Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Lars11
New Contributor

How to setup a remote FortiAP 14C

Hi all,

 

I tried to set up a FortiAP 14C for the first time and have some questions.

 

One of our customers wants to connect a few branches with the HQ, using FortiAP 14C on the remote side and a FortiGate 40C in the HQ. Each FortiAP should connect devices via WLAN and LAN with the company's network as well as offer them access to the Internet.

 

I found several videos and documents describing the setup of 14C as an AP for WLAN and LAN and following them, I could establish connections as wanted. But this works only, when the FortiAP 14C is located in the same network as the FortiGate 40C. My expectation was, that - if this works fine - I could bring the AP to the branch and the same functionality would be available. But unfortunately, the AP does not establish a VPN connection to the 40C.

 

So, obviously, I misunderstood the setup.

 

Unfortunately, I don't find a document or video which describes the necessary configuration tasks for our environment. So my questions are:

 

1. Does anybody have a link to information, which will help me to correct the setup?

 

2. Is there a way to configure the AP without being near  the 40C? Problem is, that our customer is located 300 km away from our office. If I have to go there to configure the AP, I have no possibility to check the functionality, because I don't have external Internet access there beside the one of the 40C. So if I think, the setup is correct, I have to drive back to our office or to one of the branches to test the device and if there is still something wrong, I've to drive back to the customer's HQ.

 

Would be great to get some help from one of you!

 

 

Regards, Lars

1 Solution
Bromont_FTNT

Yes, CAPWAP on wan1 is enough. You'll want to make sure to enable DTLS on the AP profile so that CAPWAP tunnel is encrypted.

View solution in original post

14 REPLIES 14
Bromont_FTNT
Staff
Staff

 

Have you configured the APs to connect to the public IP address of the 40C? Do you have CAPWAP enabled on the wan port of the 40C?

Lars11

I configured the public IP address of the 40C as "AC IP Address 1" in the 14Cs.   The WAN1 interface of the 40C is not enabled for CAPWAP in general yet. It's enabled for two VPN tunnels bound to WAN1, but not on the interface itself. Can I do that without implications to the VPN tunnels without CAPWAP (there are also those bound to that interface)?   Additional question: There is a radio button "Dedicated to FortiAP", which is not enabled. Is this obsolete for our situation?   Thanks, Lars

Bromont_FTNT

If you have the public IP of the 40C configured as the AC IP address on the 14C then CAPWAP needs to be enabled on the wan port. If you want to use the VPN tunnels instead then configure the 14C to use one of the internal IPs of the 40C 

Lars11

Will CAPWAP enabled really affect the tunnels?

 

There are four defined on WAN1: Two are tunnels with Netgear devices on the other sides, one is for mobile users using FortiClient. Two of them use CAPWAP already.

 

Here's a screenshot with the current config:

 

 

Isn't it enough to turn on CAPWAP on WAN1 directly?

 

Many thanks for your assistance!

 

Bromont_FTNT

Yes, CAPWAP on wan1 is enough. You'll want to make sure to enable DTLS on the AP profile so that CAPWAP tunnel is encrypted.

Lars11

To enable DTLS in the AP profile, it's not necessary to connect the AP directly to the FortiGate? That could be done later, even when it'll be installed in the remote location already, right?

Bromont_FTNT

Yes, you can enable DTLS later on after the 14C is already connected to the 40C remotely. This is done via CLI:

 

#config wireless-controller wtp-profile
#edit <14C_profile>
#set  dtls-policy dtls-enabled
#end
Lars11

Many thanks for your assistance, enabling CAPWAP on WAN1 was the solution. The APs now connect with the 40C in the HQ.

 

Unfortunately I've another problem now:

 

Using a Win7-based PC connected to one of the APs works fine: I could surf the web as well as use servers in the HQ. But there is one application in the HQ which needs access to the harddrive of the Win7 PC by using "net use \\ipaddress\sharename".

 

Whatever I've tried, I'm not able to access the harddrive of a device connected to an AP. The other way round works fine. Do you have any idea? Actually I can't even send a ping from the HQ to the PC. So embarassing... :(

 

Regards, Lars

gschmitt
Valued Contributor

1. Windows Firewall (deactivate and check if it works, you can fret about the "which rule exactly" (Datei und Druckerfreigabe SMB, Domain/Private/Public, Enable, All etc) later)

2. Check if you have a policy internal > wifi interface

Source Address: internalnetwork

Destination Address: WifiNetwork

Service: SMB (or all)

Accept

Labels
Top Kudoed Authors