Remote WLAN FortiAPs
Remote WLAN FortiAP models enable you to provide a pre-configured WiFi access point to a remote or traveling employee. Once plugged in at home or in a hotel room, the FortiAP automatically discovers the enterprise FortiGate WiFi controller over the Internet and broadcasts the same wireless SSID used in the corporate office. Communication between the WiFi controller and the FortiAP is secure, eliminating the need for a VPN.
By default, all traffic from the remote FortiAP is sent to the FortiGate WiFi controller. If you want to use split tunneling, you can configure which traffic is routed to the FortiGate. Other general Internet traffic is routed unencrypted through the local gateway. Split tunneling avoids loading the FortiGate with unnecessary traffic and allows direct access to local private networks at the location of the FortiAP even if the connection to the WiFi controller goes down.
Configuring the FortiGate for remote FortiAPs
This section assumes that you have already defined SSIDs and now want to make them available to remote FortiAPs.
- Create FortiAP profiles for the Remote WLAN FortiAP models.
  If you were not already using Remote WLAN FortiAP models, you will need to create FortiAP profiles for them. In the FortiAP profile, you specify the SSIDs that the FortiAP will broadcast. For more information, see Creating a FortiAP profile.
- If you want to configure split tunneling, you must do the following:
- enable split tunneling in the FortiGate GUI
- apply split tunneling to a FortiAP profile
- configure split tunneling behavior in the FortiAP CLI
- enable split tunneling in the SSID
- Configure a FortiAP to connect to FortiGate
- Preauthorize a FortiAP for automatic authorization.
Enable split tunneling options
By default, split tunneling options are not visible in the FortiGate GUI. You can make these options visible using the following CLI command:
config system settings
    set gui-fortiap-split-tunneling enable
end
Once you enable split tunneling, you can apply it via the FortiAP profile.
Apply split tunneling
To apply split tunneling - FortiGate GUI
- Go to WiFi & Switch Controller > SSIDs and edit your SSID. In the WiFi Settings section, enable Split Tunneling.
- Go to WiFi & Switch Controller > FortiAP Profiles and edit the FortiAP Profile(s) that apply to the AP types used in the WiFi network. In the Split Tunneling section, enable Include Local Subnet and Split Tunneling Subnet(s). You can enter a list of the destination IP address ranges.
Depending on how you configure split tunneling behavior in the CLI (see Configure split tunneling behavior), you can decide if you want the listed IP addresses to be tunneled to the FortiGate, or if you want to avoid tunneling these IP addresses to the FortiGate.
Configure split tunneling behavior
There are two methods the FortiAP can use to tunnel networks from the remote AP:
- Tunnel: Define the subnets in the profile that you want to tunnel to the FortiGate. These are usually the IP subnets that contain internal corporate applications such as file shares.
  Uncheck the Include Local Subnet option in the FortiAP profile if you want the remote wireless client to be able to communicate with internal devices at their home/remote site.
- Local: Define the subnets that you do not want to be tunneled back to the FortiGate. Use this method if you want all traffic to be inspected by the FortiGate, including traffic destined for the internet. This method is more secure but can add latency to the user's internet browsing.
  Check the Include Local Subnet option in the FortiAP profile if you want the remote wireless client to be able to communicate with internal devices at their home/remote site.
From the FortiGate CLI, enter the following commands to change the split tunneling behavior in a FortiAP profile:
config wireless-controller wtp-profile
    edit <profile_name>
        set split-tunneling-acl-path {tunnel | local}
    end
end
To configure split tunneling addresses
In this example, split tunneling is configured on the example-ssid WiFi network. On FortiAP model 21D, traffic destined for the 192.168.x.x range will not be routed through the FortiGate WiFi controller. This private IP address range is typically used as a LAN by home routers.
config wireless-controller vap
    edit example-ssid
        set split-tunneling enable
end
config wireless-controller wtp-profile
    edit FAP21D-default
        set split-tunneling-acl-local-ap-subnet enable
        config split-tunneling-acl
            edit 1
                set dest-ip 192.168.0.0 255.255.0.0
        end
end
To enter multiple subnets, create a split-tunneling-acl entry for each one.
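To make the two split-tunneling-acl-path modes described above and the ACL example just given concrete, here is an added Python model of the per-packet decision; it is example code written for this page, not Fortinet's implementation. It assumes that enabling split-tunneling-acl-local-ap-subnet appends the AP's own remote-site subnet to the ACL list, that a per-unit override-split-tunnel replaces the profile's list, and that the acl-path value is taken from the profile; the sample subnets are constructed from this page's examples.

```python
import ipaddress

def parse_dest_ip(dest_ip):
    """Parse a FortiOS 'set dest-ip <addr> <mask>' value into an ip_network."""
    addr, mask = dest_ip.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def effective_settings(profile, wtp=None):
    """A per-AP 'override-split-tunnel enable' replaces the profile's settings (assumption)."""
    if wtp and wtp.get("override-split-tunnel") == "enable":
        return wtp
    return profile

def split_decision(dst, settings, acl_path, ap_local_subnet):
    """Return 'tunnel' (sent to the FortiGate) or 'local' (sent out the AP's local gateway).

    settings: dict with 'split-tunneling-acl' (list of dest-ip strings) and
              'split-tunneling-acl-local-ap-subnet' ('enable' or 'disable').
    acl_path: the split-tunneling-acl-path value, 'tunnel' or 'local'.
    ap_local_subnet: the subnet the AP sits on at the remote site (assumed known here).
    """
    dst = ipaddress.ip_address(dst)
    nets = [parse_dest_ip(d) for d in settings["split-tunneling-acl"]]
    # Include Local Subnet adds the AP's own subnet to the ACL list (model assumption)
    if settings.get("split-tunneling-acl-local-ap-subnet") == "enable":
        nets.append(ipaddress.ip_network(ap_local_subnet, strict=False))
    matched = any(dst in n for n in nets)
    if acl_path == "tunnel":      # listed subnets go to the FortiGate, everything else stays local
        return "tunnel" if matched else "local"
    if acl_path == "local":       # listed subnets stay local, everything else goes to the FortiGate
        return "local" if matched else "tunnel"
    raise ValueError(f"unknown split-tunneling-acl-path: {acl_path}")

# Constructed samples mirroring the page's FAP21D-default profile and the per-unit override
PROFILE = {"split-tunneling-acl-local-ap-subnet": "enable",
           "split-tunneling-acl": ["192.168.0.0 255.255.0.0"]}
OVERRIDE = {"override-split-tunnel": "enable",
            "split-tunneling-acl-local-ap-subnet": "enable",
            "split-tunneling-acl": ["192.168.10.0 255.255.255.0"]}

if __name__ == "__main__":
    s = effective_settings(PROFILE)
    for ip in ("192.168.1.20", "10.10.5.5", "203.0.113.7"):
        print(ip, split_decision(ip, s, "local", "192.168.1.0/24"))
```

Running it with the page's profile in local mode shows home-LAN traffic (192.168.x.x) leaving the AP directly while corporate and Internet destinations are tunneled and inspected by the FortiGate.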
To override the split tunneling settings on a FortiAP
If the FortiAP Profile split tunneling settings are not appropriate for a particular FortiAP, you can override the settings on that unit.
config wireless-controller wtp
    edit FAP321C3X14019926
        set override-split-tunnel enable
        set split-tunneling-acl-local-ap-subnet enable
        config split-tunneling-acl
            edit 1
                set dest-ip 192.168.10.0 255.255.255.0
        end
end
Enable split tunneling on SSIDs
Once you create your FortiAP profile, you need to enable split tunneling on the SSIDs you want to use on the remote APs.
- Go to WiFi & Switch Controller > SSIDs and edit the SSIDs the remote AP will use.
- Enable Split Tunneling.
- Click OK.
Configure a FortiAP unit to connect to FortiGate
Prior to providing a remote WLAN FortiAP unit to an employee, you need to preconfigure the FortiAP to connect to your FortiGate WiFi controller.
To pre-configure a FortiAP - GUI
- Plug the FortiAP you want to deploy into a port or VLAN that has DHCP configured.
  If no DHCP server is available, the default IP information to log in to the AP is:
  IP Address: 192.168.1.2
  Subnet Mask: 255.255.255.0
  DGW: 192.168.1.1
- Look for the assigned IP Address on the router or DHCP server.
  If no DHCP server is available, use a cross-over cable to connect your Ethernet port directly to the LAN port on the AP.
  Note: You might need a power adapter for the FortiAP if PoE is not available.
- From a web browser, access your FortiAP at https://<FAP-IP>, where <FAP-IP> is the IP address of the FortiAP.
- Log in with username admin and no password.
- From the FortiAP page, click Local Configuration.
- In the AC Discovery Type field, select how you want the FortiAP to discover the controller and complete any required fields. For more information on discovery methods, refer to Advanced WiFi controller discovery.
  - Auto: Automatically cycle through all six of the discovery methods until it establishes an AC connection.
  - Static: Provide up to three Static IP Addresses (most likely the public facing IP addresses for remote workers).
  - DHCP: Use DHCP Option 138.
  - DNS: Provide up to three FQDN entries that are resolvable by the FortiAP.
  - FortiAP Cloud: Enter your FortiAP Cloud username and password.
- In the AP Data Channel Security field, select IPsec Enabled.
- Click OK to save your changes.
To pre-configure a FortiAP - CLI
- Connect the FortiAP to the FortiGate unit.
- Go to WiFi & Switch Controller > Managed FortiAPs and wait for the FortiAP to be listed. Click Refresh periodically to see the latest information. Note the Connected Via IP address.
- Right-click the row of the FortiAP that you want to connect to and then select >_ Connect to CLI. The CLI Console window opens.
- If the password prompt appears, then enter the required password. By default, no password is set.
- Enter the following commands to set the FortiGate WiFi controller IP address. This IP address is the FortiGate Internet-facing IP address, in this example 172.20.120.142.
  cfg -a AC_IPADDR_1=172.20.120.142
  cfg -c
- To log out of the FortiAP CLI, enter exit.
Preauthorize a FortiAP unit for automatic authorization
By preauthorizing FortiAP units, you facilitate their automatic authorization on the network. Also, you can assign each unit a unique name, such as the employee name, for easier tracking.
- Go to WiFi & Switch Controller > Managed FortiAPs and create a new entry.
- Enter the Serial Number of the FortiAP unit and give it a Name.
- Select the appropriate FortiAP Profile.
- Click OK.
- Repeat steps 1 to 4 for each FortiAP.