FortiExtender
FortiExtender offers wireless connectivity for nearly any operational network.
azhou
Staff
Article Id 216578

Description

This article describes how to set up FortiExtender (FEX) LAN-Extension with FortiGate (FGT).

Scope

FortiGate and FortiExtender.

Solution

The scenario below was tested with the following builds and interfaces:

FortiExtender: FX200F v7.2.1 build121

FortiGate: FG200E v7.2.1 build1229

FortiExtender: port2 (note: use port1 and port2 if link load balancing is needed)

FortiGate: vlan1044 interface from wan1

Key requirements to set up FortiExtender LAN-extension successfully:

1) The FortiExtender uplink port2 can ping the FortiGate vlan1044 interface; it should be reachable at layer 3.

2) Security Fabric connection is enabled as an allowed access option on the FortiGate vlan1044 interface.

3) The backhaul for the uplink is set up in the FortiGate extender-profile; the uplink for FX200F is port1, port2.

Note: Different platforms require different uplink ports; for FEX201E the default uplink is wan/lte, which cannot be modified.

4) On FortiExtender, after discovery-type is set to FortiGate, ac-discovery-type can be either static or broadcast.

If it is set to broadcast, FortiExtender and FortiGate should be in the same broadcast domain.

If it is set to static, provide the correct FortiGate vlan1044 IP address.

Steps:

1) On FortiGate, create a vlan1044 interface, configure the IP address 192.168.144.61 on vlan1044, and allow Security Fabric connection traffic.

2) On FortiExtender, configure the IP address 192.168.142.39 on port2 and confirm that a ping from port2 to 192.168.144.61 succeeds.

3) On the FortiExtender GUI, navigate to Setting -> Management and set Controller: FortiGate, Discovery Type: static, Discovery Interface: port1, port2, and create a Static Access Control Address with the server 192.168.144.61.

4) FortiGate generates an extender-profile entry automatically if the above steps are correct.

5) FortiGate authorizes FortiExtender.

On the FortiGate GUI, navigate to Network -> FortiExtender, wait for FortiExtender to be discovered by FortiGate, and then authorize FortiExtender with mode: LAN extension.

6) After FortiExtender is authorized, the FortiExtender le-switch and le-uplink-port interfaces are generated automatically.

7) On FortiGate, the LAN-extension interface and tunnel interface are generated automatically, with a DHCP-assigned IP address.

8) Run 'get extender status' on FortiExtender to check the extender status; lan-extension mode should remain in the CWWS_RUN state for at least 30 seconds.

Alternatively, check the network mode and Controller information on the FortiExtender GUI dashboard.

9) Check that the VPN IPsec tunnel has been created properly on FortiExtender and that packets are passing in and out.

FortiExtender GUI: VPN page.

CLI:

# get vpn ipsec tunnel details

le-uplink-port2: #5712, ESTABLISHED, IKEv2, 9b6f17f7ba5bc1a5_i* 51932d7c0c6dffd6_r
local 'peerid-XdxG1ldK0x0qplkOA5YQwX2SrVKrH80n1W90ykD4tmD7AfRzZ0K3cWEe' @ 192.168.142.39[4500]
remote 'localid-eDi7WlnrxyQ3ogKRLVV421PeuhhUpiXmGtsUIR4Km9CWosnXpVHVqfx' @ 192.168.144.61[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 77247s ago, rekeying in 7522s
le-uplink-port2: #30, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
installed 36797s ago, rekeying in 2762s, expires in 10723s
in c33fe317 (0x00000018), 617736 bytes, 7354 packets, 3s ago
out 7b708b9d (0x00000018), 619326 bytes, 7369 packets, 3s ago
local 10.252.40.9/32
remote 10.252.40.1/32
le-uplink-port1: #5711, ESTABLISHED, IKEv2, afbc9af4f7a03f4f_i* e78e10882365c577_r
local 'peerid-XdxG1ldK0x0qplkOA5YQwX2SrVKrH80n1W90ykD4tmD7AfRzZ0K3cWEe' @ 192.168.141.39[4500]
remote 'localid-eDi7WlnrxyQ3ogKRLVV421PeuhhUpiXmGtsUIR4Km9CWosnXpVHVqfx' @ 192.168.144.61[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 77247s ago, rekeying in 1417s
le-uplink-port1: #29, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
installed 36814s ago, rekeying in 6218s, expires in 10706s
in cacfa1b5 (0x00000017), 6018125 bytes, 47310 packets, 0s ago
out 7b708b9c (0x00000017), 8649604 bytes, 65004 packets, 0s ago
local 10.252.40.8/32
remote 10.252.40.1/32
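
As an added check that is not part of the original article, the following Python script parses the 'get vpn ipsec tunnel details' listing above and reports whether each expected le-uplink tunnel has an ESTABLISHED IKE SA whose remote peer is the FortiGate controller address, an INSTALLED ESP child SA, and non-zero packet counters in both directions. It is example code written for this article, not a FortiExtender or FortiGate tool; the tunnel names, the controller address 192.168.144.61 and the healthy sample are taken from the output above, while the stalled sample and its SPI values are constructed.

```python
import re
from dataclasses import dataclass, field

# Line shapes in the FortiExtender 'get vpn ipsec tunnel details' output (strongSwan-style listing)
IKE_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>[A-Z_]+), IKEv\d,")
CHILD_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), reqid \d+, (?P<state>[A-Z_]+), \w+, ESP:\S+")
PEER_RE = re.compile(r"^(?P<side>local|remote) '[^']*' @ (?P<addr>[\d.]+)\[\d+\]")
CNT_RE = re.compile(r"^(?P<dir>in|out) [0-9a-f]+(?: \(0x[0-9a-f]+\))?, \d+ bytes, (?P<pkts>\d+) packets")

@dataclass
class ChildSA:
    id: int
    state: str
    packets: dict = field(default_factory=lambda: {"in": 0, "out": 0})

@dataclass
class IkeSA:
    name: str                                      # uplink tunnel name, e.g. le-uplink-port2
    id: int
    state: str
    peer: dict = field(default_factory=dict)       # IKE endpoint addresses keyed local/remote
    children: list = field(default_factory=list)   # ESP child SAs

def parse_tunnel_details(text):
    """Parse the CLI output into {tunnel name: IkeSA}."""
    tunnels, ike, child = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # skip blank lines and the echoed command
            continue
        if m := CHILD_RE.match(line):
            child = ChildSA(int(m["id"]), m["state"])
            if ike is not None and ike.name == m["name"]:
                ike.children.append(child)
        elif m := IKE_RE.match(line):
            ike = IkeSA(m["name"], int(m["id"]), m["state"])
            tunnels[ike.name] = ike
            child = None
        elif (m := PEER_RE.match(line)) and ike is not None:
            ike.peer[m["side"]] = m["addr"]
        elif (m := CNT_RE.match(line)) and child is not None:
            child.packets[m["dir"]] = int(m["pkts"])
    return tunnels

def check_uplinks(text, controller_ip, expected=("le-uplink-port1", "le-uplink-port2")):
    """Return a list of problems; an empty list means every expected uplink tunnel is up and passing traffic."""
    tunnels, problems = parse_tunnel_details(text), []
    for name in expected:
        ike = tunnels.get(name)
        if ike is None:
            problems.append(f"{name}: no IKE SA (uplink never negotiated)")
            continue
        if ike.state != "ESTABLISHED":
            problems.append(f"{name}: IKE SA is {ike.state}, not ESTABLISHED")
        if ike.peer.get("remote") != controller_ip:
            problems.append(f"{name}: remote peer {ike.peer.get('remote')} is not the controller {controller_ip}")
        if not ike.children:
            problems.append(f"{name}: no ESP child SA installed")
        for c in ike.children:
            if c.state != "INSTALLED":
                problems.append(f"{name}: child #{c.id} is {c.state}, not INSTALLED")
            for d in ("in", "out"):
                if c.packets[d] == 0:
                    problems.append(f"{name}: child #{c.id} has no {d}bound packets")
    return problems

# Healthy input: the tunnel listing shown in the article above, copied verbatim
HEALTHY_OUTPUT = """\
le-uplink-port2: #5712, ESTABLISHED, IKEv2, 9b6f17f7ba5bc1a5_i* 51932d7c0c6dffd6_r
local 'peerid-XdxG1ldK0x0qplkOA5YQwX2SrVKrH80n1W90ykD4tmD7AfRzZ0K3cWEe' @ 192.168.142.39[4500]
remote 'localid-eDi7WlnrxyQ3ogKRLVV421PeuhhUpiXmGtsUIR4Km9CWosnXpVHVqfx' @ 192.168.144.61[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 77247s ago, rekeying in 7522s
le-uplink-port2: #30, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
installed 36797s ago, rekeying in 2762s, expires in 10723s
in c33fe317 (0x00000018), 617736 bytes, 7354 packets, 3s ago
out 7b708b9d (0x00000018), 619326 bytes, 7369 packets, 3s ago
local 10.252.40.9/32
remote 10.252.40.1/32
le-uplink-port1: #5711, ESTABLISHED, IKEv2, afbc9af4f7a03f4f_i* e78e10882365c577_r
local 'peerid-XdxG1ldK0x0qplkOA5YQwX2SrVKrH80n1W90ykD4tmD7AfRzZ0K3cWEe' @ 192.168.141.39[4500]
remote 'localid-eDi7WlnrxyQ3ogKRLVV421PeuhhUpiXmGtsUIR4Km9CWosnXpVHVqfx' @ 192.168.144.61[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 77247s ago, rekeying in 1417s
le-uplink-port1: #29, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
installed 36814s ago, rekeying in 6218s, expires in 10706s
in cacfa1b5 (0x00000017), 6018125 bytes, 47310 packets, 0s ago
out 7b708b9c (0x00000017), 8649604 bytes, 65004 packets, 0s ago
local 10.252.40.8/32
remote 10.252.40.1/32
"""

# Constructed failure case: port2 is still negotiating with no ESP child SA, port1 never came up
STALLED_OUTPUT = """\
le-uplink-port2: #6001, CONNECTING, IKEv2, 0123456789abcdef_i* 0000000000000000_r
remote 'localid-placeholder' @ 192.168.144.61[4500]
"""
```

Paste the CLI output in place of HEALTHY_OUTPUT (or read it from a file) and call check_uplinks(output, "192.168.144.61"); an empty list means both uplinks are established with the FortiGate controller and carrying traffic. Checking the per-direction packet counters catches the case where an SA is installed but no return traffic is arriving, which a glance at the ESTABLISHED/INSTALLED states alone would miss.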

 

10) The client receives a DHCP IP address in the same subnet as the le-switch IP address.

11) Create a firewall policy on FortiGate with the correct incoming/outgoing interfaces and service, so the client can reach the Internet.