Created on 10-28-2011 06:29 AM Edited on 05-26-2022 11:50 AM By Anonymous
Description
This article explains how wireless and wired clients can share the same internal subnet that is configured on the physical internal interface of the FortiGate.
Scope
FortiOS v4.0 MR3 and above.
FortiAP v4.0 MR3 and above.
Solution
Network diagram:
- The FortiGate internal interface has the address 10.10.10.200 within the 10.10.10.0/24 subnet.
- The FortiGate has a VAP interface for the wireless network, configured with an SSID and a DHCP server.
- The FortiGate DHCP server range is 10.10.10.210 to 10.10.10.250.
- The FortiAP has an interface with the address 10.10.10.100 within the 10.10.10.0/24 subnet.
The WiFi clients detect the FortiAP and obtain an IP address from the DHCP server to join the network.
With the configuration below, the WLAN users cannot reach the wired network:
Configuration
Interfaces:
config wireless-controller vap
    edit "Test"
        set vdom "root"
        set ssid "test_123"
        set passphrase ENC zunZccv9+CRCDDKhFGEER3oYtoiBywECwFK3uRny8v0R9QwbAbpyg9uvbFpr7mJe2wLDv1dK2WopA4NnEuvdN4sV95qIoT1PxMuQEK8veY6u83ca
    next
end
config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.50 255.255.255.0
        set allowaccess ping https ssh fgfm
        set type physical
        set alias "Internal LAN"
    next
    edit "wan1"
        set vdom "root"
        set ip 192.168.182.208 255.255.254.0
        set allowaccess ping https ssh fgfm
        set type physical
    next
    edit "Test"
        set vdom "root"
        set ip 10.10.10.200 255.255.255.0
        set allowaccess https ssh
        set type vap-switch
    next
end
DHCP Server:
config system dhcp server
    edit 2
        set default-gateway 10.10.10.200
        set interface "Test"
        config ip-range
            edit 1
                set end-ip 10.10.10.250
                set start-ip 10.10.10.210
            next
        end
        set netmask 255.255.255.0
        set dns-server1 192.168.183.1
    next
end
Firewall Addresses:
config firewall address
    edit "WiFi Users"
        set associated-interface "Test"
        set type iprange
        set end-ip 10.10.10.250
        set start-ip 10.10.10.210
    next
end
Firewall Policies:
config firewall policy
    edit 2
        set srcintf "Test"
        set dstintf "wan1"
        set srcaddr "WiFi Users"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set nat enable
    next
    edit 4
        set srcintf "dmz"
        set dstintf "Test"
        set srcaddr "all"
        set dstaddr "WiFi Users"
        set action accept
        set schedule "always"
        set service "ANY"
        set logtraffic enable
    next
    edit 6
        set srcintf "Test"
        set dstintf "dmz"
        set srcaddr "WiFi Users"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
FortiAP Configuration:
FAP22B3U10002563 # cfg -e
export AP_IPADDR="10.10.10.100"
export AP_NETMASK="255.255.255.0"
export IPGW="10.10.10.200"
export ADDR_MODE=STATIC
export TELNET_ALLOW=0
export AC_DISCOVERY_TYPE=0
export AC_IPADDR_1="10.10.10.200"
export AC_CTL_PORT=5246
export AC_DISCOVERY_MC_ADDR="224.0.1.140"
export AC_DISCOVERY_DHCP_OPTION_CODE=138
export COUNTRY_STR=FR
FAP22B3U10002563 #
Solution
WiFi users cannot reach the wired network because the wireless VAP interface "Test" and the wired interface are both configured in the same 10.10.10.0/24 subnet, and FortiOS only permits this when subnet overlap is explicitly allowed. Enable it in "config system settings":
config system settings
set allow-subnet-overlap enable
end
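As an added example (not code from the article or from Fortinet), the following Python script parses a FortiOS CLI dump in the layout shown above, computes the subnet of every interface that has an address, reports interface pairs whose subnets overlap, and flags the configuration when `allow-subnet-overlap` is still disabled. The sample config is constructed from the interface addresses in this article; the parser only understands the two-level `config`/`edit`/`set`/`next`/`end` layout and skips nested sub-tables such as `config ip-range`.

```python
import ipaddress
from itertools import combinations

# Constructed sample: the interface section from the article plus a
# "system settings" block with allow-subnet-overlap at the FortiOS default
# (disabled), so the check below reports the problem the article describes.
SAMPLE_CONFIG = """\
config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.50 255.255.255.0
        set type physical
    next
    edit "wan1"
        set vdom "root"
        set ip 192.168.182.208 255.255.254.0
        set type physical
    next
    edit "Test"
        set vdom "root"
        set ip 10.10.10.200 255.255.255.0
        set type vap-switch
    next
end
config system settings
    set allow-subnet-overlap disable
end
"""


def parse_config(text):
    """Turn a FortiOS CLI dump into
    {"system interface": {"edits": {name: {key: [values]}}, "global": {key: [values]}}, ...}.
    Only top-level 'config' tables are recorded; 'set' lines inside nested
    sub-tables (e.g. 'config ip-range' under a DHCP server) are ignored."""
    sections = {}
    stack = []          # names of the currently open 'config' blocks
    current_edit = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append(" ".join(tokens[1:]))
            if len(stack) == 1:
                sections.setdefault(stack[0], {"edits": {}, "global": {}})
        elif kw == "end":
            stack.pop()
            if not stack:
                current_edit = None
        elif len(stack) != 1:
            continue    # inside a nested sub-table: skip
        elif kw == "edit":
            current_edit = tokens[1].strip('"')
            sections[stack[0]]["edits"][current_edit] = {}
        elif kw == "next":
            current_edit = None
        elif kw == "set":
            section = sections[stack[0]]
            target = section["edits"][current_edit] if current_edit else section["global"]
            target[tokens[1]] = tokens[2:]
    return sections


def interface_networks(sections):
    """Map each addressed interface to its IPv4 network (e.g. 10.10.10.0/24)."""
    nets = {}
    edits = sections.get("system interface", {"edits": {}})["edits"]
    for name, attrs in edits.items():
        ip = attrs.get("ip")
        if not ip or ip[0] == "0.0.0.0":
            continue    # unaddressed interface
        addr, mask = ip[0], ip[1]
        nets[name] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return nets


def overlapping_interfaces(nets):
    """Return sorted interface-name pairs whose subnets overlap."""
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def check_subnet_overlap(text):
    """Report overlapping interface subnets and whether the config still needs
    'set allow-subnet-overlap enable' (assumed disabled when the key is absent)."""
    sections = parse_config(text)
    pairs = overlapping_interfaces(interface_networks(sections))
    settings = sections.get("system settings", {"global": {}})["global"]
    allowed = settings.get("allow-subnet-overlap", ["disable"])[0] == "enable"
    return {"overlaps": pairs, "allow_subnet_overlap": allowed,
            "needs_fix": bool(pairs) and not allowed}


if __name__ == "__main__":
    result = check_subnet_overlap(SAMPLE_CONFIG)
    for a, b in result["overlaps"]:
        print(f"interfaces {a!r} and {b!r} share a subnet")
    if result["needs_fix"]:
        print("allow-subnet-overlap is disabled: enable it under 'config system settings'")
```

Run it against a saved `show full-configuration` dump to see which interface pairs overlap before deciding whether allowing the overlap is the intended design, as it is here, or a mistake in an interface address.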