FortiExtender
FortiExtender offers wireless connectivity for nearly any operational network.
avenditti
Staff
Article Id 330144
Description

This article describes how to configure multiple FortiExtenders in the configuration of a managed WAN-Extension (CAPWAP mode) and use them with an HA active-passive cluster of FortiGate.

Scope

Each FortiGate is connected to 2 FortiExtenders to maximize WAN availability while preserving resilience in the event of a hardware failure.

 

Target scenario:

 

avenditti_0-1722611124707.png

 

FortiOS: v7.2.7 build 1577
FortiExtender 511F v7.4.4 (hitless failover in WAN-extension mode in an HA configuration was added starting with v7.4.4)

Solution

Referring to the connection schema:

 

  1. On FortiGate:
  • Edit the WAN2 interface.
  • Configure the static IP 192.168.200.1.
  • Configure a DHCP server with the IP address scope 192.168.200.2 - 192.168.200.2 (a single IP).
  • Allow Security Fabric Connection traffic.
  • Allow device detection (Note: the role of the interface should be Undefined).
avenditti_1-1722611594510.png

 

 

  2. Create a new interface with the 'FortiExtender WAN Extension' type. The one in this example will be called FEX1 (to distinguish it from the one facing the second FortiExtender).

 

avenditti_2-1722611594513.png
avenditti_3-1722611594515.jpeg

 

 

  3. Connect to the FortiExtender GUI (default IP 192.168.200.99 over port1, port2 or port3, username 'admin' with no password).
    Edit port4 to keep 'last resort' access for the next steps. Change the addressing mode to static and assign the IP 192.168.1.100 (optionally, define a DHCP Server for the interface to facilitate access). Make sure that the interface status is 'up'.

 

avenditti_4-1722611594523.png

 

 

  4. By default, the lan 'zone' (port1, port2 and port3) has the DHCP Server enabled. This DHCP server configuration must be deleted. Identify the DHCP Server for the LAN (be careful not to remove the DHCP server for port4 if it has been created). It should be similar to the following one (execute the command config system dhcpserver in the CLI, followed by show):

 

    config system dhcpserver
    show

    config system dhcpserver
        edit 1
            set status enable
            set lease-time 86400
            set dns-service default
            set ntp-service specify
            set ntp-server1
            set ntp-server2
            set ntp-server3
            set default-gateway 192.168.200.99
            set netmask 255.255.255.0
            set interface lan
            set start-ip 192.168.200.110
            set end-ip 192.168.200.210
            set mtu 1500
            set reserved-address disable
        next
    end

 

Remove the DHCP Server that is active for the lan 'zone' (port1, port2 and port3):

    config system dhcpserver
    delete 1
    end

 

  5. Continue from the CLI to change the lan mode from static to DHCP Client:

    config system interface
    edit lan
    set mode dhcp
    end

 

Note: If connected via port1, port2 or port3, the connection to the device may be lost. If so, reconnect using port4 (towards the IP 192.168.1.100).

 

  6. In the FortiExtender GUI, navigate to Setting (left bar) -> Management, then set up the following:
  • Controller: FortiGate
  • Discovery Type: static
  • Discovery Interface: port1, port2, port3 [1]

Create a Static Access Control Address with the server 192.168.200.1 (ID 1).

 
avenditti_6-1722612242571.png

[1] The picture reports Port4 as Discovery Interface. It should report 'lan' (port1, port2 and port3).

 

 

  7. Connect the port1 interface of the FortiExtender to WAN2 of the FortiGate. The FortiExtender will receive an IP from the FortiGate, which is 192.168.200.2 here. Confirm this with the DHCP Server widget available from the Dashboard menu of the FortiGate, or directly from the FortiExtender under Network, by editing the LAN interface.

 

avenditti_7-1722612322796.png
avenditti_9-1722612384946.png

 

Be sure the IP address has been assigned to FortiExtender before proceeding with the next steps.

 

 

  8. To authorize the FortiExtender, in the FortiGate GUI navigate to Network -> FortiExtender, wait for the FortiExtender to be discovered by the FortiGate (this may take a few minutes), and then authorize it (using the Authorization button) with the following mode:

  • WAN extension
  • Modem 1 Interface: FEX1

The FortiExtender will reboot and the mode will change from NAT to ip-passthrough. Wait until it comes back online (i.e. shows as green) under Network -> FortiExtender. Note: The process may take a few minutes; be patient.

 

To confirm that FEX1 is selected as the Modem 1 Interface once the FortiExtender has been approved (and has rebooted), edit it (right-click, then select Edit) and check that everything appears as in the following screenshots:

 
avenditti_17-1722612804241.png
 

avenditti_24-1722613440850.png

 

 

  9. In the FortiGate GUI, navigate to Network -> FortiExtender and edit the wanext-default profile by adding the PIN (if present) for the associated SIM.

 

avenditti_12-1722612443105.png

 

avenditti_13-1722612443128.png

 

 

  10. In the FortiGate GUI, navigate to Network -> Interface and check the status of the FEX1 interface. It should be in the active state with the same IP as the lte1 interface of the FortiExtender (retrieve this information from the FortiExtender Dashboard).

 

avenditti_14-1722612443137.png

 

avenditti_21-1722613196416.png

 

Note: If the status of the FEX1 interface is disabled, check:

  • the PIN associated with the SIM
  • that the Modem 1 Interface was associated with the FEX1 interface (Step 7)

 

 

  11. To add the second FortiExtender, repeat steps 1 to 10 with only the following changes:

 

  • Step 1: use port3, configure the static IP 192.168.201.1, configure a DHCP server with the IP addresses scope 192.168.201.2 - 192.168.201.2.
  • Step 2: create a new interface with type 'FortiExtender WAN Extension'. It will be named FEX2 in this example.
  • Step 6: create a Static Access Control Address with the server 192.168.201.1 (ID 1).
  • Step 7: FortiExtender will get an IP from FortiGate which is 192.168.201.2.
  • Step 8: Modem 1 Interface: FEX2.
  • Step 10: check the status of the FEX2 interface. It should be in the active state with the same IP as the lte1 interface of the FortiExtender.

Note: It may be necessary to add a Data Plan in order to specify the APN.
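The DHCP server removal in step 4 (delete the server bound to 'lan', keep any server created for port4) can be checked before typing the delete. The following Python script is an added example, not part of the original article or of any Fortinet tooling: it parses the output of show under config system dhcpserver and builds the delete commands only for entries bound to 'lan'. The port4 entry in the sample and the function names are constructed for illustration.

```python
# Constructed sample: entry 1 follows the article's factory 'lan' server;
# entry 2 is a hypothetical port4 server added for 'last resort' access.
SAMPLE_SHOW = """\
config system dhcpserver
    edit 1
        set status enable
        set ntp-server1
        set default-gateway 192.168.200.99
        set interface lan
        set start-ip 192.168.200.110
        set end-ip 192.168.200.210
    next
    edit 2
        set default-gateway 192.168.1.100
        set interface port4
        set start-ip 192.168.1.110
        set end-ip 192.168.1.120
    next
end
"""

def parse_dhcp_servers(show_output):
    """Return {entry_id: {setting: value}} parsed from the 'show' output."""
    servers, current = {}, None
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = servers.setdefault(line.split(None, 1)[1], {})
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)  # 'set', key, optional value
            # Settings shown without a value (e.g. ntp-server1) map to "".
            current[parts[1]] = parts[2].strip('"') if len(parts) > 2 else ""
    return servers

def plan_lan_dhcp_removal(show_output, target="lan"):
    """Return (delete commands for entries bound to target, entries kept)."""
    servers = parse_dhcp_servers(show_output)
    doomed = [i for i, s in servers.items() if s.get("interface") == target]
    kept = {i: s.get("interface", "") for i, s in servers.items() if i not in doomed}
    if not doomed:
        return [], kept  # nothing bound to 'lan': issue no delete at all
    cmds = ["config system dhcpserver"] + [f"delete {i}" for i in doomed] + ["end"]
    return cmds, kept

if __name__ == "__main__":
    commands, kept = plan_lan_dhcp_removal(SAMPLE_SHOW)
    print("\n".join(commands), "\nkept:", kept)
```

Run it against the pasted show output of each FortiExtender; the entry ID to delete is not necessarily 1 on a unit that has been reconfigured.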

 

Additional TIPS

 

  1. To connect to the FortiExtender, it is also possible to establish an SSH connection directly from the FortiGate CLI by using the address assigned via DHCP by the FortiGate. For example, for the first FortiExtender:

    execute ssh admin@192.168.200.2

 

  2. To evaluate the operational mode of the FortiExtender, consider using the following commands:

    get system status
    get extender status

 

  3. Depending on the requirements, the 'Retrieve default gateway from server' option may be enabled or disabled on the FortiGate FEXx interface, so a static route that uses this interface as the outgoing interface may be required. That route needs to have dynamic gateway enabled.

    config router static
        edit xxx
            set device "FEX1"
            set dynamic-gateway enable
        next
    end
