As a primer, the Remote WLAN functionality allows certain FortiAPs to be deployed to a remote site (such as with a remote/travelling employee) where they can broadcast the same SSID as the corporate wireless network. This is effectively a Wi-Fi-based extension back to the corporate office. Remote WLAN has two notable features that extend its capabilities:

• LAN port bridging, where the onboard LAN ports for the FortiAP may be configured to connect to the SSID so that wired clients can also benefit from the extension back to the corporate office (see also: FortiWifi and FortiAP Configuration Guide - LAN port options),
• And, Split-tunneling, where the FortiAP can use access control lists (ACLs) to determine what traffic should be sent back to the corporate office versus what traffic may be sent out directly via the FortiAP's local Internet connection (e.g., to reduce unnecessary bandwidth consumption).

However, after enabling split-tunneling for an SSID and deploying the FortiAP for Remote WLAN, administrators will find that the FortiGate will report multiple instances of devices named 'vap-bssid' with DHCP leases from that SSID. In the example below, the DHCP lease list on the FortiGate shows multiple instances of a 'vap-bssid' device that obtained multiple IP addresses from the 10.1.100.0/24 subnet:

The device name 'vap-bssid' actually corresponds to the FortiAPs deployed in the Remote WLAN configuration. When the FortiAP sends the DHCP Request, it includes the DHCP option 12 to specify the hostname as 'vap-bssid':

Dynamic Host Configuration Protocol (Request)

Message type: Boot Request (1)
Hardware type: Ethernet (0x01)
Hardware address length: 6
Hops: 0
Transaction ID: 0x07768607
Seconds elapsed: 0
Bootp flags: 0x8000, Broadcast flag (Broadcast)
Client IP address: 10.1.100.154
Your (client) IP address: 0.0.0.0
Next server IP address: 0.0.0.0
Relay agent IP address: 0.0.0.0
Client MAC address: Fortinet_65:58:c0 (38:c0:xx:xx:xx:ac)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (53) DHCP Message Type (Request)
Option: (57) Maximum DHCP Message Size
Option: (61) Client identifier
Option: (50) Requested IP Address (10.1.100.154)
Option: (54) DHCP Server Identifier (10.1.0.193)
Option: (55) Parameter Request List
Option: (12) Host Name

Length: 9
Host Name: vap-bssid

Option: (60) Vendor class identifier
Option: (255) End

Meanwhile, the FortiGate Device Inventory function (if enabled for the SSID interface) will utilize this information in DHCP Option 12 to learn the device's hostname, which is why the corresponding entry in the DHCP lease list shows as 'vap-bssid'.

As noted above, this behavior, where the FortiAP requests multiple DHCP leases, is expected when the split-tunneling feature is enabled in the SSID configuration. For example:

config wireless-controller vap

    edit 'Office-desk'

        set ssid 'Office-desk'
        set passphrase fortinet
        set schedule 'always'
        set split-tunneling enable

    next

end

With split-tunneling enabled, the FortiAP will require one IP address for each physical interface that is participating in the SSID. This will include at least one IP address for the base MAC address belonging to the wireless radio broadcasting the SSID, and it may also include one additional IP address for each LAN port that is bridged to the same SSID. For example, if a FortiAP has split-tunneling enabled as well as 3x LAN interfaces bridged to that SSID, then it is expected to see that FortiAP requesting a total of 4x IP addresses from the DHCP pool.

To confirm this, SSH into one of the FortiAPs and run the wcfg command. Check for the FortiAP Base MAC address, LAN port MAC addresses, and corresponding IP addresses, then compare them against the entries in the DHCP lease list (those entries will likely show a hostname of 'vap-bssid').

Remote_AP1 # wcfg

base-mac : 38:c0:xx:xx:xx:58
LAN port cnt : 4
port1-cfg : BR-TO-SSID(3) 0 38:c0:xx:xx:xx:59 ssid=Test_SSID vlan_tag=0000 flags=00000041 lsw split
10.1.94.213 255.255.255.0
port2-cfg : offline (0)
port3-cfg : offline (0)
port4-cfg : offline (0)

Note: The port1 MAC address is simply incremented from the Base MAC Address of the FortiAP.

Since this is the expected behavior when using the split-tunneling feature, administrators will need to increase the DHCP address pool size to account for both the IP addresses of connected wireless clients as well as the IP addresses required for the wireless/wired LAN ports on the FortiAP.

For example, if there are 10 FortiAPs in a Remote WLAN configuration with 4 LAN ports, administrators can expect a total of 50 IP addresses to be assigned just to the FortiAPs (10x FortiAPs, each requiring an IP address for the wireless radio plus 4x additional IP addresses for the LAN ports).

Note: Technically, the DHCP addresses are triggered solely by enabling split-tunneling, which CAN be enabled without deploying the FortiAP for Remote WLAN usage. However, the most common use case for FortiAP split-tunneling is with Remote WLAN, and so this article discusses the two features together.

Related documents:

Remote WLAN FortiAPs

LAN port options