FAP in tunnel mode added to a zone interface, no intra-zone access to other VLANs in zone
I have a "Local LAN Zone" zone that does not have block intra-zone traffic enabled. The only policy involving this zone is a basic "internet out" policy from "Local LAN Zone" to "wan1". In this zone is the VLAN.2 interface, which is assigned to all of my FSW ports and is connected to the FGT using FortiLink.
Under the default behavior on 6.0.5, all of the devices on VLAN.2 can reach (i.e. ping) devices on VLAN.2 without needing any extra policies to allow this. The "internet out" policy allows these devices to get to the internet.
I have a FAP-221E managed by the FGT and I created a tunnel mode SSID. I added this SSID interface into "Local LAN Zone" and the WiFi clients on this SSID can get to the internet, but they cannot reach (i.e. ping) any devices on VLAN.2, which is part of the same zone.
Is this expected behavior given that the tunnel mode SSID has a different network segment, or should the fact that intra-zone traffic is not blocked allow WiFi clients to reach (i.e. ping) the wired clients on VLAN.2 because they are part of the same zone?
