Support Forum
nvelocity
New Contributor

VPN and WIFI

We have a site to site VPN. We need WIFI users to be able to access that site to site VPN. We can't find the "best practice" solution so we have come up with a few options. What is the community doing?

- Have WIFI users on FortiClient VPN direct to remote site (bit of a hassle)
- Have WIFI users VPN to the LAN and then they'll have access to site to site (still a hassle)
- We tried adding a second Phase2 for WIFI to the existing tunnel. That failed.
- Share the WIFI and LAN interfaces. That involves practically reprogramming from scratch and is not very secure. http://docs.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Wireless/wireless-bridging-WiFi-and-wired.html
- Can we place a route and policy on the WIFI interface to get that traffic to the LAN and out the site to site? We have not tried that.

Open to ideas on this one. What's working for you?
4 REPLIES
rwpatterson
Valued Contributor III

On my FWF60B at home, I WiFi into my network, and browse through to all my clients' networks without hassle. Maybe you're missing something in the configuration? As a quick trick, try NATting the WiFi traffic to a subnet that's already working.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
Esteemed Contributor III

To be precise, apply source NAT using an IP pool in the 'wlan' -> 'LAN' policy to mask the WLAN origin. This will have the added benefit that WLAN traffic will be able to open the tunnel if it was down - something you could only achieve with a second phase2 otherwise.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
nvelocity

I think I follow. If you could provide a quick example that would be great. If I understand, use an IP pool to mask WLAN as if it were LAN? Does that require any extra policies or static routes so the WLAN traffic will go over the LAN to the remote subnet via tunnel?
ede_pfau
Esteemed Contributor III

- create an IP pool with ONE unused IP address from your LAN, that is, from <IP> to <IP>
- you need a policy from WLAN to your tunnel to allow traffic from the WLAN clients into it, to access the remote LAN
- in this policy, specify NAT, 'dynamic', choose the IP pool you've just created
- if needed, add another policy from WLAN to WAN, check static NAT so outgoing traffic will be source labeled with the WAN IP which is public; no need for the IP pool here

If you want to access WLAN clients from the remote network then this will require additional effort (hint: 1:1 destination NAT of the whole address space via VIP). You need a corresponding policy of course.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
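The steps Ede lists above, written out as FortiOS CLI, as an added example that is not part of the thread and not the poster's own configuration. It assumes a route-based (interface-mode) IPsec tunnel whose interface is named "to-remote-site", a WiFi interface named "wifi", a LAN on 192.168.1.0/24 and a remote LAN on 10.20.0.0/24; all of these names and addresses are constructed placeholders. The pool holds a single unused LAN address, so every WLAN client reaches the remote site with that one source IP, which matches the remote side's existing Phase2 selectors without a second Phase2.

```fortios
# Address objects for the WLAN clients and the remote LAN (constructed values).
config firewall address
    edit "wlan-clients"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "remote-lan"
        set subnet 10.20.0.0 255.255.255.0
    next
end

# IP pool with ONE unused LAN address: start and end are the same IP.
# 'overload' = many-to-one (PAT), so every WLAN client shares this address.
config firewall ippool
    edit "wlan-to-lan-pool"
        set type overload
        set startip 192.168.1.250
        set endip 192.168.1.250
    next
end

# Route for the remote LAN via the tunnel interface (route-based VPN).
config router static
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set device "to-remote-site"
    next
end

# Policy from WLAN into the tunnel, with dynamic NAT from the pool.
# Traffic matching this policy can also bring the tunnel up if it is down.
# Scope is limited to the remote LAN, not ALL, and traffic is logged so the
# firewall log still identifies the real WLAN client behind the shared NAT IP.
config firewall policy
    edit 0
        set name "wlan-to-remote-lan"
        set srcintf "wifi"
        set dstintf "to-remote-site"
        set srcaddr "wlan-clients"
        set dstaddr "remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "wlan-to-lan-pool"
    next
end

# Optional: WLAN to Internet with plain NAT to the WAN interface address.
# No IP pool here; the outgoing interface IP is used as the source.
config firewall policy
    edit 0
        set name "wlan-to-internet"
        set srcintf "wifi"
        set dstintf "wan1"
        set srcaddr "wlan-clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
```

The remote site will only ever see 192.168.1.250 as the source, so its own logs cannot tell WLAN clients apart; keeping `logtraffic all` on the local policy is what preserves that attribution. On older firmware with a policy-based VPN the tunnel policy is written against the WAN interface with `set action ipsec` instead of `dstintf "to-remote-site"`, and the static route is not needed.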