Hi everyone,
Sorry if I'm not using the correct forum to post my question...
I'm trying to connect two FortiAP 220B together by using a mesh topology but as I'm using FortiCloud and it seems I'm missing something. I'm trying to replicate the diagram below less the FortiGate as it is replaced by FortiCloud.
FortiAP units used as both mesh root AP and leaf AP
In my configuration, the first AP (A), the mess root, is directly connected to an Ethernet network with an access to the Internet. The second AP (B) should only be able to reach the Internet thru AP "A" because it is not connected physically. The mesh configuration has been made in Forticloud with the 5Ghz radio and the mesh SSID is the only one on this interface.
When looking at the AP "B" in the CLI I can see that both APs are connected together correctly and running (see below) but the IP traffic is never going thru as I'm not able to ping the other AP nor the Internet. I can also see on AP "A" that a client is connected to the mesh network SSID. It is AP "B" but it is displaying the IP address of my Internet service provider?!?!
I've read about everything I can find on the web for configuring a Fortinet wireless mesh network but to be honest I'm out of ideas because nothing I found explain how to do it in FortiCloud. I'm pretty sure I have to authorized the meshed AP "B" somehow but I can't find anything about this in any menus FortiCloud has to offer.
Also, I've read from the FortiCloud Administration Guide at page 27 that mesh support has been added to FortiCloud v3.3.0: https://docs.fortinet.com/uploaded/files/3896/FortiCloud-330-AdminGuide.pdf. I'm running on FortiCloud V3.3.0_0256.
Thanks in advance for any help you could give me!
Here is the extract from the CLI of the remote AP
cw_diag -c mesh
Sys Cfg AP addr mode: static stp mode : 0 dflt ip : 192.168.2.112 dflt mask: 255.255.255.0 dflt gw : 192.168.2.1
Mesh Cfg Uplink : Mesh Uplink AP SSID : meshssid AP BSSID : 00:09:0f:34:aa:a2 AP PASSWD : ****** local eth bridge : 2(Disable)
Mesh Oper AP Type : Mesh Uplink wbh status : [style="background-color: #ffff00;"]running[/style] wbh rId : 0 wbh mac : 72:09:0f:fd:34:30 wbh bssid : 00:09:0f:34:aa:a2 wbh Chan : 44 vap mhc : 1 eth type : 0x0000
main dhcp ip : 0.0.0.0 main dhcp mask : 0.0.0.0 main dhcp gw : 0.0.0.0
bh dhcp ip : 0.0.0.0 bh dhcp mask : 0.0.0.0 bh dhcp gw : 0.0.0.0
main ip : 192.168.2.112 main mask : 255.255.255.0 main gw : 192.168.2.1
bh ip : 0.0.0.0 bh mask : 0.0.0.0 bh gw : 0.0.0.0 bh mac : 00:00:00:00:00:00
eth bridge : 0(Unknown)
Solved! Go to Solution.
Hi All,
1) mesh support with FCLD was added recently and is only available to some of newer AP models ( 220B is not supported)
2) mac-access-control with FCLD is per SSID base and it's only available from 5.6.2. If you are using 220B, unfortunately it's not supported as the model has been EOLed for a while).
I wouldn't be any helpful while this is one of my test items with FortiCloud 3.3.0 and I haven't made any progress yet. By the way, one thing I noticed in your diagram was you don't have to configure mesh SSID on "leaf" AP profile. It just looks for mesh SSID an upstream AP (root or branch) broadcasts. But even if you configured it, it wouldn't prohibit it from acting as "branch" AP. At a glance, only thing we can configure at FortiCloud site seems to be the "Mesh Link" checkbox in SSID config, which should be all we need.
So I don't know why it wouldn't work at this moment. The admin guide is almost useless, which doesn't explain any of "how to configure" but only saying "supported". What kind of "guide" is it if it doesn't tell how? When I tried to figure out what "MAC Access Control" does, I found the guide said "per AP". But the fact seems to be configuring the list of MAC addresses to allow access and attach it to an SSID(s). So not "per AP" but "per SSID".
Thank you Toshi for your reply. From what I'm reading we are at the same place for now...
Let me know if your tests get better results than mine!
Have a good day!
Even MAC Access Control doesn't seem to work. I have a ticket opened with TAC. Probably mesh is on the same boat.
Hi All,
1) mesh support with FCLD was added recently and is only available to some of newer AP models ( 220B is not supported)
2) mac-access-control with FCLD is per SSID base and it's only available from 5.6.2. If you are using 220B, unfortunately it's not supported as the model has been EOLed for a while).
That's good to know. I'll test with 221C/E then.
By the way, I asked this TAC person, who is still researching, but can you tell me how MAC access control work? Is it based on DHCP like FGT wirless-controller's MAC filter? Or special mechanism on the AP to block/filter MAC so that NAT mode/Bridge mode doesn't matter?
I wish that kind of info were available on the 3.3.0 admin guide.
Thanks wanglei. That was not the answer I was seeking but at least it's an answer! :)
I hope Fortinet will produce more documentation around wireless mesh configuration with FortiCloud to avoid others getting trapped by the limitations.
Have a good day!
Thanks for your comments @UserQC and @Toshi,
As far as how MAC-access-control works, basically AP checks whether certain MAC is allowed during association phase. Client might pass association but it couldn't get IP or pass any traffic
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1739 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.