You've probably seen or heard of Ubiquiti UniFi , which is gaining increasing market share and establishing itself as one of the top choices for routers in various network scenarios. Beyond its robustness, many professionals seek to understand how to apply content filtering in UniFi environments to ensure greater security and browsing control. With a wide variety of models and price ranges, UniFi devices cater to everyone from users seeking a cost-effective solution to more demanding environments requiring high performance and reliability.
The popularity of the UniFi line is evident in small and medium-sized businesses (SMBs) , and it is also a common choice among managed service providers (MSPs) and in corporate environments . Its centralized management system and intuitive interface allow for easy integration with the network infrastructure, simplifying everything from initial configurations to continuous monitoring. This makes the solution accessible even to users with limited technical knowledge.
Despite their robustness and high performance, UniFi routers do not natively offer a complete content filtering solution . Standard options are limited to basic blocking of known threats, such as malicious websites or adult content, which may not be sufficient for businesses that need more customized access policies or detailed network traffic reports .
Fortunately, there are simple and effective alternatives that can be easily integrated with UniFi devices to improve security and browsing control. Using DNS filtering is one such solution, allowing you to restrict content categories, monitor access, and apply different policies by user group or time of day.
If you prefer, you can watch the video we prepared on configuring Ubiquiti to use Lumiun DNS .
Next, we'll explore some models from the UniFi line and explain why content filtering is an essential component for the security and control of your network.
What are UniFi Cloud Gateway, Dream Machine, and Next-Generation Gateway routers?
Before discussing the specific functionalities of UniFi routers, it's important to understand the basic structure of the UniFi system , developed by Ubiquiti . UniFi is a centralized management platform that integrates various network and security devices, organized into different functional modules . Each UniFi device can participate in one or more of these modules, depending on its function and capabilities.
The modules of the UniFi ecosystem are:
- Network Manager – Responsible for network management, including routers (gateways), switches, and Wi-Fi access points.
- Protect – Designed for security cameras, recording storage, and real-time monitoring.
- Access – Manages smart locks and access readers, enabling physical control of doors and people entering.
- Talk – An IP telephony (VoIP) system for businesses, with centralized management of extensions and devices.
- Connect – Focused on managing physical spaces, with visitor check-in, dashboards, and integration with the company's physical systems.
In this article, we will discuss three devices. Two of them stand out for integrating the five main modules of the UniFi Network ecosystem: Protect, Access, Talk, and Connect, allowing them to act as central controllers . This means that these devices can manage the entire UniFi network infrastructure , including switches, access points, cameras, access control systems, and VoIP telephony devices , all from a single console.
Management can be done:
- Locally , via the UniFi Network module, with direct access to the device's web interface.
- Remotely , via the UniFi cloud (UI.com), allowing secure and convenient access from anywhere.
This flexibility makes the UniFi ecosystem especially attractive to businesses, integrators, and MSPs seeking centralized control with ease of expansion.
The third device discussed does not have any built-in UniFi module . To manage it, you need to use:
- A server with the UniFi Network application installed , on a computer or VM, for local operation;
- Alternatively, it can be integrated into the environment of another device that acts as a UniFi controller , such as the UCG (UniFi Cloud Gateway) or UDM (UniFi Dream Machine) .
This type of configuration is common in devices like the UXG (UniFi Next-Gen Gateway) , which function exclusively as high-performance gateways and rely on an external controller for configuration and management.
UniFi Cloud Gateway (UCG)
The UniFi Cloud Gateway (UCG) represents one of Ubiquiti's latest generations, designed for modern enterprise environments that demand centralized cloud management and high scalability. It acts as both a gateway and a controller, with integrated support for the UniFi Network , as well as compatibility with the UniFi Cloud Console , enabling remote and unified management of multiple sites and devices.
The UCG does not have integrated Wi-Fi, making it ideal for projects with distributed Access Points . It is focused on professional environments , especially MSPs, medium-sized companies, and distributed networks , offering high performance, advanced security features, and ease of expansion.
