Skip to main content
NoneEng
NoneEng
Explorer II
September 13, 2024
Solved

Communication Attempts Between WLANs and VLANs

  • September 13, 2024
  • 1 reply
  • 2003 views

Hello!

 

I have several WLANs in Tunnel traffic mode (FortiAPs) with their own DHCP configuration, using external DNS.

Additionally, I have VLANs that use our internal domain DNS/DHCP.

 

The issue is that devices on these WLANs are attempting to communicate with devices on the VLANs (and vice versa).

For example, logs related to Windows Delivery Optimization (TCP/7680) show this activity. Since there are no policies allowing communication between these networks, my logs are getting filled with 'implicit deny' entries:

fdFMQ0CUIE.png

Same thing here:

EleOqcuWS7.png

 

I could be mistaken, but since the tunnel is sending WLAN traffic directly to my Fortigate, and the only policy in place is for outbound to the WAN, devices on different networks shouldn't be able to see each other, correct?

Where might the misconfig be?

 

Thanks in advance.

Best answer by AEK

Hello

The WLAN interface is like other interface for the firewall, it means if you don't have any firewall rule allowing some traffic between the two networks then they can't see or access each other. And we can see on your logs that the firewall is blocking the traffic as expected.

In that case any attempt from a client to access the other network may have one of the following reasons:

  • Some user from WLAN knows the other network and tries to access it
  • There was some application configured to access some resource on the other network and it is still trying
  • A scan program or possibly a malicious program trying to scan the network

By monitoring the behavior you can understand which kind of case it is.

1 reply

AEK
SuperUser
AEK
SuperUser
September 13, 2024

Hello

It depends on usage and requirements.

E.g.: A guest VLAN/WLAN is not supposed to see Corp VLAN/WLAN.

But between two Corp VLANs/WLANs you may want to allow some communication between clients like file sharing and so.

AEK
NoneEng
NoneEngAuthor
Explorer II
September 13, 2024

Hey @AEK

 

I understand, but the issue is that devices from a tunnel WLAN are "seeing" devices on a corporate VLAN.
Correct me if I'm wrong:
With the WLAN set to Tunnel traffic mode, it should isolate the WLAN from other networks, shouldn't it?
However, this isn't happening as expected, as there are attempts to communicate between them, as shown in the logs above.

 

AEK
SuperUser
AEKAnswer
SuperUser
September 13, 2024

Hello

The WLAN interface is like other interface for the firewall, it means if you don't have any firewall rule allowing some traffic between the two networks then they can't see or access each other. And we can see on your logs that the firewall is blocking the traffic as expected.

In that case any attempt from a client to access the other network may have one of the following reasons:

  • Some user from WLAN knows the other network and tries to access it
  • There was some application configured to access some resource on the other network and it is still trying
  • A scan program or possibly a malicious program trying to scan the network

By monitoring the behavior you can understand which kind of case it is.

AEK
Terms & ConditionsAccessibility statement