- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Configure fortilink for fortiswitch over wifi ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Configure fortilink for fortiswitch over wifi mesh
3/11/2024: I've made some progress and have updated my original post below as needed. Thank you very much, @Anthony_E, for continuing to look for support!
I know this topic has been covered, but I need help. I have a fortiswitch in a separate building from the main firewall and switch. I am trying to connect to that switch via fortilink, but each time I enable the fortilink-p2p on the REMOTE switch ports, my AP's go into a reboot cycle. Here's my configuration:
FG100F(port12) <-> (port23 via fortilink)Fortiswitch(port 7) <-> FAP432F <-> FAP432F <-> (port2)Fortiswitch(port3) <-> client
The VLAN for the APs is 10.
The VLAN for the client is 20.
Following these guides...
Technical Tip: FortiLink over P2P wireless bridge/... - Fortinet Community
FortiSwitch FortiSwitch Devices Managed by FortiOS 7.0 (fortinetweb.s3.amazonaws.com)
Fortilink Managed Switches over Wireless P2P Bridge – J's Stuff (jsstuff.com)
...I have done the below:
Remote switch:
# set fortilink-p2p-native-vlan 10 (I used VLAN 10 because that is the VLAN for the AP's)
# set fortilink-p2p enable on port2 of the switch
Remote (LEAF) AP:
# cfg -a MESH_ETH_BRIDGE=1
# cfg -a MESH_ETH_BRIDGE_VLANS=1,10,20,4094
# cfg -c
Main switch:
# set fortilink-p2p enable on port7 of the switch. The APs go into their reboot loops after I set this.
Questions:
1. Am I supposed to run set fortilink-p2p-native-vlan 10 on BOTH switches? If yes, how will that affect the existing fortilink connection that switch has with firewall? Already found this answer, it is yes.
2. Do I have to run the AP commands (cfg -a ... ) on the ROOT AP as well as the leaf? The guide does not mention the ROOT AP. The cfg -a MESH_ETH... commands mentioned above are not available until you convert your AP into a LEAF AP using cfg -a MESH_TYPE=1. If I do that, then I lose the ROOT AP. You can't have a MESH system without a ROOT. More on this below.
3. What am I missing?
***Today, 3/11/2024, I believe I've narrowed down the problem to the remote switch. I've worked with Fortinet Support who validated my configuration on all the devices. The problem I'm having is that as soon as I enable set fortilink-p2p enable on both switches, the APs start cycling. The ROOT AP will reset, as will the LEAFs. It will take several minutes for the ROOT to recover, a few more minutes for one or both LEAF APs to recover (there are 2 LEAFs total in this infra, but only one has a switch behind it). As soon as the LEAFs go green, the ROOT resets again, and then the LEAFs, rinse and repeat. I started eliminating variables and this is what I've found.
1. I can fully configure the firewall, main switch, and all APs and the wifi will not be affected. Here is the config.
Firewall
set switch-controller-source-ip fixed (setting suggested by Fortinet support)
set fortilink-p2p-native-vlan 200
set fortilink-vlan-optimization enable
Main Switch
set mgmt-vlan 4094 (default setting?)
set fortilink-p2p enable (on port7)
LEAF APs
cfg -a MESH_ETH_BRIDGE=1
cfg -a MESH_ETH_BRIDGE_VLANS=1,10,20,4094
2. After a factory reset of the REMOTE switch, the mgmt-vlan is set to 1 vice 4094. It needs to be set to 4094. The problem is, as soon as I set it to 4094, I lose direct access to the switch. I do not have physical access to the switch. I have a helper on site who connected a spare laptop to the switch on port 1. I remote into that spare laptop to configure the switch. As soon as I set mgmt-vlan 4094, I lose access. I cannot ssh back in using ssh admin@192.168.1.99. Does the IP change? The only option I have is to have my helper do a factory reset, which changes the mgmt-vlan back to 1. Fortinet Support says that has to be 4094. Can I simply change the mgmt-vlan to 1 for all devices?
I think my only option at this point, without traveling to the site and connecting via the console port for more debugging, is to configure and manage this switch as a standalone unit. What are your thoughts??
