Created on 10-19-2022 10:32 AM Edited on 10-19-2022 10:34 AM
Description
This article describes how FortiAP can be configured and managed remotely (Remote AP Management). The following experiment is performed in order to demonstrate traffic flow behavior in tunnel and bridge mode of the remotely managed AP.
Scope
FortiAP and FortiGate 5.x, 6.x and 7.x.
Solution
The following is a step-by-step guide providing details on configuring remote AP and understanding its traffic flow.
Here, FortiAP is connected to the internal1 interface of the Branch FortiGate, on the 192.168.1.0/24 network.
In the following experiment, the HQ FortiGate wireless controller is reachable only through the L2 VPN. A directly, publicly reachable controller IP can also be used in the WTP Configuration section, and the IPsec VPN option can be enabled afterward (latest FortiAP series).
To discover and manage FortiAP remotely from the HQ FortiGate wireless controller, a VPN connection is established between the head office FortiGate and the branch office FortiGate.
To establish the VPN, the peer IP is configured in the network section, and the encryption and hash algorithms are matched on both sides.
Since all traffic, including internet traffic, is expected to flow through the HQ FortiGate, the default route 0.0.0.0/0 is set to the VPN interface.
FortiAP is connected to the internal1 interface, so a policy from internal1 to the VPN interface is configured. This allows FortiAP traffic to reach the HQ FortiGate wireless controller.
The peer IP is configured in the network section, and all encryption and hash settings are matched.
In order for the HQ FortiGate wireless controller to bring the VPN up and bring FortiAP online, it must have a reachable route to the remote AP. Since FortiAP is connected to the 192.168.1.0/24 network, a static route with the remote destination 192.168.1.0/24 is configured.
Note: The AP-connected subnet must not be present on a 'directly connected' interface of the FortiGate wireless controller. For example, the subnet the AP uses behind the branch FortiGate (e.g. 192.168.X.X) must not exist on any HQ FortiGate interface. If it does, the directly connected route takes precedence and the VPN interface is unable to reach the remote AP network.
Overlapping subnets can be worked around with VRFs, but this is usually not recommended, because it makes routing more complex and a proper strategy is needed to maintain overlapping subnets and VRFs. Here is the provided link.
After that, a policy to the FortiGate wireless controller IP is configured so that FortiAP can be discovered and managed by the HQ FortiGate.
Note: Security Fabric Connection access (which carries CAPWAP on current FortiOS versions) must be enabled on the VPN interface and on the DMZ interface where the controller IP is configured.
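The HQ-side pieces described above (site-to-site VPN, static route to the AP subnet, Security Fabric access for CAPWAP, policy towards the controller interface) as one CLI example. This is an added illustration, not the article's own configuration: the tunnel name "to-Branch", the branch public IP 203.0.113.2, the "dmz" interface name and the pre-shared key placeholder are assumptions; the branch side mirrors it with a 0.0.0.0/0 route to the tunnel and an internal1-to-tunnel policy.

```fortios
# HQ FortiGate (wireless controller). Constructed example values:
# branch peer 203.0.113.2 (placeholder), tunnel interface "to-Branch".
config vpn ipsec phase1-interface
    edit "to-Branch"
        set interface "wan1"
        set remote-gw 203.0.113.2
        set proposal aes256-sha256
        set psksecret <PRE-SHARED-KEY>
    next
end
config vpn ipsec phase2-interface
    edit "to-Branch"
        set phase1name "to-Branch"
        set proposal aes256-sha256
    next
end
# Route to the AP-connected subnet through the tunnel. 192.168.1.0/24 must not
# also be configured on a directly connected HQ interface, or this route loses.
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "to-Branch"
    next
end
# CAPWAP discovery from the AP needs Security Fabric Connection access on the
# interface the discovery packets arrive on (and on the DMZ controller interface).
config system interface
    edit "to-Branch"
        set allowaccess ping fabric
    next
end
# Policy letting the AP subnet reach the controller interface ("dmz" assumed).
config firewall policy
    edit 0
        set name "AP-to-Controller"
        set srcintf "to-Branch"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```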
Next, tunnel mode and bridge mode SSIDs are configured, and the traffic flow in each mode is demonstrated.
a) Tunnel Mode
A tunnel mode SSID interface is created; the Test-WiFi SSID uses the 50.50.50.50/24 subnet for DHCP leases.
The SSID is then assigned to the profile and broadcast by the AP.
A policy to the wan1 interface is configured so that wireless users can access the internet.
To reach the branch network (192.168.2.0/24), a static route is set on the HQ FortiGate wireless controller.
Here, the internet interface wan1 (172.x.x.x) is NATed on the ISP end.
After the static route, a policy is configured to pass traffic from the tunnel mode SSID interface to the VPN interface.
On the Branch FortiGate, a policy from the controller to the destination network is created, i.e. VPN to internal2.
Below is the understanding of tunnel mode traffic flow.
- The user's data frame is transmitted to AP.
- AP checks the configured traffic mode (here, tunnel mode), so it encapsulates the frames and transmits them to the wireless controller through the VPN interface.
- The wireless controller then de-encapsulates and inspects the frame, applying any action configured for DSCP/WMM tags.
- It then forwards the traffic to the configured destination through the VPN interface, back to the branch network.
IP configuration of wireless users in tunnel mode.
Internet access for wireless users.
The wireless user can now reach the branch's desired network.
On the HQ FortiGate wireless controller, the packet sniffer shows that the user traffic enters the controller and hairpins back to the branch network through the same link (the VPN interface).
On the Branch FortiGate, traffic reaches the AP, passes through the tunnel mode interface to the VPN, and reaches the desired network.
The wireless users' traffic hairpins back to the branch and crosses the same link multiple times, which consumes more bandwidth. On a low-speed WAN link, such as an AP located in a branch office connected using an ADSL line, having traffic cross the link multiple times unnecessarily reduces bandwidth and performance.
Bridging frames locally at the AP, however, lets frames destined for local resources stay local instead of needlessly crossing the WAN link inside a tunnel.
b) Bridge Mode
Bridge Mode SSID is configured in the HQ FortiGate wireless controller.
Bridge Mode SSID is then assigned to the profile and attached to managed remote AP.
The AP-connected interface, internal1, is then made a DHCP server to lease IPs to the wireless clients.
On the Branch FortiGate, since the AP is used in bridge mode, the same internal1 to VPN interface policy remains.
On the HQ FortiGate wireless controller, a policy from VPN to the internet-facing interface (wan1) is configured for internet connectivity. Wireless users are able to authenticate and access the internet successfully.
Since the AP bridges locally, the AP-connected interface is used as the source interface and internal2 as the destination interface in the policy that reaches the desired network.
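The tunnel mode SSID from section a) and the bridge mode SSID from section b) side by side on the HQ wireless controller, showing why the client subnet and client policies exist only in tunnel mode. This is an added example, not the article's own configuration: the second SSID name "Test-WiFi-Bridge", the tunnel interface name "to-Branch" and the passphrase placeholder are assumptions, and the DHCP server on the Test-WiFi interface is left out for brevity.

```fortios
# HQ FortiGate wireless controller. Constructed example values.
# Tunnel-mode SSID: client frames are CAPWAP-tunnelled to the controller, so the
# controller owns the client subnet (50.50.50.0/24) and the client-facing policies.
config wireless-controller vap
    edit "Test-WiFi"
        set ssid "Test-WiFi"
        set local-bridging disable
        set security wpa2-only-personal
        set passphrase <WIFI-PASSPHRASE>
    next
end
config system interface
    edit "Test-WiFi"
        set ip 50.50.50.50 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "WiFi-to-Branch"
        set srcintf "Test-WiFi"
        set dstintf "to-Branch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "WiFi-to-Internet"
        set srcintf "Test-WiFi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Bridge-mode SSID: the only SSID-level difference is local-bridging. The AP puts
# client frames onto its own port (branch internal1), so the controller needs no
# client subnet or client policies; the branch FortiGate handles both.
config wireless-controller vap
    edit "Test-WiFi-Bridge"
        set ssid "Test-WiFi-Bridge"
        set local-bridging enable
        set security wpa2-only-personal
        set passphrase <WIFI-PASSPHRASE>
    next
end
```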
Below is the understanding of bridge mode traffic flow.
- The user's data frame is transmitted to AP.
- AP checks the configured traffic mode (here, bridge mode) and sends the traffic out its connected interface, i.e. internal1.
- The data frame is then forwarded to the destination interface.
IP configuration of wireless users in bridge mode.
Internet access for wireless users.
The wireless user can now reach the branch's desired network.
On the HQ FortiGate wireless controller, the packet sniffer shows that no packet traverses the controller.
On the Branch FortiGate, traffic reaches the AP, passes through the connected interface internal1, and reaches the desired network.
In a bridge mode SSID, wireless traffic is bridged directly onto the local LAN that the AP is connected to, so wired and wireless users share the same network. This mode is useful when deploying an AP at a remote location that connects to a wireless controller over a WAN link.
Copyright 2025 Fortinet, Inc. All Rights Reserved.