Extended cellular WAN of FortiGate
Connect to FortiGate
- Connect your FortiExtender LAN port to the POE-enabled port of FortiGate.
- Enable the FortiExtender Controller on FortiGate.
  - Make sure that your FortiGate enables FortiExtender Controller.
  - Enable CAPWAP access on the FortiGate interface to which FortiExtender is connected.
- Authorize the FortiExtender device.
  - Go to Network > FortiExtender, and wait for the FortiExtender device to be discovered by FortiGate.
  - Bind the device to an interface and authorize it.
# config system global
(global) # set fortiextender enable
(global) # end
The FortiExtender-related GUI is hidden by default. To enable it, go to System > Feature Visibility.
config system interface
edit lan
append allowaccess capwap
end
Once the FortiExtender is discovered, you must authorize it by associating it either with a virtual WAN interface or a VLAN interface.
In FortiGate 5.4 and higher releases, you must manually create either a virtual WAN interface of type FEX-WAN or a VLAN sub-interface, and link it to FortiExtender as part of the authorization process, as illustrated below.
Make sure that FortiExtender and FortiGate are connected on Layer 2 by default. If they are not connected via Layer 2 but can reach each other via Layer-3 networking, configure your FortiExtender with static discovery using the following FortiExtender CLI commands:
config system management fortigate
set ac-discovery-type static
set static-ac-ip-addr 192.168.1.99
set ac-ctl-port 5246
set ac-data-port 25246
end
VLAN mode and performance
With a FEX-WAN type interface, all traffic to and from FortiGate is encapsulated in the CAPWAP data channel, whereas with a VLAN type interface, traffic is sent and received on the VLAN interface. Because there is no encapsulation overhead, VLAN mode delivers better speeds, provided that the VLAN interface is created directly on top of the port through which FortiExtender is connected to FortiGate.
Note that VLAN mode must be explicitly enabled, as it is disabled by default on FortiGate, and that all the FEX-WAN interfaces must be deleted before VLAN mode is enabled.
# config system global
(global) # set fortiextender-vlan-mode enable
(global) # end
Ensure that the VLAN interface is created based on the physical interface of your connected FortiExtender.
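A pre-deployment check for the settings described above, as an added example (not Fortinet's code): it parses a constructed configuration-backup excerpt and reports a disabled controller, CAPWAP missing on the FortiExtender port or allowed on other ports, and FEX-WAN interfaces left in place while VLAN mode is enabled. The `parse` and `audit` names, the `fex_port` argument, the backup's `set allowaccess` form, and the `fext-wan` interface type value are assumptions.

```python
import re
# Constructed FortiGate backup excerpt; "type fext-wan" for FEX-WAN is an assumption.
SAMPLE = """config system global
set fortiextender-vlan-mode enable
end
config system interface
edit "lan"
set allowaccess ping https
next
edit "wan1"
set allowaccess ping capwap
next
edit "fext-wan1"
set type fext-wan
next
end"""

def parse(text):  # top-level sections only: {section: {entry: {key: [values]}}}
    cfg, section, entry, depth = {}, None, "", 0
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":
            depth += 1  # nested config blocks are skipped, not mis-read
            if depth == 1:
                section, entry = " ".join(tok[1:]), ""
        elif tok[0] == "end":
            depth -= 1
        elif depth == 1 and tok[0] in ("edit", "next"):
            entry = tok[1] if tok[0] == "edit" else ""
        elif depth == 1 and tok[0] == "set":
            cfg.setdefault(section, {}).setdefault(entry, {})[tok[1]] = tok[2:]
    return cfg

def audit(text, fex_port):  # fex_port: port the FortiExtender is cabled to
    cfg = parse(text)
    glob = cfg.get("system global", {}).get("", {})
    ifaces = cfg.get("system interface", {})
    vlan_mode = glob.get("fortiextender-vlan-mode") == ["enable"]
    out = []
    if glob.get("fortiextender") != ["enable"]:
        out.append("global: fortiextender controller not enabled")
    if "capwap" not in ifaces.get(fex_port, {}).get("allowaccess", []):
        out.append(f"{fex_port}: capwap missing from allowaccess")
    for name, s in ifaces.items():
        if name != fex_port and "capwap" in s.get("allowaccess", []):
            out.append(f"{name}: review capwap on a port with no FortiExtender")
        if vlan_mode and s.get("type") == ["fext-wan"]:
            out.append(f"{name}: FEX-WAN interface must be deleted for VLAN mode")
    return out
```

Calling `audit(SAMPLE, "lan")` returns four findings for the constructed excerpt; a configuration that follows the steps above returns an empty list.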
Modem connectivity
FortiExtender allows for multiple modes of operation of the modem from FortiGate.
- Always Connect—By default, this feature is enabled when a FortiExtender is authorized. In this mode, the modem is always connected to the Internet, so the FortiExtender is readily available for Internet access from the FortiGate and can serve as either a primary or backup method of connecting to the Internet. If there are multiple active WAN interfaces on the FortiGate, make sure that the distances of the FortiExtender interface and the other WAN interfaces are configured appropriately.
- On Demand—In this mode, FortiExtender instructs the modem to connect to an ISP for Internet access only upon executing the dial-up command and disconnects only upon a subsequent hang-up command from the FortiGate CLI.
To connect
execute extender dial <SN>
// <SN> is the FortiExtender's serial number.
To disconnect
execute extender hangup <SN>
// <SN> is the FortiExtender's serial number.
Dual FortiExtender operations
Active/Passive mode
By default, each FortiGate device can support up to two FortiExtenders at a time. Typically, the first FortiExtender that it has authorized takes the primary role and the second one takes the secondary role. The primary FortiExtender always provides Internet access and the secondary FortiExtender stays in passive mode. If the primary FortiExtender goes down, the secondary FortiExtender gets activated, and vice versa.
Active/Active mode
To have access to active Internet sessions on both FortiExtenders simultaneously, the role of the secondary FortiExtender needs to be changed to primary.
config extender-controller extender
edit <FEXT serial number>
set role primary
end
// <FEXT serial number> is the serial number of the FortiExtender with the secondary role.
Cellular as backup of Ethernet WAN
In this redundant mode of operation, the FortiExtender daemon running on FortiGate monitors a given WAN link on the FortiGate, and brings up FortiExtender’s cellular Internet access when the WAN link is down and brings down the FortiExtender cellular Internet when the WAN link comes up. For example:
config extender-controller extender
edit <FEXT serial number>
set admin enable
set ifname <fext interface>
set mode redundant
set redundant-intf <WAN interface, i.e., wan1>
end
In this mode of operation, the FortiExtender interface comes up if the WAN interface goes down and goes down if the WAN interface comes up.
ECMP across FEX-wan1 and wan1
To set up Equal-cost multi-path routing (ECMP) to automatically find the best path:
- On the FortiGate UI, go to Router > Static > Settings, and do the following:
- Configure ECMP Load Balancing Method.
- Choose among Source IP based, Weighted Load Balance, Spillover, Source-Destination IP based, and
- Configure your settings as required.
- Go to System > Network > Interfaces and edit FEX-wan1, setting the distance to the same distance as the wan1 interface under Router > Static > Static Routes. (In this example, the distance is 10.)
Now the traffic is shared between the wan1 and FEX-wan1 links according to the ECMP Load Balancing Method used. This deployment can be extrapolated for dual FortiExtender installation.
SD-WAN in FortiOS 5.6 and higher
FortiOS now recognizes and uses FEX as a valid interface within an SD-WAN interface bundle. Using SD-WAN, FortiGate becomes a WAN path controller and supports diverse connectivity methods. With FEX, 3G/4G can be used as a primary connection, a backup interface, or a load-balanced WAN access method with Application-Aware WAN path control selection. It provides high availability and QoS for business-critical applications by using the best effort access for low-priority applications through low-cost links, and backs up service through associations with an FEX link. This enables aggregation of multiple interfaces into a single SD-WAN interface using a single policy.
To accomplish this:
- Add the FortiExtender interface as a member of the SD-WAN interface, as illustrated below.
- Define a load-balancing algorithm, as shown in the following example of volume-based distribution.
- Define your policies for the whole bundle (but not per interface) as illustrated below.
For more information about how to deploy SD-WAN in general, refer to FortiOS documentation.