlan80, 05:01:22

C>*10.0.90.224/27 is directly connected, Vlan90, 05:01:22

C>*10.0.100.96/27 is directly connected, Vlan1000, 05:01:22

C>*10.0.253.0/24 is directly connected, Vlan253, 05:01:22

C>*10.0.254.0/24 is directly connected, Vlan254, 05:01:22

C>*10.1.0.1/32 is directly connected, Loopback0, 05:01:27

C>*10.1.100.176/28 is directly connected, Vlan100, 05:01:22

C>*10.1.110.144/28 is directly connected, Vlan110, 05:01:22

C>*10.3.52.0/26 is directly connected, Vlan52, 05:01:22

C>*10.3.68.0/24 is directly connected, Vlan268, 05:01:22

C>*10.3.128.64/26 is directly connected, Vlan1128, 05:01:22

C>*172.17.170.0/26 is directly connected, Vlan170, 05:01:22

C>*172.18.7.32/28 is directly connected, Vlan740, 05:01:22

C>*192.168.1.0/30 is directly connected, Ethernet0, 05:01:22

 

as you can see NO VLAN 2.  because the interfaces are routed.  I don't know why you keep talking about VLAN2 on the ER8411, because any routed interface it doesn't care about VLAN.

 

admin@sonic:~$ show vlan brief

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|   VLAN ID | IP Address      | Ports         | Port Tagging   | Proxy ARP   | DHCP Helper Address   |

+===========+=================+===============+================+=============+=======================+

|        10 |                 | Ethernet115   | untagged       | disabled    |                       |

|           |                 | Ethernet119   | tagged         |             |                       |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|        52 | 10.3.52.1/26    | Ethernet125   | tagged         | disabled    | 10.0.253.254          |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|        80 | 10.0.80.225/27  | Ethernet113   | tagged         | disabled    |                       |

|           |                 | Ethernet116   | tagged         |             |                       |

|           |                 | Ethernet125   | tagged         |             |                       |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|        90 | 10.0.90.225/27  | Ethernet116   | tagged         | disabled    |                       |

|           |                 | Ethernet125   | tagged         |             |                       |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|       100 | 10.1.100.177/28 | Ethernet125   | tagged         | disabled    | 10.0.253.254          |

|           |                 | Ethernet126   | tagged         |             |                       |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|       110 | 10.1.110.145/28 | Ethernet124   | tagged         | disabled    | 10.0.253.254          |

|           |                 | Ethernet125   | tagged         |             |                       |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|       170 | 172.17.170.1/26 | Ethernet116   | tagged         | disabled    | 10.0.253.254          |

|           |                 | Ethernet124   | tagged         |             |                       |

|           |                 | Ethernet125   | tagged         |             |                       |

|           |                 | Ethernet126   | tagged         |             |                       |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|       252 |                 | Ethernet117   | tagged         | disabled    |                       |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|       253 | 10.0.253.1/24   | Ethernet112   | untagged       | disabled    |                       |

|           |                 | Ethernet116   | tagged         |             |                       |

|           |                 | Ethernet125   | tagged         |             |                       |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|       254 | 10.0.254.1/24   | Ethernet116   | tagged         | disabled    |                       |

|           |                 | Ethernet124   | tagged         |             |                       |

|           |                 | Ethernet125   | tagged         |             |                       |

|           |                 | Ethernet126   | tagged         |             |                       |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|       268 | 10.3.68.1/24    | Ethernet125   | tagged         | disabled    | 10.0.253.254          |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|       740 | 172.18.7.33/28  | Ethernet124   | tagged         | disabled    | 10.0.253.254          |

|           |                 | Ethernet125   | tagged         |             |                       |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|      1000 | 10.0.100.97/27  | Ethernet125   | tagged         | disabled    | 10.0.253.254          |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|      1128 | 10.3.128.65/26  | Ethernet125   | tagged         | disabled    | 10.0.253.254          |

|           |                 | PortChannel01 | tagged         |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

|      4000 |                 | Ethernet124   | untagged       | disabled    |                       |

|           |                 | Ethernet125   | untagged       |             |                       |

|           |                 | Ethernet126   | untagged       |             |                       |

|           |                 | PortChannel01 | untagged       |             |                       |

+-----------+-----------------+---------------+----------------+-------------+-----------------------+

 

  0  
  0  
#11
Options