Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Remote WLANs and split-tunneling subnets
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Remote WLANs and split-tunneling subnets
Hi all,
I've already checked tons of manuals, forums, kbs and cookbooks, made hundreds of experiments on live hardware, but can't find the way to do very simple thing - negating defined split-tunneling subnets for remote WLANs. I mean subnets, which are defined in config wireless-controller wtp-profile / edit <profile> / conf split-tunneling-acl. It is nice feature but working opposite way it should - defined subnets are NOT routed to wireless controller.
In most cases, traveler with FAP expecting direct access to corp network without other external resources slowdowns, which is 100% occurs, if we route all SSID traffic to WLC. Just imagine, how slow it could be, if remote WLAN deployed in hotel in Hong Kong, but WLC is on duty at Portugal.
So I think it is quite normal to define just one (or few) subnets (internal corporate network) to route via WLC, and rest of traffic should go through local FAP GW. For now, to implement this, and make just one subnet (192.168.0.0/16) to be routed to WLC, I should define 15 subnets in wtp-profile, and it is almost maximum supported number (you can't define more than 16 subnets there). So it is not possible to add even one more routable subnet (lets say, 10.11.232.0/24).
Hope I'm missing something, that's why I decided to post it here - maybe someone already knows how to ...
Thanks!
Solved! Go to Solution.
Labels:
- Labels:
-
5.6
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From release 5.4.6 and 5.6.3, an enhancement in this area has been added. You can set a default action to either Local or tunnel and use ACL to configure exception.
FW80CM3913601573 (S321C) # set split-tunneling-acl-path ? tunnel Split tunneling ACL list traffic will be tunnel. local Split tunneling ACL list traffic will be local NATed
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi crasher,
For 5.6, it will be in 5.6.3 I have corrected original post.
17 REPLIES 17
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As you've already figured through documentation you went through, FortiAP's sprit-tunnel seemed to have been designed to split local sutnet access from the rest going over the CAPWAP tunnel. I'm afraid it wouldn't work for you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
toshiesumi wrote:CAPWAP is not a tunnel, its just provisioning protocol, but thanks for answer.
As you've already figured through documentation you went through, FortiAP's sprit-tunnel seemed to have been designed to split local sutnet access from the rest going over the CAPWAP tunnel. I'm afraid it wouldn't work for you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From release 5.4.6 and 5.6.3, an enhancement in this area has been added. You can set a default action to either Local or tunnel and use ACL to configure exception.
FW80CM3913601573 (S321C) # set split-tunneling-acl-path ? tunnel Split tunneling ACL list traffic will be tunnel. local Split tunneling ACL list traffic will be local NATed
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wanglei@fortinet.com wrote:From release 5.4.6 and 5.6.2, an enhancement in this area has been added. You can set a default action to either Local or tunnel and use ACL to configure exception.
FW80CM3913601573 (S321C) # set split-tunneling-acl-path ?
tunnel Split tunneling ACL list traffic will be tunnel. local Split tunneling ACL list traffic will be local NATed
Hi Wanglei, thank you for help, but unfortunately I don't have such command in 5.6.2, at least on fgt240d.
pmk240d (fap21d-split) # set ?
comment Comment.
dtls-policy WTP data channel DTLS policy.
max-clients Maximum number of STAs supported by the WTP.
handoff-rssi Minimum RSSI value for handoff.
handoff-sta-thresh Threshold value for AP handoff.
handoff-roaming Enable/disable handoff when a client is roaming.
ap-country AP country code.
ip-fragment-preventing Prevent IP fragmentation for CAPWAP tunneled control and data packets.
tun-mtu-uplink Uplink tunnel MTU.
tun-mtu-downlink Downlink tunnel MTU.
split-tunneling-acl-local-ap-subnet Enable/disable split tunneling ACL local AP subnet.
allowaccess Allow management access to managed AP.
login-passwd-change Configuration options for login password of managed AP.
lldp Enable/disable LLDP.
pmk240d (fap21d-split) # set split-tunneling-acl-path
command parse error before 'split-tunneling-acl-path'
I have also 100d with same result on 5.6.2, but have no plans to downgrade to 5.4 branch. Should I additionally set something somewhere to enable this piece of magic?
Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi crasher,
For 5.6, it will be in 5.6.3 I have corrected original post.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wanglei@fortinet.com wrote:Hi crasher,
For 5.6, it will be in 5.6.3 I have corrected original post.
Wow, thanks a lot, it is just great! Hope you release 5.6.3 soon, keeping eye on it.
By the way, I've created Telegram channel with automated firmware releases feed to simplify monitoring on fresh ftnt firmwares. Initially I've done it for myself, but if anyone interested, just join https://t.me/fortifw.
Cheers.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wanglei, hello again, I'm back. :)
wanglei@fortinet.com wrote:Hi crasher,
For 5.6, it will be in 5.6.3 I have corrected original post.
Upgraded to 5.6.3 and tried to use split-tunneling-acl-path with no luck. In my case this command just do nothing. I've made different tests on 100d/240d with fap21d, but unfortunately can't get it work as expected. I've even rebooted AP after modifying wtp-profile, but it does not help (and seems not needed, because changes in profile propagated to AP immediately after clicking OK/pressing Enter after next in cli).
