- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FAP 221C multiple bridged and tunneled SSIDs Polic...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FAP 221C multiple bridged and tunneled SSIDs Policy problems
Hi,
I have the following situation:
I have configured my FAPs that way that some SSIDs are using tunnelmode. To supply internetaccess for these SSIDs I set up a policy saying Incoming "WLAN SSID" -> Outgoing WAN2, all Services, anytime, NAT.
I have a WAN2 Port, which is set up as Standardroute , but has a lower priority then WAN1 which is used for the Desktop PCs. The idea is to use WAN2 for the WLAN Access (tunnel mode), and WAN1 for the PC-Network.
To make the WAN2 Port used by the WLAN-SSIDs (tunnel mode) I additionally configured policyroutes which say that all traffic coming from the SSIDs IP - Ranges have to go out to the Internet via the WAN2 Port / Wan2 Gateway, which works well.
Now, If I would like to set up another SSID, which should use the WAN1 port for the connection to the internet, I did not get access to the WWW. In my opinion it should work, if I a.) set up the SSID in tunnelmode and add a policy which says that this SSID (incoming) should NAT via WAN1 (outgoing), all services, anytime - but it didn't.
Is this kind of configuration possible?
Are multiple SSIDs in tunnel mode and bridged mode supported?
Labels:
- Labels:
-
5.4
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Once you create wireless SSIDs, it's treated similarly to other wired interfaces on the FGT. I tried the following config on my setup and it works for me.
ssid1(tunnel)-------FGT----WAN1 (172.30.144.15)
ssid2(tunnel)------FGT----WAN2(192.168.3.10)
1) default route points to wan1
2) add a policy route for ssid2 traffic to go out through wan2
3) add ipv4 policy to allow ssid1---wan1 and ssid2---wan2
4) connect wireless stations to both SSIDs and start ping 8.8.8.8
following capture shows that packets from ssid1 and ssid2 go out from right interfaces.
FWF51E3U15000106 # diagnose sniffer packet wan2 icmp interfaces=[wan2] filters=[icmp] 0.639035 192.168.3.10 -> 8.8.8.8: icmp: echo request 0.645582 8.8.8.8 -> 192.168.3.10: icmp: echo reply 1.698976 192.168.3.10 -> 8.8.8.8: icmp: echo request 1.700784 8.8.8.8 -> 192.168.3.10: icmp: echo reply FWF51E3U15000106 # diagnose sniffer packet wan1 icmp
interfaces=[wan1] filters=[icmp] 0.878268 172.30.144.15 -> 8.8.8.8: icmp: echo request 0.879787 8.8.8.8 -> 172.30.144.15: icmp: echo reply 1.882986 172.30.144.15 -> 8.8.8.8: icmp: echo request 1.884527 8.8.8.8 -> 172.30.144.15: icmp: echo reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi and thank you for your reply.
I tried to rebuild you setup. But i get stuck at the beginning.
In my opinion the following config should work in that way that the WLAN-devices get internet access via WAN1 (Standardroute).
The config is as follows:
Standardroute via WAN1 to the Internet, Admin distance 10, Priority 0 (highest). (Info: Standardroute is working, as all PCs on the LAN are able to surf via WAN1)
IPv4 Policy:
Incoming WLAN SSID -> Outgoing WAN1, Source all, Destination all, Service all, NAT
If I am right, there is no need for a policy route for this.
The WLAN-Devices are not able to browse the Internet in this config (or ping 8.8.8.8).
Is the config ok?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: After Rebooting the FGT, the configuration is working. This is not the first time this happens.
Very strange behaviour. :(
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your update. I was just going through your config/comments etc. I work on wireless side and am not that familiar with all the features on FGT. From FGT point of view, wireless interface is pretty much similar to a wired interface.
Related Posts
- Possible memory issues with 7.2.8 997 Views
- FortiEMS/FortiClient - VPN Tunnel with Multiple... 356 Views
- Ipsec Tunnel problem 277 Views
- FortiTray error: stuck at connecting on... 489 Views
- Phase 2 issues - traffic stops... 447 Views
Labels
-
FortiGate
6,729 -
FortiClient
1,341 -
5.2
801 -
5.4
639 -
FortiManager
580 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
345 -
FortiAP
344 -
FortiClient EMS
274 -
FortiMail
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
160 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
82 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
68 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
46 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
32 -
SD-WAN
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Logging
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.