UniFi Dream Machine (UDM)
The UniFi Dream Machine (UDM) and its variations (UDM-Pro, UDM-SE) are "all-in-one" solutions designed to integrate multiple functions into a single device. The standard UDM model has a router, firewall, UniFi controller, and Wi-Fi access point all in one device, making it ideal for small offices or advanced homes UDM-Pro and UDM-SE models, however , do not have built-in Wi-Fi but offer greater processing power, additional ports, support for UniFi Protect (camera recording), and, in the case of the SE, PoE ports.
The UDM line focuses on ease of use , offering complete control of the network and other UniFi modules without the need for additional equipment.
UniFi Next-Generation Gateway (UXG)
The UniFi Next-Gen Gateway (UXG) , especially the UXG-Pro model, is aimed at those who need a high-performance router/firewall but want to keep the UniFi controller separate, whether on a Cloud Key, UCG, or dedicated server. Unlike the UDM line, the UXG does not have an integrated UniFi controller , nor does it support modules such as Protect, Access, or Talk. Its focus is purely on routing, security, and network performance .
It is the ideal option for environments where management is centralized by another device, and where segmentation of functions is sought for greater flexibility and scalability , such as in corporate networks, distributed projects, or with many simultaneous users .
These three models reflect different approaches within the UniFi ecosystem: UDM for simplicity and all-in-one functionality, UCG for integrated, cloud-based control, and UXG for performance and modularity. The ideal choice depends on network size, the need for centralized control, and expansion strategy.
UniFi's limitations in content filtering
Content filtering on UniFi devices has significant limitations, especially for environments requiring detailed control over internet usage. Ubiquiti offers only a few basic and generic , without allowing granular customization by category or specific domain .
“Work” and “Family” security profiles are available , which focus on blocking adult content and malicious websites . However, these options rely on DNS resolutions with predefined blocks, using third-party servers. Because DNS traffic is not processed or analyzed directly by the UniFi system, there is no generation of detailed reports on what was accessed or blocked.
This approach results in a number of limitations:
- It is not possible to implement dynamic blocks by category , such as social media, games, betting, streaming, among others;
- The option to create custom blocklists per domain ;
- There is no visibility or browsing reports , which prevents monitoring of employees' internet usage behavior.
This scenario compromises the adoption of strategies for productivity control , information security , and network usage policies , which depend on visibility and flexibility in access management.
Furthermore, while the UniFi firewall is robust and efficient for network security, with rules based on IP addresses, ports, protocols, and access policies, it is not designed to act as a content control tool . Its focus is on protecting the network against threats , managing traffic , and applying routing and segmentation rules , not on filtering website types or browsing behaviors.
The Importance of Content Filters in Corporate Networks
Implementing content filters on corporate networks is essential to ensure security , productivity , and compliance in the organizational environment. Companies, schools, clinics, and other institutions handle sensitive data , and any breach represents significant risks to operations and reputation.
One of the main benefits is protection against cyber threats such as phishing , malware , and ransomware . The filters act as a preventative barrier , blocking access to malicious websites before users interact with them. This additional layer of security reduces the attack surface, protecting the network and devices against infections and data leaks.
Furthermore, controlling access to content unrelated to professional activities directly contributes to increased productivity . Restricting platforms such as social media, streaming services, games, and entertainment helps maintain employee focus and reduce distractions during the workday.
Filters also play an important role in preserving a healthy and ethical corporate environment , preventing access to inappropriate content such as pornography, violence, or hate speech. The presence of this type of material compromises the organizational climate and exposes the company to legal and reputational risks.
Another key differentiator is the generation of detailed browsing logs and customized reports , offering managers visibility into network usage. This allows for more informed decisions and policies aligned with the organization's needs.
From a legal standpoint, the adoption of content filters helps in complying with internal internet usage policies , the guidelines of the LGPD (General Data Protection Law) , and other information security . Sectors such as education , healthcare , and companies with multiple networks and different access profiles benefit from this technology, ensuring control, compliance , and continuous protection.
How to apply content filtering on UniFi networks
Despite UniFi's native limitations regarding content filtering, it's possible to implement more effective control by configuring custom DNS servers . This approach allows you to block unwanted and malicious content using DNS providers with built-in filtering , such as Cloudflare for Families, CleanBrowsing, AdGuard DNS , or more robust commercial solutions that offer customizable filters and detailed reporting .
