FortiExtender
FortiExtender offers wireless connectivity for nearly any operational network.
azhou
Staff
Article Id 388142
Description: This article describes how to set up Multiple-PDN WAN-Extension in VLAN mode with the LAN interface.
Scope: FortiGate and FortiExtender-511G/FortiExtender-511G-WiFi.
Solution: The scenario below was tested with the following builds and interfaces:
  • FortiExtender: FXW51G-v7.6.2-build441.
  • FortiGate: FortiGate-80F v7.6.3,build3499.
  • FortiExtender: lan.
  • FortiGate: wan2.

 

Key requirements to set up FortiExtender Multiple-PDN WAN-Extension VLAN mode successfully:

  1. Only FortiExtender-511G/FortiExtender-511G-WiFi supports the Multiple-PDN feature with one supported SIM inserted.
  2. Set the APNs under dataplan in the order provided by the ISP; the modem could fail to connect if the APNs are configured in a random order.
  3. Enable multiple-PDN and pdn-plan after the dataplan has been set properly.
  4. When WAN-Extension VLAN mode runs on FortiExtender via the LAN interface, the LAN acts as a DHCP server.

 

Steps:

  1. Enable fortiextender-vlan-mode on FortiGate after deleting all fext-wan type interfaces:

 

config system global
    set fortiextender-vlan-mode enable
end

 

  1. Enable fabric on FortiGate wan2 interface:

 

config system interface
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fabric
        set type physical
        set description "WAN_Ext"
        set snmp-index 2
    next
end

 

  1. Create a VLAN interface on top of wan2 with DHCP mode and vlanId:

 

config system interface
    edit "fex511vlan-1"
        set vdom "root"
        set mode dhcp
        set status down
        set device-identification enable
        set role lan
        set snmp-index 18
        set interface "wan2"
        set mtu-override enable
        set vlanid 101
    next
end

 

  1. Configure the dataplan for the supported ISP carrier:

 

config extension-controller dataplan
    edit "plan1"
        set apn "sp.telus.com"
        set capacity 10240
    next
    edit "plan2"
        set apn "isp.telus.com"
        set capacity 20000
    next
end

 

  1. After a factory reset, FortiExtender comes up with default settings, so no additional configuration is needed on it.
  • By default, the FortiExtender LAN interface has the IP address 192.168.200.99/24 and the LAN acts as a DHCP server. Verify the IP address of the lan interface and the DHCP server configuration.

 

CLI:

 

FXW51GXXXXXXXXXX# get system dhcp-server config
== [ 1 ]
name: 1 status: disable lease-time: 86400 interface: lan
dns-service:: default dns-server: 208.91.112.53
ntp-service:: specify ntp-server:
gateway: 192.168.200.99
ip-range: 192.168.200.110 <--> 192.168.200.210
netmask: 255.255.255.0

 

  • Verify the FortiExtender system management configuration; the default discovery-intf is lan port4:

 

config system management
    set discovery-type auto
    config fortigate
        set ac-discovery-type broadcast
        set ac-ctl-port 5246
        set ac-data-port 25246
        set discovery-intf lan port4
        set ingress-intf
    end
end

 

  • Verify the switch members of the LAN on FortiExtender under config system switch-interface.

 

config system switch-interface
    edit lan
        set vlan-support disable
        config member
            edit port1
                set type physical
                set port port1
                set vids
                set pvid 1

 

  1. Connect wan2 of the FortiGate to the FortiExtender LAN interface; wan2 gets an IP address from the DHCP server.
  2. After FortiGate discovers the FortiExtender, the extender-profile FXW51G-wanext-default and a FEX511G-specific extender entry are generated automatically.

    

config extension-controller extender-profile
    edit "FXW51G-wanext-default"
        set id 0
        set model FXW51G
        config cellular
            set dataplan "plan1" "plan2"
            config sms-notification
            end
            config modem1
                set multiple-PDN disable

config extension-controller extender
    edit "FX016SXXXXXXXXX"
        set id "FXW51GXXXXXXXXXX"
        set authorized discover
        set device-id 0
        set extension-type wan-extension
        set profile "FXW51G-wanext-default"

  1. Enable Multiple-PDN and SIM-PIN as necessary in FXW51G-wanext-default:

 

config extension-controller extender-profile
    edit "FXW51G-wanext-default"
        set id 0
        set model FXW51G
        config cellular
            set dataplan "plan1" "plan2"
            config sms-notification
            end
            config modem1
                set sim1-pin enable
                set sim1-pin-code ENC 7p3IshT7uiZ60wdnWxoz6/MoQ7/bx5IgNhgdue/GivdIyKOq4NAWzR4nyPHftl+KHssvHgHXQlVwX+9yUm92gjDOlKL9A/h0HWebrTYmJF2dkh2/Zm/xvJ/4baWHeSEzubKx9RhWS+cJgdk4RnRqqbAunOnYxKEdXFaW1Qs5my3A+hiowYmsKWnRpj+3stZbERlMBllmMjY3dkVA
                set multiple-PDN enable
                set pdn1-dataplan "plan1"
                set pdn2-dataplan "plan2"
                set pdn3-dataplan ''
                set pdn4-dataplan ''
            end
        end
    next
end

 

  1. Authorize the FortiExtender on FortiGate under extension-controller extender:


config extension-controller extender
    edit "FX016SXXXXXXXXX"
        set id "FXW51GXXXXXXXXXX"
        set authorized enable
        set device-id 0
        set extension-type wan-extension
        set profile "FXW51G-wanext-default"
        config wan-extension
            set modem1-pdn1-interface "fex511vlan-1"
            set modem1-pdn2-interface "fex511vlan-2"
        end
    next
end

 

  1. Verify that the VLAN mode WAN-Extension is established between FortiGate and FortiExtender:

 

FXW51GXXXXXXXXXX# get extender status
Extender Status
name : FXW51GXXXXXXXXXX
mode : CAPWAP

session : active
fext-addr : 192.168.200.99
ingress-intf : lan
fext-wan-addr : 25.18.245.44
controller-addr : 192.168.200.110:5246,25246
controller-name : FGT80FTKXXXXXXXX
uptime : 0 days, 0 hours, 29 minutes, 57 seconds
management-state : CWWS_RUN
session : standby
fext-addr : 0.0.0.0
ingress-intf :
fext-wan-addr : 25.18.245.44
controller-addr : 192.168.200.110:5248,25248
controller-name :
management-state : CWWS_DISCOVERY
session : obm
fext-addr : 0.0.0.0
ingress-intf :

controller-addr : fortiextender-dispatch.forticloud.com:443

account-id : 0
management-state : CWWS_CLD_CONN
base-mac : 78:18:EC:DE:33:88
network-mode : ip-passthrough (vlan)
fgt-backup-mode : backup
discovery-type : broadcast
discovery-interval : 5
echo-interval : 30
report-interval : 30
statistics-interval : 120
mdm-fw-server : fortiextender-firmware.forticloud.com
os-fw-server : fortiextender-firmware.forticloud.com

 

  1. Verify that FortiGate has obtained an IP address and can ping the internet via the VLAN interfaces fex511vlan-1 and fex511vlan-2.


FortiGate-80F # get system interface | grep fex511vlan-1
== [ fex511vlan-1 ]
name: fex511vlan-1 mode: dhcp management-ip: 0.0.0.0 0.0.0.0 ip: 25.24.90.204 255.255.255.248 status: up netbios-forward: disable type: vlan netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable trunk: disable switch-controller-feature: none wccp: disable drop-overlapped-fragment: disable drop-fragment: disable mtu-override: disable

FortiGate-80F # execute ping-options interface fex511vlan-1

FortiGate-80F # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=51 time=33.6 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=21.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=15.0 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=16.0 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=51 time=16.0 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 15.0/20.4/33.6 ms

 

Note:

It takes some time for FortiGate to get an IP address. How long it takes depends on when the FortiExtender modem reaches the CONNECT state.
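
The check in the verification step can be scripted. The following is an added example, not part of the original article and not Fortinet code: it parses `get extender status` output and reports whether the active session is in CWWS_RUN, is bound to the expected controller and ingress interface, and runs in VLAN mode. Confirming the controller name is a useful check when discovery-type is broadcast. The function names, the SESSION_KEYS set and the abridged sample are assumptions made for this example.

```python
# Added example, not Fortinet code. SESSION_KEYS is an assumption inferred from the sample output.
SESSION_KEYS = {"fext-addr", "ingress-intf", "fext-wan-addr", "controller-addr",
                "controller-name", "uptime", "management-state", "account-id"}

# Constructed sample, abridged from the output shown in the verification step.
SAMPLE = """\
Extender Status
name : FXW51GXXXXXXXXXX
session : active
ingress-intf : lan
controller-addr : 192.168.200.110:5246,25246
controller-name : FGT80FTKXXXXXXXX
management-state : CWWS_RUN
session : standby
controller-name :
management-state : CWWS_DISCOVERY
network-mode : ip-passthrough (vlan)
"""

def parse_status(text):
    """Split the flat 'key : value' listing into global and per-session fields."""
    glob, sessions, cur = {}, {}, None
    for line in text.splitlines():
        key, sep, val = line.partition(" :")
        if not sep:
            continue  # banner line such as "Extender Status"
        key, val = key.strip(), val.strip()
        if key == "session":
            cur = sessions.setdefault(val, {})  # active / standby / obm
        elif cur is not None and key in SESSION_KEYS:
            cur[key] = val
        else:
            glob[key] = val  # device-wide fields (name, network-mode, ...)
    return glob, sessions

def audit(text, expected_controller, expected_ingress="lan"):
    """Return findings; an empty list means the tunnel matches expectations."""
    glob, sessions = parse_status(text)
    active = sessions.get("active", {})
    findings = []
    if active.get("management-state") != "CWWS_RUN":
        findings.append("active session is not in CWWS_RUN")
    if active.get("controller-name") != expected_controller:
        findings.append(f"unexpected controller: {active.get('controller-name')!r}")
    if active.get("ingress-intf") != expected_ingress:
        findings.append("unexpected ingress interface")
    if "vlan" not in glob.get("network-mode", ""):
        findings.append("network-mode is not VLAN mode")
    return findings
```

Call `audit()` with the captured CLI output and the serial number of the FortiGate that is supposed to manage the extender; any returned finding is worth investigating before relying on the link.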

 
