Communication Attempts Between WLANs and VLANs
Hello!
I have several WLANs in Tunnel traffic mode (FortiAPs) with their own DHCP configuration, using external DNS.
Additionally, I have VLANs that use our internal domain DNS/DHCP.
The issue is that devices on these WLANs are attempting to communicate with devices on the VLANs (and vice versa).
For example, logs related to Windows Delivery Optimization (TCP/7680) show this activity. Since there are no policies allowing communication between these networks, my logs are getting filled with 'implicit deny' entries:
Same thing here:
I could be mistaken, but since the tunnel is sending WLAN traffic directly to my Fortigate, and the only policy in place is for outbound to the WAN, devices on different networks shouldn't be able to see each other, correct?
Where might the misconfig be?
Thanks in advance.
Hello
The WLAN interface is like any other interface for the firewall; it means that if you don't have any firewall rule allowing traffic between the two networks, they can't see or access each other. And we can see in your logs that the firewall is blocking the traffic as expected.
In that case any attempt from a client to access the other network may have one of the following reasons:
- Some user from WLAN knows the other network and tries to access it
- There was some application configured to access some resource on the other network and it is still trying
- A scan program or possibly a malicious program trying to scan the network
By monitoring the behavior you can understand which kind of case it is.
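One way to do that monitoring from the implicit-deny entries themselves, as an added example that is not from the thread or from Fortinet: parse FortiGate-style key=value traffic log lines, keep the flows that hit the implicit deny (action deny, policy id 0), group them per source client, and apply a simple heuristic that separates "an app looking for peers on one port" (the TCP/7680 Delivery Optimization case from the question) from "one client probing many ports on one host". The log lines, interface names and addresses are constructed for the example; the classification thresholds are assumptions to tune for your own network.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style traffic log lines (key=value format); these are
# not real logs from the thread. An implicit deny shows up as action="deny" policyid=0.
SAMPLE_LOGS = """\
date=2024-09-16 time=11:30:01 logid="0000000013" type="traffic" subtype="forward" srcip=10.50.1.21 srcport=52111 srcintf="wlan-staff" dstip=10.10.20.15 dstport=7680 dstintf="vlan20" proto=6 action="deny" policyid=0 service="tcp/7680"
date=2024-09-16 time=11:30:03 logid="0000000013" type="traffic" subtype="forward" srcip=10.50.1.21 srcport=52112 srcintf="wlan-staff" dstip=10.10.20.16 dstport=7680 dstintf="vlan20" proto=6 action="deny" policyid=0 service="tcp/7680"
date=2024-09-16 time=11:30:05 logid="0000000013" type="traffic" subtype="forward" srcip=10.50.1.77 srcport=40001 srcintf="wlan-staff" dstip=10.10.20.5 dstport=22 dstintf="vlan20" proto=6 action="deny" policyid=0 service="SSH"
date=2024-09-16 time=11:30:05 logid="0000000013" type="traffic" subtype="forward" srcip=10.50.1.77 srcport=40002 srcintf="wlan-staff" dstip=10.10.20.5 dstport=445 dstintf="vlan20" proto=6 action="deny" policyid=0 service="SMB"
date=2024-09-16 time=11:30:05 logid="0000000013" type="traffic" subtype="forward" srcip=10.50.1.77 srcport=40003 srcintf="wlan-staff" dstip=10.10.20.5 dstport=3389 dstintf="vlan20" proto=6 action="deny" policyid=0 service="RDP"
date=2024-09-16 time=11:30:09 logid="0000000013" type="traffic" subtype="forward" srcip=10.50.1.21 srcport=52120 srcintf="wlan-staff" dstip=8.8.8.8 dstport=53 dstintf="wan1" proto=17 action="accept" policyid=3 service="DNS"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def implicit_denies(text):
    """Keep only the sessions that hit the implicit deny (action=deny, policyid=0)."""
    recs = (parse_line(l) for l in text.splitlines() if l.strip())
    return [r for r in recs if r.get("action") == "deny" and r.get("policyid") == "0"]


def summarize(records):
    """Group denied flows by source client: which hosts and ports it tried, how often."""
    out = defaultdict(lambda: {"dsts": set(), "ports": set(), "count": 0})
    for r in records:
        s = out[r["srcip"]]
        s["dsts"].add(r["dstip"])
        s["ports"].add(r["dstport"])
        s["count"] += 1
    return dict(out)


def classify(entry):
    """Heuristic label for the three cases named in the reply (thresholds are assumptions).
    Only port 7680 across hosts -> Delivery Optimization looking for LAN peers.
    Several ports against a single host -> scan-like, worth a closer look on that client.
    Anything else -> a user or a configured application reaching for a known resource."""
    dsts, ports = entry["dsts"], entry["ports"]
    if ports == {"7680"}:
        return "delivery-optimization-peer-discovery"
    if len(ports) >= 3 and len(dsts) == 1:
        return "port-scan-like"
    return "user-or-app-access"
```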
Hello
It depends on usage and requirements.
E.g.: A guest VLAN/WLAN is not supposed to see Corp VLAN/WLAN.
But between two Corp VLANs/WLANs you may want to allow some communication between clients like file sharing and so.
Hey @AEK,
I understand, but the issue is that devices from a tunnel WLAN are "seeing" devices on a corporate VLAN.
Correct me if I'm wrong:
With the WLAN set to Tunnel traffic mode, it should isolate the WLAN from other networks, shouldn't it?
However, this isn't happening as expected, as there are attempts to communicate between them, as shown in the logs above.
Alright. Just needed to confirm that. Thanks @AEK!
Created on 09-16-2024 11:30 AM Edited on 09-16-2024 11:47 AM