Solved

Only Allow Access To One Site


Due to the pandemic, our District's high schools are moving to a paperless ticketing system for High School games. A 410C access point was mounted on the outside of the ticketing booth - I am trying to create a network that allows parents to connect to the internet but only allow access to ONE specific site (the ticketing site - gofan.co).

I am having some trouble accomplishing this through the IP Firewall Policies and wanted to reach out here to see if anyone had some ideas.

We currently have FortiNAC deployed which typically allows guest registration on a normal basis, but to avoid any registration issues during games when IT may not be available, I created a separate SSID for the ticketing booth with a simple PSK that parents will be able to connect to easily while in line. I have the user profile dropping clients on the same VLAN our normal guests connect to but wouldn't be opposed to creating a new VLAN for the ticketing site if that would make the desired result easier to achieve. Thanks for your time in advance and for any ideas you may share.

Matt


Best answer by Sam Pirok 3 May 2021, 22:15

Thank you for letting me know. I ran this past some XIQ technicians and they confirmed that is all we should have to do, but we would need to narrow down the IP scope the site is using to do this effectively.

They recommended using a content filter for this instead, partially due to needing the IP scope, and partially because the APs will slow down significantly if they have to do any heavy filtering, and blocking all traffic minus one site is potentially heavy filtering. I’m sorry I don’t have better news for you here, but you are setting it up correctly. 


8 replies

Userlevel 6

Hi Matt, I’d recommend creating a user profile IP firewall policy along these lines:

This is a variation of the guest internet access only default IP firewall object. The rules are applied to any traffic from the top down, so this firewall will allow DHCP traffic, allow DNS traffic, deny any internal network address request, allow access to gofan.co (13.226.93.113), and deny all other requests for traffic destinations. 

You don't have to create a new VLAN for this traffic if you don't want to; the rules will still apply to any traffic coming through that SSID, and others on the same VLAN will not be affected. Is that what you were looking for?

Hi Sam,

Thanks for the quick reply - I had created an IP Firewall Policy very similar to the one you shared; see the attached photo. The only difference is that I created a HOSTNAME object pointing to "gofan.co" and referenced that object in my FW Policy... That didn't work for me (obviously lol). When I tried to resolve the IP address of gofan.co, I only saw 54.206.XXX.XXX addresses and figured that was an AWS link and it would have the possibility of changing, so I didn't think to reference that IP. Where did you get the 13.226.93.113 address from? Thanks in advance!


Userlevel 6

I just pinged gofan.co from my AP230, but you might be able to get a better idea of the IP scope for that site from a packet capture? 

Yeah - I am getting different results here:

I can try to reference the IP address above in the firewall policy but I think the IP address will change... I am not sure how many IPs the site actually has... I don't know a way to capture them all with one object other than being able to reference the hostname / URL itself.


Userlevel 6
Badge

Hi,

You are right, the IP addresses will most likely vary from time to time and based on the region. Here in Germany I get the IP addresses 99.84.5.x

Please also note that there are several scripts that are hosted on different servers, which might or might not be needed for the functionality of the site (stripe.net, polyfill.io, bootstrapcdn.com, api.gofan.co, stripe.com and so on...).

But regarding your problem I can't really help you. Which error message do you receive in the browser? Are you able to resolve the hostname? Can you ping it?

Best regards
Stefan

Sam and Stefan,

Thank you for your responses - I feared it would be more difficult to accomplish than it sounds. I had tried to adjust the IP Firewall Policy to include four IP objects, one pointing to each of the sites that Gofan.co resolved to for me, but that didn't work well either. I AM able to ping the site from command prompt with no issues but browsing to the site is a whole other issue. The page eventually loads, partially, but it is very slow. To your point Stefan, there are many other components tied to the website and allowing just one IP is definitely limiting the connection needed for everything to load.

We incorporate Lightspeed content filtering here at our district so I might have to explore how to leverage that into this project.
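Sam's top-down rule list and the later point from Stefan and Matt that the page pulls from several hosts whose addresses change, modelled as an added Python example (not code from this thread or from ExtremeCloud IQ): a first-match policy evaluator built from the rule order Sam describes, plus a check of which resolved dependency addresses that policy would drop. Only 13.226.93.113 and the hostnames come from the thread; every other address is a constructed sample from RFC 5737 documentation ranges.

```python
import ipaddress

# Ordered policy modelled on the "guest internet access only" variation
# described in the thread: evaluated top-down, first match wins.
# 13.226.93.113 is the address quoted in the thread; the rest is constructed.
RULES = [
    ("allow", "0.0.0.0/0",        {67, 68}),  # DHCP
    ("allow", "0.0.0.0/0",        {53}),      # DNS
    ("deny",  "10.0.0.0/8",       None),      # internal networks (RFC 1918)
    ("deny",  "172.16.0.0/12",    None),
    ("deny",  "192.168.0.0/16",   None),
    ("allow", "13.226.93.113/32", None),      # gofan.co, one resolved address
    ("deny",  "0.0.0.0/0",        None),      # everything else
]

def evaluate(dst_ip, dst_port):
    """Action of the first rule whose network and port set both match."""
    addr = ipaddress.ip_address(dst_ip)
    for action, net, ports in RULES:
        if addr in ipaddress.ip_network(net) and (ports is None or dst_port in ports):
            return action
    return "deny"  # unreachable with a catch-all rule, kept as a safe default

# Constructed sample resolutions (RFC 5737 documentation ranges) for the hosts
# Stefan names as part of the page load. gofan.co stands in for a CDN-fronted
# name that answers with different addresses per region and per query.
PAGE_DEPENDENCIES = {
    "gofan.co":         ["13.226.93.113", "198.51.100.7", "203.0.113.40"],
    "api.gofan.co":     ["198.51.100.21"],
    "stripe.com":       ["203.0.113.5"],
    "stripe.net":       ["203.0.113.6"],
    "polyfill.io":      ["198.51.100.30"],
    "bootstrapcdn.com": ["203.0.113.77"],
}

def blocked_dependencies(policy, deps, port=443):
    """For each host, list the resolved addresses the policy would drop."""
    result = {}
    for host, ips in deps.items():
        denied = [ip for ip in ips if policy(ip, port) == "deny"]
        if denied:
            result[host] = denied
    return result

if __name__ == "__main__":
    print(evaluate("13.226.93.113", 443))  # allow: the single listed address
    print(evaluate("192.168.1.10", 53))    # allow: DNS rule precedes the internal deny
    for host, ips in blocked_dependencies(evaluate, PAGE_DEPENDENCIES).items():
        print(f"{host}: blocked {ips}")
```

Note that because the DNS rule sits above the internal-network deny, a client can still reach an internal resolver on port 53; moving the deny above it would break name resolution for guests, which is the kind of ordering effect the top-down evaluation makes visible.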


Userlevel 3

Would there be any advantage to attempting this with a CWP with walled garden, or is that effectively doing the same thing?
