FortiAP
FortiAP devices are thin wireless access points (APs) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n and 802.11ax, and they meet the demand for plug-and-play deployment.
gtapia_FTNT, Staff
Description

This article describes a deployment in which FortiGate, as the main gateway, normally delivers dynamic IP addressing to all users who need access to network services, and what changes when network requirements and capabilities call for a different design.

Wireless solutions for IoT and BYOD

FortiGate works as a wireless controller managing several FortiAPs and as the DHCP server for end users. However, when a centralised DHCP service is located remotely, configuration changes are needed on the FortiSwitches (or 3rd-party switches) so that DHCP assignments can reach the clients served by the FortiAPs.




Scope

All FortiGate units function as a Wireless Controller.


Solution
1. Using an internal software switch, port internal1 is connected to the FortiSwitch.



2. Go to the port, set it to “Dedicated to FortiSwitch”, and configure any desired IP address to manage the switches.


3. Once a dedicated FortiLink is configured, FortiGate can discover a FortiSwitch (if it is connected to the default FortiLink port on the FortiSwitch side).


4. Create VLAN interfaces on FortiGate to bind them to the FortiSwitch and carry each DHCP server's traffic. They will be VLAN 10 and VLAN 20.


After the VLANs are created, the VLAN interfaces over the internal1 port appear as follows:



5. FortiAPs need to be connected to the FortiSwitch, or to FortiGate on the native VLAN, so that they can reach the FortiGate controller over the CAPWAP protocol. This interface is created automatically and is named “vsw.internal1”; set an IP address segment on it so the FortiAPs can be reached over CAPWAP.



Note: Enable administrative access (HTTP(S), PING, SSH) on the interface to allow troubleshooting of the FortiAPs. It is important to enable CAPWAP so the FortiAPs can register and receive their configuration.

6. FortiGate can then reach the FortiAPs over the vsw.internal1 interface. Make sure to authorize them so they start working.

7. Attach the VLANs to the FortiSwitch. Go to “WiFi & Switch Controller” > “FortiSwitch Ports” and allow the VLANs on the ports that connect to the FortiAPs.

8. Configure an SSID for each service VLAN. Go to “WiFi & Switch Controller” > “SSID” and click “Create New (SSID)”. The SSID traffic mode is Bridge, since the traffic comes from the other device.


9. Create a FortiAP profile and attach the SSID created previously.


Note: The same configuration has to be applied on Radio 2, selecting the SSID for VLAN 10 or VLAN 20.

10. Bind the profiles to each registered FortiAP. Go to “WiFi & Switch Controller” > “Managed FortiAPs”, select the FortiAP, and set the FortiAP profile so it announces the SSID.



After each FortiAP is provisioned, it reboots to fetch the new configuration over the CAPWAP tunnel.

The following shows the final configuration:


11. Now configure the DHCP servers on the connected ports.

Note: By default, FortiSwitch and some 3rd-party vendors have DHCP snooping enabled. DHCP snooping drops DHCP server messages that arrive on untrusted ports, so the switch only forwards DHCP offers that come from trusted sources.




To permit these DHCP packets to reach end devices on both VLANs, disable DHCP snooping on the FortiSwitch for the VLANs carried by port1 and port2. Run the following commands:

config switch vlan
    edit 10
        set private-vlan disable
        set description ''
        set igmp-snooping enable
        set dhcp-snooping disable
        set dhcp-snooping-verify-mac disable
        set dhcp-snooping-option82 disable
    next
    edit 20
        set private-vlan disable
        set description ''
        set igmp-snooping enable
        set dhcp-snooping disable
        set dhcp-snooping-verify-mac disable
        set dhcp-snooping-option82 disable
    next
end

Once DHCP snooping is disabled, DHCP messages can pass through the FortiSwitch to the end users and reach the services.
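Because disabling DHCP snooping also removes the switch's filtering of unexpected DHCP servers on those VLANs, it helps to keep the change visible. The following added example (not part of the Fortinet article or any Fortinet tool) parses a FortiSwitch `config switch vlan` dump in the layout shown above and lists the VLANs where snooping is disabled; the sample configuration is constructed for the example.

```python
# Added example (not from the Fortinet article or any Fortinet tool): parse a
# FortiSwitch 'config switch vlan' dump and report which VLANs have DHCP
# snooping disabled, so the change made in this article stays auditable.
from typing import Dict, List

# Constructed sample in the layout shown by the article: VLAN 1 keeps snooping,
# VLAN 10 and VLAN 20 are the service VLANs where it was disabled.
SAMPLE_CONFIG = """\
config switch vlan
    edit 1
        set dhcp-snooping enable
    next
    edit 10
        set description ''
        set dhcp-snooping disable
        set dhcp-snooping-verify-mac disable
        set dhcp-snooping-option82 disable
    next
    edit 20
        set dhcp-snooping disable
    next
end
"""


def parse_switch_vlans(text: str) -> Dict[int, Dict[str, str]]:
    """Return {vlan_id: {setting: value}} from a 'config switch vlan' block."""
    vlans: Dict[int, Dict[str, str]] = {}
    current = None          # VLAN ID of the open 'edit' block, if any
    in_vlan_table = False   # True between 'config switch vlan' and its 'end'
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["config", "switch", "vlan"]:
            in_vlan_table = True
        elif in_vlan_table and parts[0] == "edit" and len(parts) == 2:
            current = int(parts[1])
            vlans.setdefault(current, {})
        elif in_vlan_table and parts[0] == "set" and current is not None:
            # join multi-word values; drop the quotes around e.g. description ''
            vlans[current][parts[1]] = " ".join(parts[2:]).strip("'")
        elif parts[0] == "next":
            current = None
        elif parts[0] == "end":
            in_vlan_table = False
    return vlans


def vlans_without_dhcp_snooping(vlans: Dict[int, Dict[str, str]]) -> List[int]:
    # VLANs where DHCP server replies are no longer filtered by the switch
    return sorted(v for v, s in vlans.items() if s.get("dhcp-snooping") == "disable")
```

Running `vlans_without_dhcp_snooping(parse_switch_vlans(SAMPLE_CONFIG))` on the sample returns `[10, 20]`, matching the two service VLANs changed in step 11.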



