Remote WLAN FortiAP models enable you to provide a pre-configured WiFi access point to a remote or traveling employee. Once plugged in at home or in a hotel room, the FortiAP automatically discovers the enterprise FortiGate WiFi controller over the Internet and broadcasts the same wireless SSID used in the corporate office. Communication between the WiFi controller and the FortiAP is secure, eliminating the need for a VPN.
By default, all traffic from the remote FortiAP is sent to the FortiGate WiFi controller. If split tunneling is configured, only traffic destined for the corporate office networks is routed to the FortiGate. Other general Internet traffic is routed unencrypted through the local gateway. Split tunneling avoids loading the FortiGate with unnecessary traffic and allows direct access to local private networks at the location of the FortiAP even if the connection to the WiFi controller goes down.
Configuring the FortiGate for remote FortiAPs
This section assumes that you have already defined SSIDs and now want to make them available to remote FortiAPs.
- Create FortiAP profiles for the Remote LAN FortiAP models
- If split tunneling will be used
- configure override split tunneling in Managed FortiAPs
- enable split tunneling in the SSID
- configure the split tunnel networks in the FortiAP profile
To create FortiAP profiles
If you were not already using Remote LAN FortiAP models, you will need to create FortiAP profiles for them. In the FortiAP profile, you specify the SSIDs that the FortiAP will broadcast. For more information, see Creating a FortiAP profile.
To override split tunneling
Go to WiFi & Switch Controller > Managed FortiAPs and edit your managed APs. When preconfiguring the AP to connect to your FortiGate WiFi controller, you can choose to override split tunneling, optionally including the local subnet of the FortiAP.
To enable split tunneling options
By default, split tunneling options are not visible in the FortiGate GUI. You can make these options visible using the following CLI command:
config system settings
set gui-fortiap-split-tunneling enable
To configure split tunneling - FortiGate GUI
Go to WiFi & Switch Controller > SSID and edit your SSID. In the WiFi Settings section, enable Split Tunneling.
Go to WiFi & Switch Controller > FortiAP Profiles and edit the FortiAP Profile(s) that apply to the AP types used in the WiFi network. In the Split Tunneling section, enable Include Local Subnet and Split Tunneling Subnet(s), where you can enter a list all of the destination IP address ranges that should not be routed through the FortiGate WiFi controller. Packets for these destinations will instead be routed through the remote gateway local to the FortiAP.
The list of split tunneling subnets includes public Internet destinations and private subnets local to the FortiAP. Split tunneling public Internet destinations reduces traffic through the FortiGate unit. Split tunneling local private subnets allows these networks to be accessible to the client behind the FortiAP. Otherwise, private network IP destinations are assumed to be behind the FortiGate WiFi controller.
To configure split tunneling - FortiGate CLI
In this example, split tunneling is configured on the example-ssid WiFi network. On FortiAP model 21D, traffic destined for the 192.168.x.x range will not be routed through the FortiGate WiFi controller. This private IP address range is typically used as a LAN by home routers.
config wireless-controller vap
set split-tunneling enable
config wireless-controller wtp-profile
set split-tunneling-acl-local-ap-subnet enable
set dest-ip 192.168.0.0 255.255.0.0
To enter multiple subnets, create a split-tunneling-acl entry for each one.
To override the split tunneling settings on a FortiAP
If the FortiAP Profile split tunneling settings are not appropriate for a particular FortiAP, you can override the settings on that unit.
config wireless-controller wtp
set override-split-tunnel enable
set split-tunneling-acl-local-ap-subnet enable
set dest-ip 192.168.10.0 255.255.255.0
Configuring a FortiAP unit
Prior to providing a remote WLAN FortiAP unit to an employee, you need to preconfigure the FortiAP to connect to your FortiGate WiFi controller.
To pre-configure a FortiAP
- Connect the FortiAP to the FortiGate unit.
- Go to WiFi & Switch Controller > Managed FortiAPs and wait for the FortiAP to be listed. Click Refresh periodically to see the latest information. Note the Connected Via IP address.
Right click the row of the FortiAP that you want to connect to and then select >_ Connect to CLI.
The CLI Console window opens.
- If the password prompt appears, then enter the required password. By default, no password is set.
- Enter the following commands to set the FortiGate WiFi controller IP address. This IP address is the FortiGate Internet-facing IP address, in this example 172.20.120.142.
cfg -a AC_IPADDR_1=172.20.120.142
- To log out of the FortiAP CLI, enter exit.
- To close the CLI Console window, click the X in the top right corner of the window.
Preauthorizing a FortiAP unit
By preauthorizing FortiAP units, you facilitate their automatic authorization on the network. Also, you can assign each unit a unique name, such as the employee name, for easier tracking.
- Go to WiFi & Switch Controller > Managed FortiAPs and create a new entry.
- Enter the Serial Number of the FortiAP unit and give it a Name. Select the appropriate FortiAP Profile.
- Click OK.
- Repeat steps 1 to 3 for each FortiAP.