Block LAN Internet Sharing

Author
nbctcp
Silver Member
  • Total Posts : 89
  • Scores: 4
  • Reward points: 0
  • Joined: 2015/03/05 04:48:26
  • Location: Indonesia
  • Status: offline
2020/01/17 05:22:50 (permalink) 6.2
0

Block LAN Internet Sharing

GOALS:
1. Block users from sharing their Internet connection using another AP
 
In MikroTik, this is done using this:
http://www.mikrotik.co.id/artikel_lihat.php?id=281
 
QUESTIONS:
1. How to achieve that in FortiGate Eval VM 6.2.3?
 
tq
#1


    Yurisk
    Bronze Member
    • Total Posts : 22
    • Scores: 2
    • Reward points: 0
    • Joined: 2011/12/04 03:30:01
    • Status: offline
    Re: Block LAN Internet Sharing 2020/01/17 05:42:42 (permalink)
    #2
    Dave Hall
    Expert Member
    • Total Posts : 1608
    • Scores: 174
    • Reward points: 0
    • Joined: 2012/05/11 07:55:58
    • Location: Canada
    • Status: offline
    Re: Block LAN Internet Sharing 2020/01/17 10:51:00 (permalink)
    0
    @Nawir.
     
    From the looks of it, the MikroTik solution provided (in the link posted) basically sets the TTL hop count to 1 on downstream packets, so anything past the next downstream hop (connected client) is decremented to zero and so should drop.  Unfortunately, as far as I am aware, there is nothing like that on the FortiGate side; you likely need to do rogue AP detection (and suppression) or some other solution.

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #3
    emnoc
    Expert Member
    • Total Posts : 5508
    • Scores: 355
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Block LAN Internet Sharing 2020/01/17 11:47:25 (permalink)
    1 (1)
    iptables had --ttl-set that did the same thing, but in FortiOS this is not an option. If the AP is doing a layer 3 SNAT, I highly doubt you can fully mitigate this, fwiw.

    PCNSE 
    NSE 
    StrongSwan  
    #4
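
The TTL mechanism discussed in the replies above (the MikroTik rule and iptables `--ttl-set`), worked through on a constructed IPv4 header: the gateway rewrites TTL to 1 towards the LAN, a switch leaves the header alone, and a routing device behind the client port drops the packet. This is an added example, not code from the thread or from any vendor; the function names and addresses are assumptions made for illustration.

```python
import struct

def checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_ttl(header: bytes, ttl: int) -> bytes:
    """Return the header with a new TTL (byte 8) and a recomputed checksum (bytes 10-11)."""
    h = bytearray(header)
    h[8] = ttl
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h)

def build_header(src: str, dst: str, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header: no options, protocol TCP, total length 40."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl, 6, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return with_ttl(raw, ttl)

def gateway_egress(header: bytes) -> bytes:
    """What the downstream mangle rule does: force TTL to 1 on packets sent to the LAN."""
    return with_ttl(header, 1)

def l2_switch(header: bytes) -> bytes:
    """A switch forwards frames and never touches the IP header, so TTL is unchanged."""
    return header

def l3_forward(header: bytes):
    """A routing hop decrements TTL; a packet that would reach 0 is dropped (None)."""
    if checksum(header) != 0:
        return None                      # corrupt header, discard
    ttl = header[8]
    if ttl <= 1:
        return None                      # a real router would send ICMP time exceeded
    return with_ttl(header, ttl - 1)

if __name__ == "__main__":
    # Constructed sample: reply from an Internet host to a LAN client.
    pkt = gateway_egress(build_header("198.51.100.10", "192.168.88.10"))
    print("direct client sees TTL", l2_switch(pkt)[8])
    print("routing device behind the port forwards:", l3_forward(pkt) is not None)
```
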