05-03-2021 06:49 PM
Due to the pandemic, our District’s high schools are moving to a paperless ticketing system for High School games. A 410C access point was mounted on the outside of the ticketing booth - I am trying to create a network that allows parents to connect to the internet but only allow access to ONE specific site (the ticketing site - gofan.co).
I am having some trouble accomplishing this through the IP Firewall Policies and wanted to reach out here to see if anyone had some ideas.
We currently have FortiNAC deployed which typically allows guest registration on a normal basis, but to avoid any registration issues during games when IT may not be available, I created a separate SSID for the ticketing booth with a simple PSK that parents will be able to connect to easily while in line. I have the user profile dropping clients on the same VLAN our normal guests connect to but wouldn’t be opposed to creating a new VLAN for the ticketing site if that would make the desired result easier to achieve. Thanks for your time in advance and for any ideas you may share.
Matt
05-03-2021 08:15 PM
Thank you for letting me know. I ran this past some XIQ technicians and they confirmed that is all we should have to do, but we would need to narrow down the IP scope the site is using to do this effectively.
They recommended using a content filter for this instead, partially due to needing the IP scope, and partially because the APs will slow down significantly if they have to do any heavy filtering, and blocking all traffic minus one site is potentially heavy filtering. I’m sorry I don’t have better news for you here, but you are setting it up correctly.
05-06-2021 05:44 PM
Would there be any advantage to attempting this with a CWP with walled garden, or is that effectively doing the same thing?
05-04-2021 11:47 AM
Sam and Stefan,
Thank you for your responses - I feared it would be more difficult to accomplish than it sounds. I had tried to adjust the IP Firewall Policy to include four IP objects, one pointing to each of the sites that Gofan.co resolved to for me, but that didn’t work well either. I AM able to ping the site from command prompt with no issues but browsing to the site is a whole other issue. The page eventually loads, partially, but it is very slow. To your point Stefan, there are many other components tied to the website and allowing just one IP is definitely limiting the connection needed for everything to load.
We incorporate Lightspeed content filtering here at our district so I might have to explore how to leverage that into this project.
05-03-2021 08:19 PM
Hi,
You are right, the IP addresses will most likely vary from time to time and based on the region. Here in Germany I get the IP addresses 99.84.5.x
Please also note that there are several scripts that are hosted on different servers, which might or might not be needed for the functionality of the site. (stripe.net, polyfill.io, bootstrapcdn.com, api.gofan.co, stripe.com and so on...)
But regarding your problem I can’t really help you. Which error message do you receive in the browser? Are you able to resolve the hostname? Can you ping it?
Best regards
Stefan
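Added example, not part of the original thread: a hostname allowlist check of the kind a content filter or walled garden applies, shown because the posts above note that the site's IP addresses vary and that it pulls scripts from other hosts. The domain list and sample hostnames are constructed from the names mentioned in the post above and are not a verified dependency list for gofan.co.

```python
# Added example: hostname allowlist check with label-boundary suffix matching.
# ALLOWED_DOMAINS and OBSERVED_HOSTS are constructed from hostnames named in
# the thread; they are assumptions, not a verified dependency list.

ALLOWED_DOMAINS = {"gofan.co", "stripe.com", "stripe.net", "bootstrapcdn.com"}

# Constructed sample of hosts a browser might request while loading the page.
OBSERVED_HOSTS = [
    "gofan.co",
    "api.gofan.co",
    "js.stripe.com",
    "cdn.polyfill.io",        # named in the thread but not on the allowlist
    "notgofan.co",            # shares a string suffix, different domain
    "gofan.co.example.net",   # allowed name used as a prefix only
    "API.GoFan.co.",          # mixed case with trailing root dot
]


def normalize(host):
    """Lowercase and drop the trailing root dot so comparisons are stable."""
    return host.strip().lower().rstrip(".")


def is_allowed(host, allowed=ALLOWED_DOMAINS):
    """True if host equals an allowed domain or is a subdomain of one.

    Matching is done on whole DNS labels, so 'notgofan.co' and
    'gofan.co.example.net' do not match 'gofan.co'.
    """
    labels = normalize(host).split(".")
    # Test every suffix built from whole labels: a.b.c -> a.b.c, b.c, c
    return any(".".join(labels[i:]) in allowed for i in range(len(labels)))


def classify(hosts, allowed=ALLOWED_DOMAINS):
    """Split hosts into (permitted, blocked) lists, preserving input order."""
    permitted = [h for h in hosts if is_allowed(h, allowed)]
    blocked = [h for h in hosts if not is_allowed(h, allowed)]
    return permitted, blocked


if __name__ == "__main__":
    ok, denied = classify(OBSERVED_HOSTS)
    print("permitted:", ok)
    print("blocked:  ", denied)
```

The blocked list is the useful output when building such a policy: it surfaces both look-alike names that must stay blocked and dependencies that still need a decision.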