Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
springeruk
New Contributor

Third party Wireless access point

Hi all,

 

I had intended to use a low cost Netgear Wireless Access Point connected via ethernet back to my Fortiwifi60D to extend the wireless network, but have just been told that I can only use a Fortigate product to do this. That seems almost impossible to believe as I have never had this restriction with any other firewall/router manufacturer.

 

Before I consider buying a significantly more expensive Fortigate device... Has anyone here ever used a third party wireless access point with a Fortiwifi60D (or any other Fortigate firewall/router)?

 

Thanks.

tanr
Valued Contributor II

If the Netgear WAP is connected via ethernet I would think you should be able to use it for wifi access -- I'm planning on doing something similar by the end of the week.

 

Caveats I've found in the docs and the forum:

- FGT CAPWAP management of a third party WAP won't work - it's FGT specific

- Tunnel to FGT from WAP, like FortiAPs, isn't possible

- If Netgear WAP uses same SSID as 60D, you won't get automatic handoffs between APs, etc., plus you may have to explicitly tell the 60D that your Netgear WAP isn't a rogue AP

 

So if you don't need the management through the FGT, or the tunnel, and if you are either using a different SSID or have the WAP far enough away from the FortiWifi I would think things would be fine.

 

Anyone who's actually set this up want to comment?

springeruk

Thanks for your reply tanr. Yes, you'd think it would be ok wouldn't you?! And no, I don't want to manage it from the Fortinet device. However, an hour on Friday and three hours today on the phone with Fortinet support (not to mention the hours of waiting around for a call!) seem to suggest otherwise.

 

I've brought the Netgear WAP home, plugged it into an ethernet port on my home router and with no changes* whatsoever to the configuration it works immediately.

*In fact it still has the office IP address set which is different to my home network! But that's no surprise the IP is just for management.

 

The SSID is different to the one the Fortiwifi60D is putting out, they're far enough apart (we needed it for this deadzone coverage), but I'm still finding it hard to believe this should not work, it's as if Fortinet have deliberately locked out third party devices.

 

Tell me more about the Rogue AP config, I wonder if I should be looking at that?

 

Thanks.

Bromont_FTNT

A third party AP should work just fine behind any Fortigate.... it's just another network device and not something support will be able to help with unless there's an issue with the FGT itself

tanr
Valued Contributor II

@springeruk

 

I'm hoping the home router you're referring to is behind the FGT?

 

So you've got the WAP hooked up and working, meaning you can connect to whatever SSID it's broadcasting?

 

I think you need to be more specific when you say it's not working.  

For example:

 

1. Can you connect a laptop to the Netgear wifi and see a connection?

2. Assuming your laptop gets its IP through DHCP, is it showing an IP in the WAP's subnet?

3. With that laptop, can you ping the IP of the WAP?

4. With that laptop can you ping the IP of the FGT?  Of an external website?

 

I'm guessing that 1 is a "yes", and "4" is a no?

 

If so, you probably just need to change the IP of your WAP to be within the subnet of whatever FGT interface you've connected it to. Also, the WAP shouldn't be serving out DHCP IPs, it should just let the FGT interface it's on give out the IPs.

 

If you want to keep the WAP with a different IP/subnet, then you'll need to add security policies (and possibly routing) to the FGT

 

Bromont_FTNT

Upload your config to the ticket. I don't see why it wouldn't work from your description.

springeruk

Bromont wrote:

Upload your config to the ticket. I don't see why it wouldn't work from your description.

Hi Bromont

yes, we all agree it 'should' work, you're preaching to the converted there ;)  but it doesn't!

 

I'm not entirely comfortable with uploading my config here as I'm not certain what (potentially sensitive) information I'll be publicly divulging. When you say 'ticket' are you referring to here or the support ticket, i.e., do you work for FGT?

 

 

springeruk

Thanks tanr for your input again. To avoid confusion I've answered your points within the text of your response, preceded with a dash '-'.


 

tanr wrote:

@springeruk

 

I'm hoping the home router you're referring to is behind the FGT?

- No, I actually brought it to my home, the FGT is at the office. Sorry if I wasn't clear about that.

 

So you've got the WAP hooked up and working, meaning you can connect to whatever SSID it's broadcasting?

- Yes, although again for this test it's in my home. So I can connect to my home wifi or the WAP wifi. DHCP is on my home router.

 

I think you need to be more specific when you say it's not working.  

For example:

 

1. Can you connect a laptop to the Netgear wifi and see a connection?

- Yes

 

2. Assuming your laptop gets its IP through DHCP, is it showing an IP in the WAP's subnet?

- The WAP is on the same subnet as the network, it's just an extension of the network connected via ethernet.

- Interestingly it takes 60-70 seconds for devices to be allocated an IP address when connecting via the WAP on the FGT network, whereas it takes just a few seconds (as one would expect) when connected via the WAP on my home network (Connecting a computer to the FGT wifi or any ethernet connection on the FGT network in the office again takes just a few seconds).

 

3. With that laptop, can you ping the IP of the WAP?

- Yes. In fact I can ping any device connected to the network switch on the network but not the FGT (which is connected to the switch) or any devices that are directly connected to LAN ports on the FGT.

 

4. With that laptop can you ping the IP of the FGT?  Of an external website?

- No and No. 

I'm guessing that 1 is a "yes", and "4" is a no?

 

If so, you probably just need to change the IP of your WAP to be within the subnet of whatever FGT interface you've connected it to. Also, the WAP shouldn't be serving out DHCP IPs, it should just let the FGT interface it's on give out the IPs.

- The WAP is on the same subnet

- The WAP isn't (cannot be) serving DHCP, our Win Server serves DHCP and DNS

- Working with FGT yesterday we tried disabling DHCP at the server and enabling it on the FGT, that didn't help.

 

If you want to keep the WAP with a different IP/subnet, then you'll need to add security policies (and possibly routing) to the FGT 

michaelbazy_FTNT

From your answers, it looks a lot like a L2 issue. If you unplug the RJ45 port of the AP, and connect a laptop on it, can you receive an IP address? and ping the FGT?

I'm operating by "Crocker's Rules"
springeruk

michaelbazy wrote:

From your answers, it looks a lot like a L2 issue. If you unplug the RJ45 port of the AP, and connect a laptop on it, can you receive an IP address? and ping the FGT?

Hi Mike

- Yes to both those questions.
