Allow specific intra-SSID traffic

AEK · ‎11-12-2024

Hi FGT/FAP admins

I have a SSID in tunnel mode where I enabled "block intra-SSID traffic".

Now I need to allow intra-SSID traffic only between some specific clients on some specific ports. Is there a way to do that? I mean just the same way we do with zones (deny intra-zone traffic then enable exceptions with firewall rules).

AEK

kaurs · ‎11-12-2024

Hi,

In tunnel mode, the traffic is completely blocked between 2 wireless clients on same SSID with block intra-SSID traffic option . Since both clients are connected to same subnet, firewall policy may not help here as policies are supposed to route traffic from interface to another.

Toshi_Esumi · ‎11-12-2024

@kaurs Is WiFi SSIDs different from SSL VPN case? With SSL VPN, you can control access between users with policies ssl.root<->ssl.root. So I thought it might be possible when you set ssid.interface<->ssid.interface policies.

Toshi

AEK · ‎11-13-2024

Yes I think it is different.

With SSL VPN the client-to-client traffic transit through FW, while (it I'm not wrong) for SSID it seems it doesn't leave the AP.

VPN: client <---> FortiGate <---> client
SSID: client <---> AP <---> client

AEK

Toshi_Esumi · ‎11-13-2024

With a tunnel mode, the user traffic should be tunneled to the controller FGT. Isn't that the case?

Toshi

AEK · ‎11-13-2024

Sniffing on the FG when pinging the same subnet shows nothing :(

AEK

HarshChavda · ‎11-12-2024

Hello @AEK ,

You can try place the devices you want to allow communication between on separate SSIDs or VLANs and then setup firewall policy accordingly.

AEK · ‎11-13-2024

Hello Harsh

That will work indeed, but my requirement is to do it on the same SSID.

AEK

Allow specific intra-SSID traffic

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website