I have a FAP 221C on a remote site. It is connected to the network 192.168.178.0/24 on the remote site and connects via CAPWAP to the FG on our main site. Now I tried to use split tunneling on the FAP Profile. I want the remote traffic to split into 192.168.99.0/24 behind our FG and the rest of the traffic is supposed to use the remote site's local internet access. So I entered 192.168.99.0/24 to the split tunnel ACL on the profile. This didn't work. I tried a tunnel SSID and a bridge SSID. I couldn't find a cookbook for this. Can anyone help? Do I have to configure anything on the AP directly for this to work? Or is it just not possible with this model since it isn't a "remote" FAP?
You don't need to configure anything on the AP. Split-tunnel only applies to tunnel-mode VAP.
1) enable split tunnel and configure acl under wtp-profile you applied to AP
config wireless-controller wtp-profile
    edit <profile-name>
        set split-tunneling-acl-path tunnel    <---- traffic matching acl below is tunnelled up to FGT. Otherwise, it stays local
        config split-tunneling-acl
            edit 1
                set dest-ip 192.168.99.0 255.255.255.0
2) enable split tunnel under VAP (only for tunnel mode VAP)
FortiWiFi-61E # config wireless-controller vap
FortiWiFi-61E (vap) # edit vap1
FortiWiFi-61E (lwang-tun-2) # set split-tunneling enable
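
An added example, not part of the original posts and not Fortinet code: a small Python check that reads a wtp-profile snippet in the form shown in the answer and reports whether a given destination is tunnelled to the FortiGate or leaves through the remote site's local internet access, which is the traffic the FortiGate never inspects. The sample config and the profile name "remote-site" are constructed, and the handling of the `local` path value is the inverse case, which the thread does not describe.

```python
import ipaddress
import re

# Constructed sample in the shape of the wtp-profile snippet above; the
# profile name "remote-site" is a placeholder, not taken from the thread.
SAMPLE_PROFILE = """\
config wireless-controller wtp-profile
    edit "remote-site"
        set split-tunneling-acl-path tunnel
        config split-tunneling-acl
            edit 1
                set dest-ip 192.168.99.0 255.255.255.0
            next
        end
    next
end
"""

def parse_split_acl(config_text):
    """Return (acl_path, [networks]) read from a wtp-profile config snippet."""
    path = None
    nets = []
    for line in config_text.splitlines():
        m = re.match(r"\s*set split-tunneling-acl-path (tunnel|local)\s*$", line)
        if m:
            path = m.group(1)
            continue
        m = re.match(r"\s*set dest-ip (\S+) (\S+)\s*$", line)
        if m:
            # FortiOS writes "address netmask"; ipaddress accepts addr/netmask.
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    if path is None:
        raise ValueError("split-tunneling-acl-path not set in this snippet")
    return path, nets

def forwarding_for(dest, path, nets):
    """Return 'tunnel' (CAPWAP to the FortiGate) or 'local' (stays at the AP site).

    With path 'tunnel', ACL matches are tunnelled and everything else stays
    local, as the answer states. 'local' is treated as the inverse, which is
    an assumption beyond what the thread describes.
    """
    matched = any(ipaddress.ip_address(dest) in net for net in nets)
    other = "local" if path == "tunnel" else "tunnel"
    return path if matched else other

if __name__ == "__main__":
    acl_path, acl_nets = parse_split_acl(SAMPLE_PROFILE)
    for dest in ("192.168.99.10", "192.168.178.20", "8.8.8.8"):
        print(dest, "->", forwarding_for(dest, acl_path, acl_nets))
```
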