Add a content filter profile to specfic SSID

I have a Balance 839E.
Managing a set of peplink wifi nodes.

I have setup a 2nd wifi SSID, “kidsdevices” and I’ve assigned it to a time profile.

I would like to assign a content filtering profile to this SSID as well.

However from what I can see I can only set a content profile and apply it to a manager, user or guest… and I don’t see a way to make this SSID a “guest”
(side note, I also don’t see a way to create a unique profile and name it… IE make a user group “Wireless” which would be handy)

Is it not possible or am I looking at this the wrong way?

Content filtering is only a single profile, but you can decide who it applies to.

To define who is in what use group is done by matching IP addresses, either individually or an entire subnet.

If the number of devices is low you could give them static IP binding in DHCP and then match those addresses, or if the 2nd SSID goes to its own vlan/subnet then you could match the entire subnet. The latter approach would be better in some regards, but may depend on how the rest of your network is configured and connected to implement.

QoS > User Groups > Add

Assign IPs or a subnet and set it to guest.

On your content filter configuration apply it to guest only.

I like the assign IP’s as a subnet, as it’s only two wireless devices that we would apply this to.
However, when I go to Qos > user groups > add, and select adding, I get an error that the IP isn’t valid on the subnet. Essentially it seems like it wants me to put in both a IP AND subnet into this area.

So I would have to create two of these (one for each Ipad / IP assigned)
Is there a wildcard, that I can us, something like 192.168.* that would allow me to mark this as all active IP’s only on subnet

For single IPs just enter the IP address, that seems to be all it wants from me in testing, if they are statically bound I think you can also reference the name you gave in the DHCP binding.

Matching subnets you just need to use the first IP from the CIDR block + the appropriate netmask.

Per your example above if you wanted to match any 192.168.x.y address you’d use the covering prefix of

Actually, I had to swap so that Guest / Manager was exempt.
(since our default subnet has some IOT things on it that we don’t want blocked and I didn’t want to keep having to add DHCP reservations all the time)

and made “Staff” be the one that would apply to the rule and link to the Ipad wifi.

It would be super nice if in the next firmware, a simple way to just select a rule set and apply to wifi would be added. I see you can do a “flexible firewall” type rule to a SSID, so along that logic, doing a flexible content filter policy would be great.