Fortinet Forum
nbctcp
New Contributor III

Block LAN Internet Sharing

GOALS:

1. Block users from sharing their Internet connection using another AP

 

In Mikrotik, this is done using this:

http://www.mikrotik.co.id/artikel_lihat.php?id=281

 

QUESTIONS:

1. How to achieve that in FortiGate Eval VM 6.2.3?

 

tq

3 REPLIES
Yurisk
Valued Contributor

You can use Rogue AP detection & suppression:  

https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/882431/suppressing-rogue-aps

 

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
Dave_Hall
Honored Contributor

@Nawir.

 

From the looks of it - the Mikrotik solution provided (in the link posted) basically sets the TTL hop count to 1 on downstream packets, so anything past the next downstream hop (connected client) is decremented to zero and so should drop. Unfortunately, as far as I am aware, there is nothing like that on the FortiGate side - you likely need to do rogue AP detection (and suppression) or some other solution.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

emnoc
Esteemed Contributor III

iptables had --ttl-set that did the same thing, but in FortiOS this is not an option. If the AP is doing a layer 3 SNAT, I highly doubt you can fully mitigate this, fwiw.

PCNSE 

NSE 

StrongSwan
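The TTL approach mentioned in the replies above, modelled on real IPv4 header bytes as an added example (not code from the thread, Mikrotik, or Fortinet). The function names and the addresses are constructed for illustration; the bridged case reflects general IP forwarding behaviour (a layer 2 device does not touch the IP header) and shows which downstream devices a TTL rewrite does not reach.

```python
import struct

FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 over a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def set_ttl(hdr: bytes, ttl: int) -> bytes:
    """Rewrite the TTL byte (offset 8) and recompute the checksum (offset 10)."""
    b = bytearray(hdr)
    b[8] = ttl
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", checksum(bytes(b)))
    return bytes(b)

def build_header(ttl: int, src: bytes, dst: bytes) -> bytes:
    """Minimal TCP-carrying IPv4 header with a valid checksum."""
    return set_ttl(struct.pack(FMT, 0x45, 0, 40, 0, 0, ttl, 6, 0, src, dst), ttl)

def route(hdr: bytes):
    """Layer 3 hop: decrement TTL, drop (None) when it reaches zero."""
    ttl = hdr[8] - 1
    return set_ttl(hdr, ttl) if ttl > 0 else None

def bridge(hdr: bytes):
    """Layer 2 hop: frame is forwarded, IP header is left untouched."""
    return hdr

def deliver(hdr: bytes, path) -> bool:
    """Pass the header through each hop; True if an intact packet arrives."""
    for hop in path:
        hdr = hop(hdr)
        if hdr is None:
            return False
    return checksum(hdr) == 0

# Constructed sample: a reply from the Internet arriving at the gateway,
# which forces TTL=1 on egress toward the LAN.
inbound = build_header(57, bytes([198, 51, 100, 7]), bytes([192, 168, 1, 10]))
to_lan = set_ttl(inbound, 1)

RESULTS = {
    "directly attached client": deliver(to_lan, []),
    "client behind a routing/NAT AP": deliver(to_lan, [route]),
    "client behind a bridged AP": deliver(to_lan, [bridge]),
}

if __name__ == "__main__":
    for case, ok in RESULTS.items():
        print(f"{case}: {'delivered' if ok else 'dropped'}")
```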