Alta Labs has built a powerful DPI engine into each of our access points. Whether you are an enterprise network administrator or a concerned parent, our access points allow you to restrict access to unauthorized or sensitive sites, applications, or application types. The DPI engine runs natively on the AP itself, so no switches, routers, or firewalls are needed to use this feature.
There are two sections of settings on the Filter page. The top portion under Access Points and Routers can apply to both APs and Route10. The lower portion under Router Only applies only to Route10.
It's important to note that, by default, the content filter is enabled as soon as you start populating it, and it applies to all Wi-Fi SSIDs and users on the current site unless you enable the Bypass Filter option, which is set on a per-password basis in your SSID settings. You can also enable the bypass on a per-client-device basis, as needed.
If there is a Route10 present on the site then it will also apply to all wired devices if the Router Block option is enabled. As of January 2026, there is not a bypass option for traffic traversing Route10, but that will be implemented in a future update. That means it's all or nothing for wired devices at this time. This is controlled by the Router Block toggle found at the bottom of the Access Points and Routers Filter settings.
Set a Filter Policy
First, log into manage.alta.inc, then select the site you would like to create a filter policy for. You can find your sites using the drop-down menu in the upper right-hand corner of your screen. Now, select the Settings tab, and from there select "Filter". Two different menus will appear. The first is the "Block Applications" drop-down. You can select as many applications or application groups by name as you want. Start typing the name of an application or application group and the list will be filtered as you type.
The second menu lets you enter specific website names. For example, if you want to block TikTok or YouTube, you can enter Youtube.com or TikTok.com.
Once you have entered all of the domains you wish to block, be sure to hit save.
Bypass Filter Policy
Bypass control at the password level per SSID
If you have users who don't need to be governed by the filter policy, you can bypass the filter using our Multi-Password technology. To enable this, head over to "Settings" and navigate to the SSID you are applying the filter to. Then select the password policy that should ignore the filter policy. Click on the purple button that is named after the password policy you have selected. Scroll to the bottom of the drop-down menu and select "Bypass Filter". Now, make sure the password policy that will use the filter policy does not have "Bypass Filter" checked. Hit the save button and you're good to go!
Bypass control on a per-device basis
The bypass isn't limited to the password, although that is the easiest way to set it at scale. You can also set it per device, which doesn't scale as well but allows for more flexibility. Go to Devices and select the client device you want to perform the override on. From the web, scroll to where it says Bypass Filter and change it from Use Default to On, then choose Save. From mobile, choose Edit, tap the Bypass Filter toggle to turn it on, then choose Save.
Router Only Filters
The Router Only portion of the Filter page offers country blocking and block list support. Traffic matching the options chosen here will be blocked both ingress (in from the internet) and egress (out to the internet) on Route10. These settings do not have any impact on APs.
These lists are automatically updated daily.
Block Regions
Under Block Regions, you can choose countries to block. All traffic to and from the selected countries will be blocked.
Block Lists
Under Block Lists, you can choose lists of IPs and IP subnets which you might want blocked on your network. The following explains each list available.
- Bad actors - this is a curated, consolidated block list from multiple sources. It includes compromised systems attacking others, abuse-friendly datacenters that do not generally host any legitimate activity, and other IPs and networks actively engaged in spamming, hacking, or other malicious activity.
- Bogons - bogons are networks that should never be seen on the internet. They are either not assigned to an end user, or reserved non-public IP space.
- FireHOL levels 1-4 - FireHOL is an open source project that maintains block lists of varying levels of risky IPs. The level 1 list covers the strongest evidence of serious abuse, with very minimal false positive potential. Level 2 includes level 1 plus IPs and networks with consistently malicious behavior, but not to the severity of level 1. Level 2 is still very low risk of false positives, and is the recommended level to choose if enabling FireHOL. Level 3 includes everything from levels 1 and 2, plus hosting providers with high abuse density but not necessarily purely illegitimate networks. Level 4 includes everything in levels 1 through 3, plus entire networks with historical abuse, and addresses with weak or indirect evidence of abuse. Level 4 is prone to false positives. If using FireHOL, you should choose one level only. Choosing multiple levels is duplicative and unnecessary.
- Open Proxies - this is a list of open proxy servers which allow anyone to relay traffic through them. As such, they are magnets for abuse, and there is likely never a legit need to communicate with them.
- Public DoH servers - this is a list of public DNS over HTTPS (DoH) servers. These are not malicious, however for policy reasons you may want to block access to external DoH servers to require systems to use your authorized DNS servers.
- Tor exit nodes - Tor is a free overlay network which enables anonymous communication over the internet. Exit nodes are where traffic from Tor clients exit the Tor network to access the internet. While there are legit uses of Tor, it’s also a magnet for abuse.
- VoIP fraud - this is a list of IPs known to be participating in various forms of VoIP fraud and abuse.
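Because the stricter lists carry a false positive risk and Route10 blocking has no per-device bypass, it helps to check the addresses your site depends on against a list before turning it on. The following is an added example, not Alta Labs code: it assumes you have your own plain-text copy of a comparable list (one IP or CIDR per line, `#` comments), and the list contents, list names and host names are constructed placeholders.

```python
import ipaddress

# Constructed sample lists using documentation address ranges; not real
# block list data. Assumed format: one IP or CIDR per line, '#' comments.
SAMPLE_LISTS = {
    "level2": "# constructed sample\n192.0.2.0/24\n198.51.100.17\n",
    "level4": "192.0.2.0/24\n198.51.100.0/24\n203.0.113.0/25\n",
    "public_doh": "203.0.113.53\n",
}

# Hypothetical destinations the site must keep reaching.
REQUIRED = {
    "voip-provider": "198.51.100.40",
    "dns-resolver": "203.0.113.53",
    "backup-target": "203.0.113.200",
}

def parse_list(text):
    """Return the networks in a list, skipping blanks, comments and bad lines."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # malformed entry: skip it rather than abort the audit
    return nets

def audit(required, lists):
    """Map each block list name to the required hosts it would cut off."""
    hits = {}
    for name, text in lists.items():
        nets = parse_list(text)
        hits[name] = sorted(
            label for label, addr in required.items()
            if any(ipaddress.ip_address(addr) in net for net in nets)
        )
    return hits

if __name__ == "__main__":
    for name, blocked in audit(REQUIRED, SAMPLE_LISTS).items():
        print(f"{name}: {', '.join(blocked) or 'no required hosts affected'}")
```

With the constructed data, the stricter sample list leaves every required host reachable, while the broadest one would cut off two of them.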
If you need additional assistance, please check out our video covering "Content Filtering"