Fortinet Community

mcdaniels · ‎09-07-2017

Hi,

I have the following situation:

I have configured my FAPs that way that some SSIDs are using tunnelmode. To supply internetaccess for these SSIDs I set up a policy saying Incoming "WLAN SSID" -> Outgoing WAN2, all Services, anytime, NAT.

I have a WAN2 Port, which is set up as Standardroute , but has a lower priority then WAN1 which is used for the Desktop PCs. The idea is to use WAN2 for the WLAN Access (tunnel mode), and WAN1 for the PC-Network.

To make the WAN2 Port used by the WLAN-SSIDs (tunnel mode) I additionally configured policyroutes which say that all traffic coming from the SSIDs IP - Ranges have to go out to the Internet via the WAN2 Port / Wan2 Gateway, which works well.

Now, If I would like to set up another SSID, which should use the WAN1 port for the connection to the internet, I did not get access to the WWW. In my opinion it should work, if I a.) set up the SSID in tunnelmode and add a policy which says that this SSID (incoming) should NAT via WAN1 (outgoing), all services, anytime - but it didn't.

Is this kind of configuration possible?

Are multiple SSIDs in tunnel mode and bridged mode supported?

wanglei_FTNT · ‎09-07-2017

Once you create wireless SSIDs, it's treated similarly to other wired interfaces on the FGT. I tried the following config on my setup and it works for me.

ssid1(tunnel)-------FGT----WAN1 (172.30.144.15)

ssid2(tunnel)------FGT----WAN2(192.168.3.10)

1) default route points to wan1

2) add a policy route for ssid2 traffic to go out through wan2

3) add ipv4 policy to allow ssid1---wan1 and ssid2---wan2

4) connect wireless stations to both SSIDs and start ping 8.8.8.8

following capture shows that packets from ssid1 and ssid2 go out from right interfaces.

FWF51E3U15000106 # diagnose sniffer packet wan2 icmp interfaces=[wan2] filters=[icmp] 0.639035 192.168.3.10 -> 8.8.8.8: icmp: echo request 0.645582 8.8.8.8 -> 192.168.3.10: icmp: echo reply 1.698976 192.168.3.10 -> 8.8.8.8: icmp: echo request 1.700784 8.8.8.8 -> 192.168.3.10: icmp: echo reply FWF51E3U15000106 # diagnose sniffer packet wan1 icmp

interfaces=[wan1] filters=[icmp] 0.878268 172.30.144.15 -> 8.8.8.8: icmp: echo request 0.879787 8.8.8.8 -> 172.30.144.15: icmp: echo reply 1.882986 172.30.144.15 -> 8.8.8.8: icmp: echo request 1.884527 8.8.8.8 -> 172.30.144.15: icmp: echo reply

mcdaniels · ‎09-08-2017

Hi and thank you for your reply.

I tried to rebuild you setup. But i get stuck at the beginning.

In my opinion the following config should work in that way that the WLAN-devices get internet access via WAN1 (Standardroute).

The config is as follows:

Standardroute via WAN1 to the Internet, Admin distance 10, Priority 0 (highest). (Info: Standardroute is working, as all PCs on the LAN are able to surf via WAN1)

IPv4 Policy:

Incoming WLAN SSID -> Outgoing WAN1, Source all, Destination all, Service all, NAT

If I am right, there is no need for a policy route for this.

The WLAN-Devices are not able to browse the Internet in this config (or ping 8.8.8.8).

Is the config ok?

mcdaniels · ‎09-08-2017

Update: After Rebooting the FGT, the configuration is working. This is not the first time this happens.

Very strange behaviour. :(

wanglei_FTNT · ‎09-08-2017

Thanks for your update. I was just going through your config/comments etc. I work on wireless side and am not that familiar with all the features on FGT. From FGT point of view, wireless interface is pretty much similar to a wired interface.

Fortinet Community

FAP 221C multiple bridged and tunneled SSIDs Policy problems