
Data transportation over the LAN extension interface

Data transportation over the LAN extension interface

FortiGate automatically generates an interface of "lan-extension" type for each authorized FortiExtender. The name of the interface is the same as the FortiExtender entry name.

config extender-controller extender
    edit "FX0015919000027"
        set id "FX201E5919000027"
        set authorized enable
        set device-id 1
        set extension-type lan-extension
        set override-allowaccess enable
        set profile "FX201E-lanext-default"
    next
end
config system interface
    edit "FX0015919000027"
        set vdom "root"
        set type lan-extension
        set role lan
        set snmp-index 26
        set interface "fext-ipsec-ut4Z"
    next
end

This is a virtual interface that abstracts away the details of the underlying transport and tunneling protocol. You can treat it as a LAN interface on the FortiGate. Unlike a physical LAN interface, the lan-extension interface connects to a FortiExtender across the Internet.

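The tunneling is transparent to users, so the interface behaves as a reliable, secure interface. For example, you can configure an IP address ("ip") on this interface and enable a DHCP server on it. The example below also sets "allowaccess" to include http and telnet, which are unencrypted management protocols, along with snmp; enable only the management access this interface actually needs, and prefer https and ssh for administration.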

config system interface
        edit "FX0015919000027"
            set vdom "root"
            set ip 192.168.3.99 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
            set type lan-extension
            set role lan
            set snmp-index 26
           set interface "fext-ipsec-ut4Z"
        next
    end
    config system dhcp server
        edit 3
            set default-gateway 192.168.3.99
            set netmask 255.255.255.0
            set interface "FX0015919000027"
            config ip-range
                edit 1
                    set start-ip 192.168.3.2
                    set end-ip 192.168.3.98
                next
            end
        next
    end

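An appropriate firewall policy can be used to forward the traffic out through the FortiGate's WAN interface. Assuming that "wan1" is the WAN interface of the FortiGate, you can configure the policy as follows. The example accepts all source addresses, all destination addresses, and all services; you can apply a stricter firewall policy based on your needs, for instance by limiting "srcaddr" to the lan-extension subnet and "service" to the services the clients require.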

config firewall policy
    edit 1
        set name "LAN-EXT"
        set uuid 8b7c21e4-221e-51ec-0a0d-34e7b478557b
        set srcintf "FX0015919000027"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

On the FortiExtender side, the "lan" interface is mapped to the lan-extension interface on the FortiGate. Computers can be connected directly to any LAN port on the FortiExtender, or through a switch between the LAN port and the computers. The computers get IP addresses from the DHCP server configured on the lan-extension interface, and their traffic is forwarded out through the FortiGate according to the firewall policy.

Data transportation over the LAN extension interface

FortiGate automatically generates an interface of "lan-extension" type for each authorized FortiExtender. The name of the interface is the same as the FortiExtender entry name.

config extender-controller extender
    edit "FX0015919000027"
        set id "FX201E5919000027"
        set authorized enable
        set device-id 1
        set extension-type lan-extension
        set override-allowaccess enable
        set profile "FX201E-lanext-default"
    next
end
config system interface
    edit "FX0015919000027"
        set vdom "root"
        set type lan-extension
        set role lan
        set snmp-index 26
        set interface "fext-ipsec-ut4Z"
    next
end

This is a virtual interface that abstracts away the details of the underlying transport and tunneling protocol. You can treat it as a LAN interface on the FortiGate. Unlike a physical LAN interface, the lan-extension interface connects to a FortiExtender across the Internet.

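The tunneling is transparent to users, so the interface behaves as a reliable, secure interface. For example, you can configure an IP address ("ip") on this interface and enable a DHCP server on it. The example below also sets "allowaccess" to include http and telnet, which are unencrypted management protocols, along with snmp; enable only the management access this interface actually needs, and prefer https and ssh for administration.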

config system interface
        edit "FX0015919000027"
            set vdom "root"
            set ip 192.168.3.99 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
            set type lan-extension
            set role lan
            set snmp-index 26
           set interface "fext-ipsec-ut4Z"
        next
    end
    config system dhcp server
        edit 3
            set default-gateway 192.168.3.99
            set netmask 255.255.255.0
            set interface "FX0015919000027"
            config ip-range
                edit 1
                    set start-ip 192.168.3.2
                    set end-ip 192.168.3.98
                next
            end
        next
    end

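An appropriate firewall policy can be used to forward the traffic out through the FortiGate's WAN interface. Assuming that "wan1" is the WAN interface of the FortiGate, you can configure the policy as follows. The example accepts all source addresses, all destination addresses, and all services; you can apply a stricter firewall policy based on your needs, for instance by limiting "srcaddr" to the lan-extension subnet and "service" to the services the clients require.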

config firewall policy
    edit 1
        set name "LAN-EXT"
        set uuid 8b7c21e4-221e-51ec-0a0d-34e7b478557b
        set srcintf "FX0015919000027"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

On the FortiExtender side, the "lan" interface is mapped to the lan-extension interface on the FortiGate. Computers can be connected directly to any LAN port on the FortiExtender, or through a switch between the LAN port and the computers. The computers get IP addresses from the DHCP server configured on the lan-extension interface, and their traffic is forwarded out through the FortiGate according to the firewall policy.