
FortiWiFi and FortiAP Configuration Guide

Configuring a FortiWiFi unit as a wireless client

Tooltip

Wireless client configuration is only available on select FortiWiFi models. See FortiWiFi unit as a wireless client for the list of supported models.

For most models, the FortiWiFi unit cannot operate as an AP while also operating in client mode. However, select models such as the FortiWiFi 80F series can support AP and client mode concurrently.

Caution

Before setting up the FortiWiFi unit as a wireless client using the steps described below, make sure to remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members using the CLI or GUI.

To configure wireless client mode - GUI:
  1. Go to WiFi and Switch Controller > Local WiFi Radio and change the Mode to Wireless Client.

    Note: You must remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members before you can change the mode to Wireless Client. Once you select Wireless Client, the FortiWiFi unit will reboot.

  2. Click Add Network and select an SSID to set up the WiFi connection.

  3. Click OK to save the WiFi Network Connection Setting.
  4. From the Local WiFi Radio page, verify that the WiFi network is connected.

  5. Go to Policy & Object > Firewall Policy and click Create New to create a firewall policy.

  6. Enter the following policy information:

    Incoming Interface (srcintf): wifi

    Source Address (srcaddr): all

    Caution

    For FortiWiFi 80F series models, you must select "aplink" as the destination interface in the firewall policy. Older FortiWiFi models must select "wifi" as the destination interface.

    For more information on the aplink interface, see Understanding FortiWiFi aplink interface.

  7. Configure the remaining fields as needed. When you are finished, click OK.

To configure wireless client mode - CLI:
  1. Change the wireless mode to client.

    config system global
      set wireless-mode client
    end

    Note: You must remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members before you can change the mode to Wireless Client. Once you select Wireless Client, the FortiWiFi unit will reboot.

  2. Set up a wifi-network entry under interface "wifi".

    config system interface
      edit "wifi"
        config wifi-networks
          edit 1
            set wifi-ssid "FOS_61F_psk"
            set wifi-passphrase *
          next
        end
      next
    end
  3. Create a firewall policy from "internal" to "wifi".

    Caution

    For FortiWiFi 80F series models, you must select "aplink" as the destination interface in the firewall policy. Older FortiWiFi models must select "wifi" as the destination interface.

    config firewall policy
      edit 1
        set name "lan"
        set srcintf "internal"
        set dstintf "wifi"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
      next
    end
  4. Connect a wired client to the internal ports of the FortiWiFi to verify that it can pass traffic to the Internet.

Controlled AP selection support in FortiWiFi client mode

Use the following CLI commands to provide a more controlled AP selection method (supported in FortiWiFi client mode).

Syntax:

    config system interface
      edit {name}
        set wifi-ap-band {any | 5g-preferred | 5g-only}
      next
    end

Configuring a FortiWiFi unit to run in concurrent AP and wireless client mode

FortiWiFi 80F/81F-2R-XX models support concurrent AP and Client mode. When the FortiWiFi is configured to run in wireless client mode and the FortiWiFi local radio connects to a third-party SSID, the local radio can concurrently operate in AP mode to provide service to wireless clients.

To configure concurrent AP and wireless client mode - CLI:
  1. Configure the FortiWiFi unit to operate in client mode.

    config system global
      set wireless-mode client
    end
  2. Connect to a third-party SSID, in this example FOS_101F_psk.

    config system interface
      edit "wifi"
        config wifi-networks
          edit 1
            set wifi-ssid "FOS_101F_psk"
            set wifi-passphrase *
          next
        end
      next
    end
    Tooltip

    Optionally, you can configure the wireless client to use a static IP or DHCP by modifying the addressing mode of the WiFi interface:

    config system interface
      edit "wifi"
        set vdom "root"
        set mode static # For static IP. Use "set mode dhcp" for DHCP
        set ip 10.20.80.3 255.255.255.0 # For static IP only
        set allowaccess ping fabric
        set type wireless
        config wifi-networks
          edit 1
            set wifi-ssid "FOS_101F_psk"
            set wifi-passphrase *
          next
        end
      next
    end
  3. Verify the connection between the local radio and the third-party SSID with diag wireless-controller wlsta cfg.

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlsta cfg
    STA intf        name: wlan17
                  status: up
                      ip: 192.168.81.2
                     mac: d4:76:a0:18:e0:8f
            auto connect: yes
               auto save: no
                 ap band: any
        wifi network cnt: 1
                       1: FOS_101F_psk, 8, 1
               connected: FOS_101F_psk
  4. Verify the local radio status when working in AP mode with diag wireless-controller wlac -c wtp.

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlac -c wtp FW81FP-WIFI0 | grep connection
    connection state : Connected

    The FortiWiFi unit can now operate in both AP mode and client mode.

To configure VAP and SSID interfaces on the FortiWiFi local radio profile - CLI:

By default, the FortiWiFi local radio has a FWF-default profile; no other profiles can be applied to the local radio. You can modify the band, channel, and SSID selections in the FWF-default profile to apply to the local radio. Wireless clients that connect to the local radio are subject to the FortiWiFi firewall policies.

  1. Create a new VAP interface and select it in the FWF-default profile.

    config wireless-controller vap
      edit "wifi1"
        set ssid "FOS_lab_psk"
        set passphrase *
      next
    end
    config wireless-controller wtp-profile
      edit "FWF-default"
        config radio-1
          set vap-all manual
          set vaps "wifi1"
        end
        config radio-2
          set vap-all manual
          set vaps "wifi1"
        end
      next
    end

    The local radio applies the profile setting when broadcasting SSIDs.

  2. Verify that these settings are applied with diag wireless-controller wlac -c wtp.

  3. Create a firewall policy from "wifi1" to the "aplink" interface to allow wireless clients to pass traffic from the unit.

    config firewall policy
      edit 1
        set name "wifi1"
        set uuid e0140546-1d0d-51ee-da6c-53fb724051ac
        set srcintf "wifi1"
        set dstintf "aplink"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
      next
    end
  4. Connect a wireless client through the local radio of the FortiWiFi and verify that it has the correct IP and can pass traffic to the Internet with diagnose wireless-controller wlac -d sta online.

    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlac -d sta online
       vf=0 mpId=0 wtp=1 rId=2 wlan=wifi1 vlan_id=0 ip=10.10.80.2 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user= group= signal=-45 noise=-95 idle=0 bw=0 use=5 chan=108 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
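
The check in step 4, automated as an added example (not Fortinet's code): the script parses the `sta online` output and flags stations whose SSID interface, security mode, cipher, or IP address differ from what was configured. The client subnet 10.10.80.0/24 and the second sample station are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample: the first station line is the one shown in step 4;
# the second is invented (not captured output) to exercise the failure path.
SAMPLE = """\
FortiWiFi-81F-2R-POE # diagnose wireless-controller wlac -d sta online
   vf=0 mpId=0 wtp=1 rId=2 wlan=wifi1 vlan_id=0 ip=10.10.80.2 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user= group= signal=-45 noise=-95 idle=0 bw=0 use=5 chan=108 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
   vf=0 mpId=0 wtp=1 rId=2 wlan=wifi1 vlan_id=0 ip=10.10.90.9 ip6=:: mac=02:00:00:00:00:01 vci= host=lab-probe user= group= signal=-80 noise=-95 idle=3 bw=0 use=5 chan=108 radio_type=11AX_5G security=open mpsk= encrypt=none cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=1
"""

# Expected values taken from the VAP "wifi1" example; the subnet is an assumption.
EXPECTED = {"wlan": "wifi1", "security": "wpa2_only_personal", "encrypt": "aes", "online": "yes"}
CLIENT_NET = ipaddress.ip_network("10.10.80.0/24")

def parse_stations(text):
    """Return one dict per station line; tokens without '=' are ignored."""
    stations = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("vf=") or " mac=" not in line:
            continue  # skip the prompt/command echo and blank lines
        fields = {}
        for tok in line.split():
            key, sep, val = tok.partition("=")
            if sep:
                fields[key] = val  # empty values such as 'user=' stay ''
        stations.append(fields)
    return stations

def audit(stations, expected=EXPECTED, net=CLIENT_NET):
    """Return {mac: [findings]} for stations that deviate from the expected settings."""
    report = {}
    for sta in stations:
        findings = [f"{k}={sta.get(k, '<missing>')} (expected {v})"
                    for k, v in expected.items() if sta.get(k) != v]
        try:
            if ipaddress.ip_address(sta.get("ip", "")) not in net:
                findings.append(f"ip={sta['ip']} outside {net}")
        except ValueError:
            findings.append(f"ip={sta.get('ip', '')!r} is not a valid address")
        if findings:
            report[sta.get("mac", "<no mac>")] = findings
    return report

if __name__ == "__main__":
    for mac, findings in audit(parse_stations(SAMPLE)).items():
        print(mac, "->", "; ".join(findings))
```
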