

Data transportation over the LAN extension interface


Data transportation over the LAN extension interface

FortiGate automatically generates a "lan-extension" interface for each FortiExtender that it has authorized. The name of the interface is the same as the FortiExtender entry name.

config extender-controller extender
    edit "FX0015919000027"
        set id "FX201E5919000027"
        set authorized enable
        set device-id 1
        set extension-type lan-extension
        set override-allowaccess enable
        set profile "FX201E-lanext-default"
    next
end
config system interface
    edit "FX0015919000027"
        set vdom "root"
        set type lan-extension
        set role lan
        set snmp-index 26
        set interface "fext-ipsec-ut4Z"
    next
end

This interface is a virtual interface that abstracts all the details of the underlying transport tunneling protocol. You can treat the interface as a LAN interface on the FortiGate. Unlike a physical LAN interface, this "lan-extension" interface connects to the FortiExtender across the internet.

It transparently provides users with a reliable, secure interface. For example, you can configure the IP address of this interface and enable a DHCP server on it.

config system interface
        edit "FX0015919000027"
            set vdom "root"
            set ip 192.168.3.99 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
            set type lan-extension
            set role lan
            set snmp-index 26
           set interface "fext-ipsec-ut4Z"
        next
    end
    config system dhcp server
        edit 3
            set default-gateway 192.168.3.99
            set netmask 255.255.255.0
            set interface "FX0015919000027"
            config ip-range
                edit 1
                    set start-ip 192.168.3.2
                    set end-ip 192.168.3.98
                next
            end
        next
    end

An appropriate firewall policy can be used to forward traffic out of the FortiGate's WAN interface. Assuming that "wan1" is the WAN interface of the FortiGate, you can configure it as follows. Note that this example policy permits all services from all sources on the lan-extension interface; you can apply a stricter firewall policy based on your needs.

config firewall policy
    edit 1
        set name "LAN-EXT"
        set uuid 8b7c21e4-221e-51ec-0a0d-34e7b478557b
        set srcintf "FX0015919000027"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

On the FortiExtender side, the "lan" interface is mapped to the "lan-extension" interface on the FortiGate. You can connect computers directly to any of the LAN ports on the FortiExtender, or place a switch between the LAN ports and the computers. The computers obtain IP addresses from the DHCP server configured on the "lan-extension" interface and can forward traffic out through the FortiGate according to the firewall policy.

Data transportation over the LAN extension interface

FortiGate automatically generates a "lan-extension" interface for each FortiExtender that it has authorized. The name of the interface is the same as the FortiExtender entry name.

config extender-controller extender
    edit "FX0015919000027"
        set id "FX201E5919000027"
        set authorized enable
        set device-id 1
        set extension-type lan-extension
        set override-allowaccess enable
        set profile "FX201E-lanext-default"
    next
end
config system interface
    edit "FX0015919000027"
        set vdom "root"
        set type lan-extension
        set role lan
        set snmp-index 26
        set interface "fext-ipsec-ut4Z"
    next
end

This interface is a virtual interface that abstracts all the details of the underlying transport tunneling protocol. You can treat the interface as a LAN interface on the FortiGate. Unlike a physical LAN interface, this "lan-extension" interface connects to the FortiExtender across the internet.

It transparently provides users with a reliable, secure interface. For example, you can configure the IP address of this interface and enable a DHCP server on it.

config system interface
        edit "FX0015919000027"
            set vdom "root"
            set ip 192.168.3.99 255.255.255.0
            set allowaccess ping https ssh snmp http telnet
            set type lan-extension
            set role lan
            set snmp-index 26
           set interface "fext-ipsec-ut4Z"
        next
    end
    config system dhcp server
        edit 3
            set default-gateway 192.168.3.99
            set netmask 255.255.255.0
            set interface "FX0015919000027"
            config ip-range
                edit 1
                    set start-ip 192.168.3.2
                    set end-ip 192.168.3.98
                next
            end
        next
    end

An appropriate firewall policy can be used to forward traffic out of the FortiGate's WAN interface. Assuming that "wan1" is the WAN interface of the FortiGate, you can configure it as follows. Note that this example policy permits all services from all sources on the lan-extension interface; you can apply a stricter firewall policy based on your needs.

config firewall policy
    edit 1
        set name "LAN-EXT"
        set uuid 8b7c21e4-221e-51ec-0a0d-34e7b478557b
        set srcintf "FX0015919000027"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

On the FortiExtender side, the "lan" interface is mapped to the "lan-extension" interface on the FortiGate. You can connect computers directly to any of the LAN ports on the FortiExtender, or place a switch between the LAN ports and the computers. The computers obtain IP addresses from the DHCP server configured on the "lan-extension" interface and can forward traffic out through the FortiGate according to the firewall policy.