FortiAP
FortiAP devices are thin wireless access points (APs) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4) as well as 802.11n and 802.11ax, and the demand for plug-and-play deployment.
Jonathan_Body_FTNT
Article Id 194785

Description

This article explains how wireless and wired clients overlap on the same internal subnet configured on the physical internal interface of the FortiGate.


Scope
FortiOS v4.0 MR3 and above.
FortiAP v4.0 MR3 and above.


Solution

Network diagram:



- The FortiGate internal interface has the address 10.10.10.200, within the 10.10.10.0/24 subnet.
- The FortiGate has a VAP interface for the wireless network, configured with an SSID and a DHCP server.
- The FortiGate DHCP server range is 10.10.10.210 to 10.10.10.250.
- The FortiAP has an interface with the address 10.10.10.100, within the 10.10.10.0/24 subnet.

The WiFi clients associate with the FortiAP and obtain an IP address from the DHCP server to connect to the network.

The WLAN users cannot reach the wired network with the configuration below:

Configuration

Interfaces:
config wireless-controller vap
   edit "Test"
      set vdom "root"
      set ssid "test_123"
      set passphrase ENC zunZccv9+CRCDDKhFGEER3oYtoiBywECwFK3uRny8v0R9QwbAbpyg9uvbFpr7mJe2wLDv1dK2WopA4NnEuvdN4sV95qIoT1PxMuQEK8veY6u83ca
   next
end

config system interface
   edit "dmz"
      set vdom "root"
      set ip 10.10.10.50 255.255.255.0
      set allowaccess ping https ssh fgfm
      set type physical
      set alias "Internal LAN"
   next
   edit "wan1"
      set vdom "root"
      set ip 192.168.182.208 255.255.254.0
      set allowaccess ping https ssh fgfm
      set type physical
   next
   edit "Test"
      set vdom "root"
      set ip 10.10.10.200 255.255.255.0
      set allowaccess https ssh
      set type vap-switch
   next
end
DHCP Server:
config system dhcp server
   edit 2
      set default-gateway 10.10.10.200
      set interface "Test"
      config ip-range
         edit 1
            set end-ip 10.10.10.250
            set start-ip 10.10.10.210
         next
      end
      set netmask 255.255.255.0
      set dns-server1 192.168.183.1
   next
end
Firewall Addresses:
config firewall address
   edit "WiFi Users"
      set associated-interface "Test"
      set type iprange
      set end-ip 10.10.10.250
      set start-ip 10.10.10.210
   next
end
Firewall Policies:
config firewall policy
   edit 2
      set srcintf "Test"
      set dstintf "wan1"
      set srcaddr "WiFi Users" 
      set dstaddr "all" 
      set action accept
      set schedule "always"
      set service "ANY" 
      set logtraffic enable
      set nat enable
   next
   edit 4
      set srcintf "dmz"
      set dstintf "Test"
      set srcaddr "all" 
      set dstaddr "WiFi Users" 
      set action accept
      set schedule "always"
      set service "ANY" 
      set logtraffic enable
   next
   edit 6
      set srcintf "Test"
      set dstintf "dmz"
      set srcaddr "WiFi Users" 
      set dstaddr "all" 
      set action accept
      set schedule "always"
      set service "ANY"
   next
end
FortiAP Configuration:
FAP22B3U10002563 # cfg -e
export AP_IPADDR="10.10.10.100"
export AP_NETMASK="255.255.255.0"
export IPGW="10.10.10.200"
export ADDR_MODE=STATIC
export TELNET_ALLOW=0
export AC_DISCOVERY_TYPE=0
export AC_IPADDR_1="10.10.10.200"
export AC_CTL_PORT=5246
export AC_DISCOVERY_MC_ADDR="224.0.1.140"
export AC_DISCOVERY_DHCP_OPTION_CODE=138
export COUNTRY_STR=FR
FAP22B3U10002563 #
Solution

WiFi users cannot reach the wired network because, by default, the FortiGate does not allow two interfaces ("Test" and "dmz" here) to be configured with overlapping subnets. Enable the following setting in "config system settings":
config system settings
   set allow-subnet-overlap enable
end
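As an added audit check (not part of this article or of FortiOS), the following Python parses "config system interface" and "config system settings" blocks in the CLI format shown above, reports interface pairs whose subnets overlap, and says whether allow-subnet-overlap is enabled. The sample configuration is constructed from the article's own addresses.

```python
import ipaddress

# Constructed sample from this article's interface and settings blocks.
SAMPLE_CONFIG = """\
config system interface
   edit "dmz"
      set ip 10.10.10.50 255.255.255.0
   next
   edit "wan1"
      set ip 192.168.182.208 255.255.254.0
   next
   edit "Test"
      set ip 10.10.10.200 255.255.255.0
   next
end
config system settings
   set allow-subnet-overlap enable
end
"""

def parse_sections(text):
    """Parse 'config ... end' tables into {table: {entry: {key: value}}}; keys set directly under a table go under entry ''; nested sub-tables are skipped."""
    sections, table, entry, depth = {}, None, "", 0
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                table, entry = line[7:], ""
                sections.setdefault(table, {})
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = line[5:].strip('"')
        elif depth == 1 and line == "next":
            entry = ""
        elif depth == 1 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            sections[table].setdefault(entry, {})[key] = value
    return sections

def overlapping_interfaces(sections):
    """Sorted (a, b) pairs of interfaces whose 'set ip <addr> <mask>' subnets overlap."""
    nets = {n: ipaddress.ip_interface("/".join(k["ip"].split())).network
            for n, k in sections.get("system interface", {}).items() if n and "ip" in k}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def subnet_overlap_allowed(sections):
    # True only when 'config system settings' carries 'set allow-subnet-overlap enable'
    return sections.get("system settings", {}).get("", {}).get("allow-subnet-overlap") == "enable"
```

Run against a full "show" output, an overlapping pair reported while subnet_overlap_allowed() is False is exactly the condition this article describes.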