FortiGate
Article Id 226607

Description

 

This article describes how to configure distributed bandwidth consumption in a wireless mesh topology.

The following configuration is performed in order to overcome bandwidth choke limitations for wireless clients in mesh networks.

 

Scope

 

FortiAP and FortiGate 5.4 and above.

 

Note:

Traffic consumption on the virtual Wi-Fi SSID interface depends directly on the physical interface that the AP is connected to.

 

Solution

 

In the following experiment, a wireless mesh topology was configured between two APs that are connected to two different interfaces and networks.

 

AP1-Root-AP - 10.10.10.10/24 - internal1

AP2-Leaf-AP - 20.20.20.20/24 - internal2

 

 

AP1 - Root AP Configuration:

Here, AP1 (Root AP) is connected to the internal1 interface. The local IP of the AP is 10.10.10.10 and its default gateway is the internal1 interface IP (10.10.10.1).

 

As AP1 is configured as the Root AP, its uplink connectivity is Ethernet.

 

Lastly, the FortiAP controller IP is 172.16.16.100.

 

[Screenshot: AP1 Root AP configuration]

 

AP2 - Leaf AP Configuration:

AP2 (Leaf AP) is connected to the internal2 interface. The local IP of the AP is 20.20.20.20 and its default gateway is the internal2 interface IP (20.20.20.1).

 

As AP2 is configured as the Leaf AP, its uplink connectivity is Mesh.

Here,

  • Mesh SSID is fortinet and
  • Password is fortinet123

Lastly, the FortiAP controller IP is 172.16.16.100.

 

[Screenshot: AP2 Leaf AP configuration]
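The same Leaf AP settings expressed on the FortiAP's own CLI, as an added example rather than a screenshot from the article. It assumes the AP uses static addressing and static controller discovery; the numeric values are the documented FortiAP meanings (MESH_AP_TYPE=1 selects a mesh uplink, AC_DISCOVERY_TYPE=1 selects static discovery).

```text
# AP2 (Leaf AP): static addressing on the internal2 network, values from the article
cfg -a ADDR_MODE=STATIC
cfg -a AP_IPADDR=20.20.20.20
cfg -a AP_NETMASK=255.255.255.0
cfg -a IPGW=20.20.20.1

# Use the mesh backhaul SSID as the uplink instead of the Ethernet port
# (MESH_AP_TYPE: 0 = Ethernet, 1 = mesh)
cfg -a MESH_AP_TYPE=1
cfg -a MESH_AP_SSID=fortinet
cfg -a MESH_AP_PASSWD=fortinet123

# Point the AP at the wireless controller by static IP (1 = static discovery)
cfg -a AC_DISCOVERY_TYPE=1
cfg -a AC_IPADDR_1=172.16.16.100

# Commit the settings to flash; the AP must then be rebooted to apply them
cfg -c

# Show the resulting configuration to confirm the values were stored
cfg -s
```

The Root AP (AP1) keeps the default MESH_AP_TYPE=0 so that its Ethernet uplink on internal1 is used.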

 

Interfaces and Security Fabric:

Note: Security Fabric connection must be enabled on the internal1 and internal2 interfaces in order for the FortiAPs to come online.

Here, Security Fabric connection is also enabled on the wan1 interface for connectivity between the APs and the controller. It allows the controller to discover the APs.

 

For simplicity, the interfaces are grouped into a zone.

 

[Screenshot: Interfaces and Security Fabric settings]

 

Policy for AP to reach Controller:

The policy is created so that the APs can reach, and be discovered by, the controller.

 

[Screenshot: Policy for AP to reach controller]

 

Manage discovered AP:

AP1 (Root AP) is discovered by the FortiGate and the default profile is automatically assigned.

 

[Screenshot: Managed FortiAPs after discovery]

 

ARP of discovered AP - Before Mesh:

Here in the CLI, executing get system arp shows that AP1 (10.10.10.10) is connected on internal1, because the connectivity of AP1 was made over Ethernet. AP2, on the other hand, is in Mesh mode, so it does not appear in the ARP table yet. Once mesh connectivity with AP1 is established, AP2 (20.20.20.20) will appear as connected on the internal2 interface.

 

[Screenshot: get system arp output before mesh]

 

Profiles for AP1-Root and AP2-Leaf AP:

Although the default profile is assigned automatically, separate Root AP and Leaf AP profiles are created for ease of configuration and management.

 

[Screenshot: Root and Leaf AP profiles]

 

Authorized and Assigned Root-AP Profile:

The discovered AP is authorized and the Root AP profile above is assigned afterwards. In the Root AP profile, the Mesh_Backhaul SSID is broadcast; the Mesh_Backhaul SSID was given the SSID fortinet and the password fortinet123.

 

[Screenshot: Root AP profile with Mesh_Backhaul SSID]

 

Mesh AP1-Root and AP2-Leaf:

With that configuration, mesh connectivity for the APs is complete. The Leaf AP and Root AP now discover each other, and AP2 (Leaf AP) is then assigned the Leaf-AP profile.

 

[Screenshot: AP1 Root and AP2 Leaf meshed]
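The backhaul SSID, the two profiles and the AP authorization from this and the previous section, written as the equivalent FortiOS CLI. This is an added example, not the article's own configuration: the AP serial numbers are placeholders, Client-SSID is a hypothetical client-facing SSID, and set vap-all manual is the wording on current releases (older releases use disable).

```text
# Mesh backhaul SSID: the article's Mesh_Backhaul VAP (SSID fortinet / fortinet123)
config wireless-controller vap
    edit "Mesh_Backhaul"
        set ssid "fortinet"
        set mesh-backhaul enable
        set security wpa2-only-personal
        set passphrase "fortinet123"
    next
end

# Root AP profile broadcasts the backhaul SSID so the leaf can join it;
# the leaf profile only carries the client SSID (hypothetical name)
config wireless-controller wtp-profile
    edit "Root-AP-Profile"
        config radio-1
            set vap-all manual
            set vaps "Mesh_Backhaul"
        end
    next
    edit "Leaf-AP-Profile"
        config radio-1
            set vap-all manual
            set vaps "Client-SSID"
        end
    next
end

# Authorize each discovered AP and bind its profile (serials are placeholders)
config wireless-controller wtp
    edit "<AP1-SERIAL>"
        set admin enable
        set wtp-profile "Root-AP-Profile"
    next
    edit "<AP2-SERIAL>"
        set admin enable
        set wtp-profile "Leaf-AP-Profile"
    next
end

# Verification: both APs should report as connected, and the ARP table should
# list AP1 on internal1 and AP2 on internal2 once the mesh link is up
diagnose wireless-controller wlac -c wtp
get system arp
```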

 

 

ARP of discovered AP- After Mesh:

After authorization, get system arp shows AP1 connected on internal1 and AP2 connected on internal2, each on its own network.

 

[Screenshot: get system arp output after mesh]

 

Policy for WiFi SSID to Internet:

Here, an internet access policy is created for wireless clients.

 

[Screenshot: Policy for Wi-Fi SSID to Internet]

 

AP1 - RootAP bandwidth consumption and connected Internal1 behavior:

Here, the wireless client is connected to the Root AP.

 

[Screenshot: Wireless client connected to Root AP]

 

The bandwidth consumption appears on the internal1 interface, where the Root AP is connected.

 

[Screenshot: Bandwidth monitor for internal1 with client on Root AP]

 

AP2 - LeafAP bandwidth consumption and connected Internal2 behavior:

After the client roams and seamlessly connects to AP2 (Leaf AP), the bandwidth consumption is shown on the Leaf AP.

 

[Screenshot: Wireless client connected to Leaf AP]

 

Bandwidth consumption on internal2 peaks as the wireless client uses more bandwidth, while internal1 is no longer carrying that traffic after the client moved from the Root AP to the Leaf AP.

 

[Screenshot: Bandwidth monitor for internal2 with client on Leaf AP]

 

Note:

SSIDs with traffic mode type 'Mesh' cannot be added to the bandwidth monitor, and this is by design.

 

Conclusion

In an enterprise environment, bandwidth is consumed not only by wireless clients but also by other networking devices.

With all that traffic, a bandwidth choke is likely to happen. In a meshed AP deployment, a wireless client's bandwidth is handled by the interface to which the Root AP is connected, which can cause that interface to exceed its bandwidth limit.

The configuration above helps to manage and distribute the bandwidth consumption across the interfaces to which the Root and Leaf APs are connected.

 

Related document:

Wireless mesh configuration