In the UniFi management panel, it's possible to configure specific DNS servers for different networks , allowing you to apply content filters to certain areas of the infrastructure—for example, blocking internet access on a network intended for visitors , while maintaining access on another used by employees . This enables more flexible control according to the needs and usage profile of each environment.
A critical point of this approach is when network devices operate with static (fixed) IP addresses . In these cases, since they do not receive configurations via DHCP, it is necessary to manually configure the DNS servers on each device , which increases maintenance effort and hinders the scalability of the solution. In networks with DHCP enabled, on the other hand, the distribution of filtered DNS is automatic and efficient, facilitating the application of the policy on a large scale.
A good practice when using DNS server-based content filters is to create traffic redirection rules , ensuring that all DNS requests made by network devices are forwarded to the DNS servers configured in UniFi . This way, the content filter is effectively applied to all network users, preventing the use of alternative DNS servers to bypass the restrictions.
A safe and robust alternative: Lumiun DNS
Lumiun Lumiun DNS is a DNS management and security solution geared towards corporate and institutional environments. It offers protection against digital threats , optimization of internet usage , and visibility into network traffic . Among its main features are: customizable content filtering with dynamic lists and specific categories; detailed access reports from network devices; and filters to block malicious domains , contributing to safer browsing.
Lumiun DNS configuration can be done quickly and easily using DNS Stamp , which utilizes the DoH (DNS over HTTPS) . DoH is a technology that resolves domain names over HTTPS connections, encrypting DNS queries to ensure the privacy and integrity of transmitted data . By operating over the HTTPS protocol, DoH blends into regular web traffic, making interception more difficult and preventing attacks such as man-in-the-middle .
How to register with Lumiun DNS
Go to https://dns.lumiun.com/register to create your free account. By creating an account, you will start a free 14-day trial of the Pro Plan. After 14 days, you can choose between the Free, Pro, or Education plans.
Fill in your first name, last name, email, phone number, and password to create your free account. If you prefer, you can create it directly with your Google account.
Confirm registration via email.
After registering, confirm your account by clicking the “Verify email” in the email that was sent to you. If the email is not in your inbox, check your Spam folder and mark it as “Not Spam” to receive future emails.
Complete the initial steps.
After confirmation, you will be directed to the policies page, but first, you must enter your organization's information.
After this setup, you will go through a brief "Tour" about Lumiun DNS.
Good practices to enhance security
An effective way to increase network protection and reduce risks related to malicious traffic is to block outbound traffic on ports 53 (DNS) and 853 (DNS over TLS) , allowing connections only to authorized DNS servers . This measure prevents the use of untrusted DNS servers, reduces the chances of data leaks, and makes it more difficult to use DNS as a channel for attacks.
segmentation through VLANs allows for the application of specific security policies to different groups of devices, sectors, or subnets. This approach helps contain the spread of threats , isolate suspicious behavior, and make incident response more agile and efficient. Solutions like Lumiun DNS 's Segment53 reinforce this strategy by allowing the application of distinct DNS filters for each network segment, increasing control and security in a granular way.
monitoring of network reports and logs is another fundamental pillar for corporate environments. Analyzing this data makes it possible to identify anomalous patterns, unauthorized access, and early signs of threats , such as attempts to overload the network through DNS queries.
Finally, it is essential to keep firmware, software, APIs, and equipment always up-to-date , mitigating risks associated with known vulnerabilities . It is also important to ensure the persistence of security settings and to ensure that the system maintains critical policies even after reboots or updates.
The protection your UniFi was missing
UniFi devices are powerful and reliable, with models suitable for different types of network infrastructure. However, when it comes to content filtering , they have limitations: they only offer static filters, without customization options or detailed access reports .
Adopting a DNS filter fills this gap, transforming UniFi devices into an even more complete network protection . This type of integration adds extra layers of security, enables dynamic control over accessed content , and helps comply with regulations and laws , such as the LGPD ( ). Tools supporting the DoH (DNS over HTTPS) offer an important advantage by encrypting DNS traffic and preventing it from being intercepted or redirected by third parties.
For those seeking security and content control without sacrificing their existing UniFi infrastructure, solutions like Lumiun DNS make this process simple, efficient, and reliable .
