Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
misha
New Contributor II

Devices can't see each other across different APs

Hello,

We've got a problem in our network. When devices are connected to two different access points (Local-WiFi-radio and FortiAP-221E), they can't seem to find each other even though they're on the same SSID. But, if they're connected to the same access point, everything works fine. Devices operate in Tunnel mode.

We made sure that the setting which stops devices from talking to each other (client isolation) is turned off on both the access points. Also, we checked that both are set up to work in the same subnet. Still, we're stuck with this issue.


We're using a FortiWiFi 40F and a FortiAP 221-E.

Problem:
ClientA -> FortiAP1 -> FortiGate (FortiWiFI)-> FortiAP2(FortiWiFi) -> ClientB - Ping Fail
ClientA -> FortiAP1 -> FortiGate (FortiWiFI)-> FortiAP1 -> ClientB - Ping Success
ClientA -> FortiAP2(FortiWiFi) -> FortiGate (FortiWiFI) -> FortiAP2(FortiWiFi) -> ClientB - Ping Success

AEK
Honored Contributor

Hi Misha

Please run the following on FG while you are pinging from client A to client B.

diagnose debug enable
diagnose debug flow filter saddr x.x.x.x  (Client-A IP)
diagnose debug flow filter daddr y.y.y.y   (Client-B IP)
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
AEK
misha
New Contributor II

Thank you!
I followed these instructions and there is nothing in the output. Moreover, when ping works and devices see each other (devices connected to the same access point), there is nothing either. Traffic does not pass through FortiGate. At the same time, the SSID traffic mode is in Tunnel mode, and both access points are also in Tunnel mode.

hbac
Staff

Hi @misha,

Can you check if you have this option enabled? https://community.fortinet.com/t5/FortiAP/Techincal-Tip-How-Block-intra-SSID-traffic-option-on-ssid/...

Regards,

misha
New Contributor II

It is disabled

ebilcari
Staff

Have you tried to disable "Broadcast suppression" in SSID configurations?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
misha
New Contributor II

Hello, it doesn't work.

ebilcari

If the end hosts are Windows hosts, you can check the ARP table to see if there is an entry for the respective node. From CMD, use the command:

>arp -a

- Emirjon
Skytech1
New Contributor III

Hi Misha,

By default, in tunnel mode, each SSID in tunnel mode will be considered as an interface, so if you want to enable communication between devices connected to different interfaces, you will have to make firewall policies. Do you have those in place between interfaces?

Regards,

Andres

misha
New Contributor II

Hello! Thank you and sorry for waiting.
I know the interface of my external FortiAP and I have policies
FortiAP1->WiFi-SSID ALLOW
WiFi-SSID->FortiAP1 ALLOW
But I don't know how to configure a firewall rule for FortiAP2 (FortiWiFi). I see that FortiAP2 (FortiWiFi) has an address of 127.0.0.1 (see screenshot).