Thank you for your time and assistance.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiAP
-
FortiSwitch
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After spending the entire day yesterday trying to get a fortiswitch enginner to assist me, I finally have the missing part. The engineer told me that the Fortinet article https://community.fortinet.com/t5/FortiSwitch/Technical-Tip-FortiLink-over-P2P-wireless-bridge-mesh/... is actually outdated and it is missing a key piece of information. One needs to add "set static-isl enable" on the trunk that is formed to the new switch like so:
"config switch trunk
edit "2DPTD2300xxxx-0"
set auto-isl 1
set static-isl enable
set members "port6"
next
end"
Once you add that line, the remote switch that sits over the p2p bridge will come up online and STP will no longer interfere and block it.
I really hope fortinet will update that article..
UPDATE June 10 2024: Good news, the article linked above has been updated. There is another very import fact that needs to be taken into account. Both FortiAP units need to be running 7.2.2 as it is the only internally certified version to work in Mesh mode with P2P transparent bridge. Just keep in mind that as soon as you update your leaf AP to 7.2.2 and configure it to run as a transparent mesh, it will no longer be managed by the FortiGate. No clue how to fix this yet and I don't have time to investigate. But it does work.
- « Previous
-
- 1
- 2
- Next »
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured it out. Please see my reply to OP. It was missing 2 things : FortiAPs need to be running 7.2.2 and "set static-isl enable" needs to be set on both fortilink trunks that are formed. Once you do that, it all works just keep in mind the the leaf AP is no longer able to be managed by the FortiGate. No idea how to fix that part but at least it works.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Having the EXACT same issue.. did you ever get this sorted out ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was never able to make it work. I changed the infrastructure and removed the switch. I simply connected the endpoint directly to the AP then adjusted the firewall and VLAN rules. This works for us because I have only one hardwired endpoint on this AP.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After spending the entire day yesterday trying to get a fortiswitch enginner to assist me, I finally have the missing part. The engineer told me that the Fortinet article https://community.fortinet.com/t5/FortiSwitch/Technical-Tip-FortiLink-over-P2P-wireless-bridge-mesh/... is actually outdated and it is missing a key piece of information. One needs to add "set static-isl enable" on the trunk that is formed to the new switch like so:
"config switch trunk
edit "2DPTD2300xxxx-0"
set auto-isl 1
set static-isl enable
set members "port6"
next
end"
Once you add that line, the remote switch that sits over the p2p bridge will come up online and STP will no longer interfere and block it.
I really hope fortinet will update that article..
UPDATE June 10 2024: Good news, the article linked above has been updated. There is another very import fact that needs to be taken into account. Both FortiAP units need to be running 7.2.2 as it is the only internally certified version to work in Mesh mode with P2P transparent bridge. Just keep in mind that as soon as you update your leaf AP to 7.2.2 and configure it to run as a transparent mesh, it will no longer be managed by the FortiGate. No clue how to fix this yet and I don't have time to investigate. But it does work.
Created on 06-05-2024 06:46 AM Edited on 06-10-2024 07:19 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WOW! You deserve some frothy beverages for running this to ground. I wish the switch engineer I worked with was aware of that setting. I have messaged the moderator responsible for that Tech Tip article, referred to this thread, and asked him to update it.
@wmiller203405, please see the above post, you have to set static-isl enable on the trunk.
UPDATE June 10,2024. Thank you for passing on that critical info. We gain fortilink remote switch management but lose remote leaf AP management. Definitely not ideal, but at least we know.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shawn,
Unfortunately, there is a bug in the FortiAP-432FR device firmware which does not allow mesh mode to work at all. We actually installed UniFi p2p devices and were able to get the fortiswitches working over the wireless bridge with this info. We also had to enable the mgmt vlan on the the fortiswitch to get the gate to recognize it. Should look like the following.
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Wireless NAC limitations with FortiGate 40F... 212 Views
- Blocked traffic 222 Views
- Route traffic using Fortiswitch, but witouth... 215 Views
- Need Help with Configuring SNMP for... 146 Views
- FortiAP 231F not connecting to FG 500 Views
Labels
-
FortiGate
7,160 -
FortiClient
1,413 -
5.2
801 -
5.4
639 -
FortiManager
620 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
376 -
FortiSwitch
373 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
103 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
LDAP
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
SNMP
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1062 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.