FAP 221C multiple bridged and tunneled SSIDs Policy problems
Hi,
I have the following situation:
I have configured my FAPs in such a way that some SSIDs are using tunnel mode. To supply internet access for these SSIDs I set up a policy saying Incoming "WLAN SSID" -> Outgoing WAN2, all services, anytime, NAT.
I have a WAN2 port, which is set up as default route, but has a lower priority than WAN1, which is used for the desktop PCs. The idea is to use WAN2 for the WLAN access (tunnel mode), and WAN1 for the PC network.
To make the WAN2 port used by the WLAN SSIDs (tunnel mode) I additionally configured policy routes which say that all traffic coming from the SSIDs' IP ranges has to go out to the Internet via the WAN2 port / WAN2 gateway, which works well.
Now, if I would like to set up another SSID, which should use the WAN1 port for the connection to the internet, I did not get access to the WWW. In my opinion it should work, if I a.) set up the SSID in tunnel mode and add a policy which says that this SSID (incoming) should NAT via WAN1 (outgoing), all services, anytime - but it didn't.
Is this kind of configuration possible?
Are multiple SSIDs in tunnel mode and bridged mode supported?
Labels: 5.4
Once you create wireless SSIDs, they are treated similarly to other wired interfaces on the FGT. I tried the following config on my setup and it works for me.
ssid1(tunnel)-------FGT----WAN1 (172.30.144.15)
ssid2(tunnel)------FGT----WAN2(192.168.3.10)
1) default route points to wan1
2) add a policy route for ssid2 traffic to go out through wan2
3) add ipv4 policy to allow ssid1---wan1 and ssid2---wan2
4) connect wireless stations to both SSIDs and start ping 8.8.8.8
The following capture shows that packets from ssid1 and ssid2 go out from the right interfaces.
FWF51E3U15000106 # diagnose sniffer packet wan2 icmp
interfaces=[wan2]
filters=[icmp]
0.639035 192.168.3.10 -> 8.8.8.8: icmp: echo request
0.645582 8.8.8.8 -> 192.168.3.10: icmp: echo reply
1.698976 192.168.3.10 -> 8.8.8.8: icmp: echo request
1.700784 8.8.8.8 -> 192.168.3.10: icmp: echo reply
FWF51E3U15000106 # diagnose sniffer packet wan1 icmp
interfaces=[wan1]
filters=[icmp]
0.878268 172.30.144.15 -> 8.8.8.8: icmp: echo request
0.879787 8.8.8.8 -> 172.30.144.15: icmp: echo reply
1.882986 172.30.144.15 -> 8.8.8.8: icmp: echo request
1.884527 8.8.8.8 -> 172.30.144.15: icmp: echo reply
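Steps 1 to 3 of the reply above, written out as FortiOS CLI (an added example, not configuration posted by anyone in this thread). The interface names ssid1, ssid2, wan1 and wan2 follow the reply's diagram; the angle-bracket values, the entry IDs and the priority value 10 are placeholders or assumptions, and the # lines are annotations to leave out when pasting.

```fortios
# 1) Default routes: wan1 preferred, wan2 kept in the routing table with a
#    lower priority (higher number), as the first post describes.
config router static
    edit 1
        set gateway <WAN1_GATEWAY_IP>
        set device "wan1"
    next
    edit 2
        set gateway <WAN2_GATEWAY_IP>
        set device "wan2"
        set priority 10
    next
end
# 2) Policy route: traffic entering from ssid2 leaves through wan2.
config router policy
    edit 1
        set input-device "ssid2"
        set src "<SSID2_SUBNET>/<SSID2_NETMASK>"
        set dst "0.0.0.0/0.0.0.0"
        set gateway <WAN2_GATEWAY_IP>
        set output-device "wan2"
    next
end
# 3) IPv4 policies: one per SSID/WAN pair, with NAT as in the thread.
config firewall policy
    edit 0
        set srcintf "ssid1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "ssid2"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Step 4 is then the check shown in the reply: ping 8.8.8.8 from a station on each SSID and confirm with diagnose sniffer packet on wan1 and wan2 that each flow leaves the intended interface.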
Hi and thank you for your reply.
I tried to rebuild your setup, but I get stuck at the beginning.
In my opinion the following config should work in such a way that the WLAN devices get internet access via WAN1 (default route).
The config is as follows:
Default route via WAN1 to the Internet, Admin distance 10, Priority 0 (highest). (Info: the default route is working, as all PCs on the LAN are able to surf via WAN1)
IPv4 Policy:
Incoming WLAN SSID -> Outgoing WAN1, Source all, Destination all, Service all, NAT
If I am right, there is no need for a policy route for this.
The WLAN devices are not able to browse the Internet in this config (or ping 8.8.8.8).
Is the config ok?
Update: After rebooting the FGT, the configuration is working. This is not the first time this has happened.
Very strange behaviour. :(
Thanks for your update. I was just going through your config/comments etc. I work on the wireless side and am not that familiar with all the features on the FGT. From the FGT point of view, a wireless interface is pretty much similar to a wired interface.
