Hi all,
I tried to set up a FortiAP 14C for the first time and have some questions.
One of our customers wants to connect a few branches with the HQ, using FortiAP 14C on the remote side and a FortiGate 40C in the HQ. Each FortiAP should connect devices via WLAN and LAN with the company's network as well as offer them access to the Internet.
I found several videos and documents describing the setup of 14C as an AP for WLAN and LAN and following them, I could establish connections as wanted. But this works only, when the FortiAP 14C is located in the same network as the FortiGate 40C. My expectation was, that - if this works fine - I could bring the AP to the branch and the same functionality would be available. But unfortunately, the AP does not establish a VPN connection to the 40C.
So, obviously, I misunderstood the setup.
Unfortunately, I don't find a document or video which describes the necessary configuration tasks for our environment. So my questions are:
1. Does anybody have a link to information, which will help me to correct the setup?
2. Is there a way to configure the AP without being near the 40C? Problem is, that our customer is located 300 km away from our office. If I have to go there to configure the AP, I have no possibility to check the functionality, because I don't have external Internet access there beside the one of the 40C. So if I think, the setup is correct, I have to drive back to our office or to one of the branches to test the device and if there is still something wrong, I've to drive back to the customer's HQ.
Would be great to get some help from one of you!
Regards, Lars
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Yes, CAPWAP on wan1 is enough. You'll want to make sure to enable DTLS on the AP profile so that CAPWAP tunnel is encrypted.
Have you configured the APs to connect to the public IP address of the 40C? Do you have CAPWAP enabled on the wan port of the 40C?
I configured the public IP address of the 40C as "AC IP Address 1" in the 14Cs. The WAN1 interface of the 40C is not enabled for CAPWAP in general yet. It's enabled for two VPN tunnels bound to WAN1, but not on the interface itself. Can I do that without implications to the VPN tunnels without CAPWAP (there are also those bound to that interface)? Additional question: There is a radio button "Dedicated to FortiAP", which is not enabled. Is this obsolete for our situation? Thanks, Lars
If you have the public IP of the 40C configured as the AC IP address on the 14C then CAPWAP needs to be enabled on the wan port. If you want to use the VPN tunnels instead then configure the 14C to use one of the internal IPs of the 40C
Will CAPWAP enabled really affect the tunnels?
There are four defined on WAN1: Two are tunnels with Netgear devices on the other sides, one is for mobile users using FortiClient. Two of them use CAPWAP already.
Here's a screenshot with the current config:
Isn't it enough to turn on CAPWAP on WAN1 directly?
Many thanks for your assistance!
Yes, CAPWAP on wan1 is enough. You'll want to make sure to enable DTLS on the AP profile so that CAPWAP tunnel is encrypted.
To enable DTLS in the AP profile, it's not necessary to connect the AP directly to the FortiGate? That could be done later, even when it'll be installed in the remote location already, right?
Yes, you can enable DTLS later on after the 14C is already connected to the 40C remotely. This is done via CLI:
#config wireless-controller wtp-profile
#edit <14C_profile>
#set dtls-policy dtls-enabled
#end
Many thanks for your assistance, enabling CAPWAP on WAN1 was the solution. The APs now connect with the 40C in the HQ.
Unfortunately I've another problem now:
Using a Win7-based PC connected to one of the APs works fine: I could surf the web as well as use servers in the HQ. But there is one application in the HQ which needs access to the harddrive of the Win7 PC by using "net use \\ipaddress\sharename".
Whatever I've tried, I'm not able to access the harddrive of a device connected to an AP. The other way round works fine. Do you have any idea? Actually I can't even send a ping from the HQ to the PC. So embarassing... :(
Regards, Lars
1. Windows Firewall (deactivate and check if it works, you can fret about the "which rule exactly" (Datei und Druckerfreigabe SMB, Domain/Private/Public, Enable, All etc) later)
2. Check if you have a policy internal > wifi interface
Source Address: internalnetwork
Destination Address: WifiNetwork
Service: SMB (or all)
Accept
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.