Bypass NAT for a certain user...

Sorry if I posted this in the wrong area.

My company has a Wi-Fi hotspot service that is hosted via MikroTik. The MikroTik router is behind a Fortigate firewall which restricts access to certain websites like YouTube.
I didn't set it up initially, but now I have to make an exemption for one single user to connect to the internet directly without the use of the hotspot service and without any firewall restriction.

Somehow I managed to do the first step, which is binding the IP of that user with a "bypassing" rule under the hotspot settings. Now he can connect to the internet directly, but with restrictions under the Fortigate firewall.

When I checked the firewall I found out it cannot identify single users in the Wi-Fi network, as MikroTik uses "Masquerade", which hides their IPs behind the common IP of the MikroTik router. So I'm unable to make an exemption rule for this specific user.

My question is: how do I let this user bypass Masquerade, so the Fortigate will see his IP/MAC?

Fortigate IP - 192.168.2.1
MikroTik - 192.168.2.11
MikroTik Wi-Fi hotspot - 10.5.50.0/24
User IP - 10.5.50.55

Please help, Thanks

Nobody? :frowning: :frowning:

In the Firewall NAT rules, create an accept rule in the srcnat chain for his specific IP and place it above the masquerade rule for the rest of the network. That specific IP will then be exempt from NAT.

The Fortigate will, however, need a route so it knows how to get back to the private IP subnet, otherwise communication will not work properly. You can also turn off NAT for the entire network if desired; once again, the Fortigate would just need to have a route for your private LAN's subnet pointed to the WAN of the MikroTik. That way the Fortigate would see individual IP addresses.

Thanks for the reply. I did as you said, but the Fortigate still cannot ping my client behind the MikroTik. I guess it's because of the route issue you mentioned.


I cannot simply turn off NAT. How do I configure a route as you said? Should it be done from the Fortigate side?

Thanks

You need to log into the Fortigate and go to the routing section. There you specify the destination address as the LAN subnet of the MikroTik LAN, and the gateway as the WAN IP address of the MikroTik.
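The two steps described in this thread (the srcnat accept rule on the MikroTik and the return route on the Fortigate), written out as an added configuration example. This is not configuration posted by anyone in the thread; it uses the addresses given above and assumes the RouterOS and FortiOS CLI syntax shown. The Fortigate interface name "internal" and the position of the masquerade rule are placeholders you have to adjust.

```text
# --- MikroTik RouterOS (assumed CLI syntax; run from the router terminal) ---
# Accept rule in srcnat for the exempt host, placed above the masquerade rule
# so the packet leaves the srcnat chain before masquerade can rewrite it.
# place-before=0 assumes the masquerade rule is item 0 in "/ip firewall nat print";
# adjust it to the actual item number on your router.
/ip firewall nat add chain=srcnat src-address=10.5.50.55 action=accept place-before=0 comment="exempt 10.5.50.55 from masquerade so the Fortigate sees its real source IP"

# Verify that the accept rule now sits above the masquerade rule
/ip firewall nat print

# --- Fortigate FortiOS (assumed CLI syntax) ---
# Static route for the hotspot LAN pointing at the MikroTik's WAN address,
# so replies to 10.5.50.55 are sent back through the MikroTik instead of
# being dropped as an unknown destination. "internal" is a placeholder for
# the Fortigate interface that faces 192.168.2.0/24.
config router static
    edit 0
        set dst 10.5.50.0 255.255.255.0
        set gateway 192.168.2.11
        set device "internal"
        set comment "return route to MikroTik hotspot LAN"
    next
end

# Quick checks from the Fortigate CLI (assumed commands)
get router info routing-table static
execute ping 10.5.50.55
```

With the route in place the Fortigate sees 10.5.50.55 as the source address of that user's traffic, which is what makes a per-user exemption in the Fortigate's own policies possible; that Fortigate policy is outside the scope of this thread and is not shown here. Keep the srcnat exemption limited to the single host address so the rest of the hotspot network stays masqueraded as before.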