FortiExtender
FortiExtender offers wireless connectivity for nearly any operational network.
wdarren
Staff
Article Id 218691

 

Description

 

This article describes how to configure FortiExtender (FEX) WAN-Extension (VLAN mode) with FortiGate.

 

Scope

 

For FortiExtender v7.2.0 build0113, FortiGate v7.2.0 build1157.
FortiExtender Port4 is directly connected to the WAN2 interface on FortiGate.

 

Solution

 

Why FortiExtender VLAN mode?

With a FortiExtender-WAN type interface, all traffic to/from FortiGate is encapsulated in the CAPWAP data channel, whereas with a VLAN type interface, the traffic is sent/received directly on the VLAN interface.

Due to the absence of encapsulation overhead, VLAN mode delivers better speeds, with the requirement that the VLAN interface be created directly on top of the port on which FortiExtender is connected to FortiGate.

Ensure that the VLAN interface is created based on the physical interface of the connected FortiExtender.

 

Configuration:

 

FortiGate side configuration steps:
1) Create a WAN2 interface & configure an IP address 192.168.2.99 with a DHCP server running on it and allow Security Fabric connection traffic.

 

2) Enable 'fortiextender-vlan-mode' on FortiGate using the steps below:


Note:
VLAN mode has to be explicitly enabled, as it is disabled by default on FortiGate, and all the FortiExtender-WAN interfaces must be deleted before VLAN mode is enabled.

 

# config system global
    set fortiextender-vlan-mode enable
end

 

3) Create a VLAN interface on top of WAN2 (any VLAN ID, for example 123). Name it FEXVLAN. Configure this interface as a DHCP client.

 


 

FortiExtender side configuration steps:
4) The FortiExtender interface port4 connected to WAN2 will get an IP address from FortiGate, which is 192.168.2.98.

 

5) On the FortiExtender GUI, navigate to Setting -> Management, set Controller: FortiGate, Discovery Type: static, Discovery Interface: port4, and create a Static Access Control Address with the server: 192.168.2.99.

 

6) To authorize FortiExtender, on the FortiGate GUI navigate to Network -> FortiExtender, wait for the FortiExtender to be discovered by FortiGate, and then authorize it with Mode: WAN extension, Modem 1 Interface: FEXVLAN.

 


 

7) Wait a few moments. FortiExtender may need to reboot if the mode was changed from nat to ip-passthrough (VLAN).

 

8) After the WAN extension tunnel is set up, check the status in the FortiExtender GUI -> Dashboard. Controller Information should be: FortiGate, with Status: Connected, and Mode: FortiGate (ip-passthrough (VLAN)).

 


 

 

9) The WAN Extension status can also be checked from the FortiExtender CLI by running the command below:

 

# get extender status

 

 

10) FortiGate sends the VLAN ID to FortiExtender over CAPWAP, and FortiExtender automatically creates a VLAN interface (for example, with name VLAN1 and vid 123). No special configuration is needed.

 

11) Now when the FortiExtender modem is connected to the Internet, the FortiGate VLAN interface FEXVLAN will get the same IP address as the FortiExtender LTE interface.

 

 



12) On FortiGate, after configuring the correct firewall policy, the client behind FortiGate can go to the internet via the FEXVLAN interface.

 

13) The idea is to make sure that data traffic is separated from control traffic by using VLANs.
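
A preflight check for the FortiGate-side requirements in steps 1 to 3, as an added example that is not part of the original article or of Fortinet's tooling: it parses a CLI configuration excerpt and reports whether VLAN mode is enabled, whether FEXVLAN sits on top of WAN2 as a DHCP client, and whether WAN2 allows Security Fabric connections. The sample excerpt is constructed, and its `set interface`, `set mode dhcp` and `set allowaccess fabric` lines are assumed CLI equivalents of the GUI settings described above.

```python
# Constructed sample excerpt of a FortiGate configuration (not taken from the article).
SAMPLE = """\
config system global
    set fortiextender-vlan-mode enable
end
config system interface
    edit "wan2"
        set allowaccess ping fabric
    next
    edit "FEXVLAN"
        set mode dhcp
        set interface "wan2"
        set vlanid 123
    next
end
"""


def parse(text):
    """Parse top-level blocks into {section: {entry: {key: value}}}; nested blocks are skipped."""
    cfg, path, entry = {}, [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            path.append(line[7:])
        elif line == "end" and path:
            path.pop()
            entry = entry if path else ""  # leaving a top-level block resets the entry
        elif len(path) == 1 and line.startswith("edit "):
            entry = line[5:].strip('"')
        elif len(path) == 1 and line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            cfg.setdefault(path[0], {}).setdefault(entry, {})[key] = val.replace('"', "")
    return cfg


def check(text, fex_port="wan2", vlan_if="FEXVLAN"):
    """Return a list of problems; an empty list means the requirements are met."""
    cfg, problems = parse(text), []
    ifaces = cfg.get("system interface", {})
    vlan = ifaces.get(vlan_if, {})
    if cfg.get("system global", {}).get("", {}).get("fortiextender-vlan-mode") != "enable":
        problems.append("fortiextender-vlan-mode is not enabled (it is disabled by default)")
    if vlan.get("interface") != fex_port:
        problems.append(f"{vlan_if} is not created on top of {fex_port}")
    if vlan.get("mode") != "dhcp":
        problems.append(f"{vlan_if} is not configured as a DHCP client")
    if "fabric" not in ifaces.get(fex_port, {}).get("allowaccess", "").split():
        problems.append(f"{fex_port} does not allow Security Fabric connection traffic")
    return problems
```

Calling `check()` on a saved configuration excerpt returns one message per unmet requirement; the port and VLAN interface names default to the ones used in this article.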
