AEK
SuperUser
November 12, 2024
Question

Allow specific intra-SSID traffic

  • November 12, 2024
  • 2 replies
  • 3181 views

Hi FGT/FAP admins

I have an SSID in tunnel mode where I enabled "block intra-SSID traffic".

Now I need to allow intra-SSID traffic only between some specific clients on some specific ports. Is there a way to do that? I mean just the same way we do with zones (deny intra-zone traffic then enable exceptions with firewall rules).

2 replies

kaurs
Staff
November 12, 2024

Hi,

In tunnel mode, the traffic is completely blocked between 2 wireless clients on the same SSID with the block intra-SSID traffic option. Since both clients are connected to the same subnet, a firewall policy may not help here, as policies are supposed to route traffic from one interface to another.

Toshi_Esumi
SuperUser
November 12, 2024

@kaurs Are WiFi SSIDs different from the SSL VPN case? With SSL VPN, you can control access between users with policies ssl.root<->ssl.root. So I thought it might be possible when you set ssid.interface<->ssid.interface policies.

Toshi

AEK (Author)
SuperUser
November 13, 2024

Yes I think it is different.

With SSL VPN the client-to-client traffic transits through the FW, while (if I'm not wrong) for SSID it seems it doesn't leave the AP.

  • VPN: client <---> FortiGate <---> client
  • SSID: client <---> AP <---> client
AEK
HarshChavda
Staff
November 12, 2024

Hello @AEK,

You can try placing the devices you want to allow communication between on separate SSIDs or VLANs and then set up the firewall policy accordingly.

AEK (Author)
SuperUser
November 13, 2024

Hello Harsh

That will work indeed, but my requirement is to do it on the same SSID.

AEK