We have a site to site VPN. We need WIFI users to be able to access that site to site VPN.
We can't find the "best practice" solution so we have come up with a few options. What is the community doing?
-Have WIFI users on Forticlient VPN direct to remote site (bit of a hassle)
-Have WIFI users VPN to the LAN and then they'll have access to site to site (still a hassle)
-We tried adding a second Phase2 for WIFI to the existing tunnel. That failed.
-Share the WIFI and LAN interfaces. That involves practically reprogramming from scratch and is not very secure. http://docs.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Wireless/wireless-bridging-WiFi-and-wired.html
-Can we place a route and policy on the WIFI interface to get that traffic to the LAN and out the site to site? We have not tried that.
Open to ideas on this one. What's working for you?
On my FWF60B at home, I WiFi into my network, and browse through to all my clients' networks without hassle. Maybe you're missing something in the configuration? As a quick trick, try NATting the WiFi traffic to a subnet that's already working.
To be precise, apply source NAT using an IP pool in the 'wlan' -> 'LAN' policy to mask the WLAN origin. This will have the added benefit that WLAN traffic will be able to open the tunnel if it was down - something you could only achieve with a second phase2 otherwise.
I think I follow. If you could provide a quick example that would be great.
If I understand, use an IP pool to mask WLAN as if it were LAN? Does that require any extra policies or static routes so the WLAN traffic will go over the LAN to the remote subnet via tunnel?
- create an IP pool with ONE unused IP address from your LAN
that is, from <IP> to <IP>
- you need a policy from WLAN to your tunnel to allow traffic from the WLAN clients into it, to access the remote LAN
- in this policy, specify NAT, 'dynamic', choose the IP pool you've just created
- if needed, add another policy from WLAN to WAN, check static NAT so outgoing traffic will be source labeled with the WAN IP which is public; no need for the IP pool here
If you want to access WLAN clients from the remote network then this will require additional effort (hint: 1:1 destination NAT of the whole address space via VIP). You need a corresponding policy of course.
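The steps above, written out as FortiOS CLI, as an added example that is not part of the original reply. Interface names (wlan, wan1), the tunnel interface name (to-branch), and all subnets and addresses are assumptions chosen for illustration; the tunnel is assumed to be a route-based (interface mode) IPsec tunnel whose phase2 selector already covers the local LAN 192.168.1.0/24, with a static route for the remote LAN pointing at the tunnel interface. The one-address IP pool 192.168.1.250 must be an address nobody on the LAN uses.

```fortios
# Added example, not from the original thread. Names and addresses are assumptions.

# 1. IP pool with ONE unused LAN address: WLAN clients will appear to the
#    tunnel (and to the remote LAN) as 192.168.1.250, which falls inside the
#    existing phase2 selector for 192.168.1.0/24.
config firewall ippool
    edit "wlan-masq"
        set type overload
        set startip 192.168.1.250
        set endip 192.168.1.250
    next
end

# Address objects for the WLAN subnet and the remote site LAN (assumed values).
config firewall address
    edit "wlan-net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "remote-lan"
        set subnet 192.168.2.0 255.255.255.0
    next
end

config firewall policy
    # 2. WLAN -> tunnel, dynamic NAT using the pool created above.
    edit 0
        set name "wlan-to-remote-site"
        set srcintf "wlan"
        set dstintf "to-branch"
        set srcaddr "wlan-net"
        set dstaddr "remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "wlan-masq"
    next
    # 3. WLAN -> WAN for Internet access: plain NAT to the wan1 address,
    #    no IP pool needed here.
    edit 0
        set name "wlan-to-internet"
        set srcintf "wlan"
        set dstintf "wan1"
        set srcaddr "wlan-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two things to check after applying this: `diagnose sniffer packet to-branch 'host 192.168.1.250'` should show WLAN-originated packets entering the tunnel with the pool address as source, and because the remote side only ever sees 192.168.1.250 it cannot tell WLAN traffic from LAN traffic, so any restriction on what WLAN clients may reach at the remote site has to be enforced in the `wlan-to-remote-site` policy itself (narrow `dstaddr`/`service`, security profiles) rather than at the far end.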