techno5
New Member
April 6, 2019
Question

3rd party wifi and security

  • April 6, 2019
  • 1 reply
  • 7815 views

Just received the 60E and I have an ASUS 86U wireless router.

Is it possible for certain wireless users to be put in a security group (by MAC address) so those users can access any of the other internal hosts, while those that are not in the group can only access the internet? There is one unmanaged network switch connected to the 60E which has a number of Ethernet-connected devices, and the wifi AP is connected to a port on the 60E.


I was not sure if I can create a hardware switch and then separate that from the rest of the network for only wifi users: put the internal and wifi interface into a new zone, enable block intra-zone communication, and then create a policy that allows the group members access to anything internal.

    1 reply

    lobstercreed
    New Member
    April 7, 2019

    There are a few ways to accomplish this, but it sounds like you've got a pretty good one planned out.  It should work fine!  :)

    techno5
    techno5 (Author)
    New Member
    April 7, 2019

    I was under the impression that even if you create a new interface and plug the wifi access point into it, all of the internal LAN can still access all resources and vice versa.

    What other ways do you recommend?

    lobstercreed
    New Member
    April 7, 2019

    Perhaps I misunderstood, but it sounds like you already know that out of the box the "internal" network is a hardware switch of all the internal ports, so you were suggesting breaking that apart and putting the wifi router on its own interface, right?  This would prevent traffic between the "internal" interfaces and the port you broke apart, unless that traffic is defined in a policy.  You further mentioned grouping these into a zone, which would enable them to communicate again unless you block intra-zone traffic, which you stated you would.  So then you'll create an intra-zone policy (source and destination "interface" (zone in this case) would be the same) to match the traffic based on device group (MAC addresses).


    Other ways to accomplish this include doing everything you listed above except not putting them into a zone and simply creating a policy between the interface for the router and the "internal" hardware switch.  Same result in the end.  I suppose it might complicate your outbound policies (to the Internet), so in that case the zone is better.  You could also further subdivide the FortiGate such that you have even more control over each port's interaction with each other port.  This just depends on your needs.  Like I said, you have a really good plan in place, so I wasn't meaning before to suggest you do anything different, but confirming that you were on the right track!  :)
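The plan agreed on in this thread, written out as a FortiOS CLI configuration. This is an added example, not configuration posted by either participant: it assumes a FortiOS 6.0-era 60E whose internal hardware switch is named "internal", that port "internal5" is the one the wifi AP is cabled to, a constructed subnet 192.168.50.0/24 for that port, a constructed zone name "lan-zone", and placeholder MAC addresses for the trusted devices. The `config user device` / `set devices` syntax for MAC-based policy matching is the 6.0 form; later releases moved MAC matching into `config firewall address`, so check the release notes for the firmware actually installed.

```fortios
# 1. Pull the AP's port out of the "internal" hardware switch so it becomes
#    its own layer-3 interface (assumed: port name "internal5").
config system virtual-switch
    edit "internal"
        config port
            delete "internal5"
        end
    next
end

# 2. Address the new wifi interface. Device identification must be enabled
#    on the interface where the MAC addresses are learned.
config system interface
    edit "internal5"
        set ip 192.168.50.1 255.255.255.0   # constructed subnet
        set allowaccess ping
        set role lan
        set device-identification enable
    next
end

# 3. Put the wired LAN and the wifi interface in one zone and deny
#    intra-zone traffic by default, so only an explicit policy allows it.
config system zone
    edit "lan-zone"
        set intrazone deny
        set interface "internal" "internal5"
    next
end

# 4. Define the trusted wifi devices by MAC and group them.
#    (placeholder MACs; replace with the real ones)
config user device
    edit "wifi-laptop"
        set mac 00:11:22:33:44:55
    next
    edit "wifi-phone"
        set mac 00:11:22:33:44:66
    next
end
config user device-group
    edit "trusted-wifi"
        set member "wifi-laptop" "wifi-phone"
    next
end

# 5. Intra-zone policy: same zone as source and destination, matched on the
#    device group. Everything else inside the zone stays denied.
config firewall policy
    edit 0
        set name "trusted-wifi-to-lan"
        set srcintf "lan-zone"
        set dstintf "lan-zone"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set devices "trusted-wifi"
        set logtraffic all
    next
# 6. Outbound policy for the whole zone (trusted or not) to the internet.
    edit 0
        set name "lan-zone-to-internet"
        set srcintf "lan-zone"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two points worth keeping in mind when using this. First, the zone's `intrazone deny` is what makes the default "wifi cannot reach the wired LAN"; without it, members of a zone talk freely. Second, a MAC address is self-reported by the client and easily changed, so grouping by MAC separates cooperative devices rather than authenticating them; `set logtraffic all` on the intra-zone policy gives a record of which device identities are actually hitting wired hosts, which is the first thing to review if a supposedly untrusted client turns up there.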