I've made very simple tests just trying to tunnel 192.168.1.0/24 and right after I add it to split-tunnel-acl, it becomes unreachable - it is normal. But no changes after setting split-tunneling-acl-path to tunnel OR local - everything works same way as before, even after reboots/reconnects. So still impossible to invert (negate) ACLs for split tunneling.
Maybe I missing something because there is no any docs available for this feature at this moment?
Thanks in advance for your kind help!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This one from another message thread you answered me
wanglei@fortinet.com wrote:Please post your complete config and we will check it out and get back to you.
Thanks,
Lei
I think it is better to keep everything here.
So, I'm not sure you want complete FG config, or just wireless part? So here it is:
config wireless-controller wtp-profile
edit "fap21d-new"
config platform
set type 21D
end
config lan
set port-mode bridge-to-ssid
set port-ssid "MyFAP21"
end
set ap-country US
set split-tunneling-acl-path tunnel
set split-tunneling-acl-local-ap-subnet enable
config split-tunneling-acl
edit 1
set dest-ip 192.168.1.0 255.255.255.0
next
end
set lldp enable
config radio-1
set band 802.11n-only
set short-guard-interval enable
set auto-power-level enable
set auto-power-high 20
set auto-power-low 2
set wids-profile "default"
set vap-all disable
set vaps "MyFAP21"
set channel "1" "6" "11"
end
next
end
config wireless-controller wtp
edit "FAP21D3U16002729"
set admin enable
set name "fap21d-fortik"
set wtp-profile "fap21d-new"
config radio-1
end
next
end
config wireless-controller vap
edit "MyFAP21"
set vdom "root"
set ssid "fortik"
set schedule "always"
set split-tunneling enable
set multicast-enhance enable
unset broadcast-suppression
set passphrase ENC =*=
next
end
config wireless-controller wids-profile
edit "default"
set comment "Default WIDS profile."
set ap-scan enable
set ap-bgscan-period 300
set ap-scan-passive enable
set wireless-bridge enable
set deauth-broadcast enable
set null-ssid-probe-resp enable
set long-duration-attack enable
set invalid-mac-oui enable
set weak-wep-iv enable
set auth-frame-flood enable
set assoc-frame-flood enable
set spoofed-deauth enable
set asleap-attack enable
set eapol-start-flood enable
set eapol-logoff-flood enable
set eapol-succ-flood enable
set eapol-fail-flood enable
set eapol-pre-succ-flood enable
set eapol-pre-fail-flood enable
next
end
config system interface
edit "MyFAP21"
set vdom "root"
set ip 192.168.22.254 255.255.255.0
set allowaccess ping
set type vap-switch
set scan-botnet-connections block
set device-identification enable
set role lan
set snmp-index 14
config ipv6
set ip6-address 2xxx:xx0:xx41:xx8x::1/64
set ip6-allowaccess ping
set ip6-send-adv enable
set ip6-other-flag enable
config ip6-prefix-list
edit 2xxx:xx0:xx41:xx8x::/64
set autonomous-flag enable
set onlink-flag enable
next
end
end
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tested with below config and it's working fine.
-------------------------- config wtp-profile ------------
FG100D3G15802056 # show wireless-controller wtp-profile FAP14C-default
config wireless-controller wtp-profile
edit "FAP14C-default"
config platform
set type 14C
end
config lan
set port-mode bridge-to-ssid
set port-ssid "splittun"
end
set ap-country US
set split-tunneling-acl-path tunnel
set split-tunneling-acl-local-ap-subnet enable
config split-tunneling-acl
edit 1
set dest-ip 90.90.90.0 255.255.255.0
next
edit 3
set dest-ip 8.8.8.8 255.255.255.255
next
end
set allowaccess telnet http https ssh
config radio-1
set band 802.11n
set darrp enable
set frequency-handoff enable
set vap-all disable
set vaps "splittun"
set channel "1" "6" "11"
end
next
end
---------------- config vap --------------
config wireless-controller vap
edit "splittun"
set vdom "root"
set ssid "spltun-rt"
set schedule "always"
set split-tunneling enable
unset broadcast-suppression
set passphrase ENC U2NJE/4uVNzCEBCtXn8MK6kiSLYqY9z8RUHKg97F9+6hJvsy31Srowzk2/OH2Yv2jbWN00uIdW2miyxw7UVBSqKIJU9g98Vv+dP7QqqJ8WyRkSikML35iThKOuxa2biqCSbHdX/IcAhA1BBGHEuV/fVMbuOpxmEK4HVHpQnBDsRu5PC2ppvZ57vbDtCZl8qrKWIOeQ==
next
end
Maybe you can let me know the AP version and output of ifconfig br0, ifconfig br.ts.0 and vcfg from FAP. You can telnet into the AP
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,694 -
FortiClient
1,762 -
5.2
801 -
FortiManager
729 -
5.4
639 -
FortiAnalyzer
558 -
FortiSwitch
475 -
FortiAP
471 -
FortiClient EMS
431 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
245 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
189 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
103 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
92 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
Certificate
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1712 | |
| 1093 | |
| 752 | |
| 447 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.