In this recipe, you will set up a WiFi network with a FortiGate managing a FortiAP in Tunnel mode.
You can configure a FortiAP unit in either Tunnel mode or Bridge mode. Tunnel mode is the default mode for a FortiAP. A FortiAP in Tunnel mode uses a wireless-only subnet for wireless traffic. When a FortiAP is in Bridge mode, the Ethernet and WiFi interfaces are connected (or bridged), allowing wired and wireless networks to be on the same subnet.
For information about using a FortiAP in Bridge mode, see Setting up a WiFi Bridge with a FortiAP.
Go to Network > Interfaces and edit the interface that will connect to the FortiAP (in this example, port 16).
Set Addressing Mode to Dedicate to Extension Device and set an IP/Network Mask.
Connect the FortiAP unit to the interface.
Go to WiFi & Switch Controller > Managed FortiAPs. The FortiAP is listed. It may take a few minutes for the FortiAP to appear. The device is not yet authorized, as indicated by the in the State column.
By default, FortiGate adds newly discovered FortiAPs to the Managed FortiAPs list but does not authorize them. You can disable this in the CLI. See Deploying Wireless Networks.
Highlight the FortiAP unit on the list and select Authorize.
After a few minutes, hit the Refresh button and will appear to tell you that the device is authorized.
Go to WiFi Controller > WiFi Network > SSID and create a new SSID.
Set Traffic Mode to Tunnel to Wireless Controller.
Select an IP/Network Mask for the wireless interface and enable DHCP Server.
Set the WiFi Settings as required and set a secure Pre-shared Key.
Go to WiFi & Switch Controller > FortiAP Profiles and create a new profile.
Set Platform to the FortiAP model you are using (FAP11C in this recipe).
The SSID defaults to Automatically assign Tunnel-mode SSIDs. Your network is assigned.
Go to WiFi Controller > Managed Access Points > Managed FortiAPs and edit the FortiAP. Set FortiAP Profile to use the new profile.
By default, the FortiGate assigns all SSIDs to this profile.
Go to Policy & Objects > IPv4 Policy and create a new policy.
Set Incoming Interface to the SSID and Outgoing Interface to your Internet-facing interface. Confirm that NAT is enabled.
Connect to the SSID with a wireless device. After a connection is established, you are able to browse the Internet.
Go to FortiView > All Sessions to see the traffic allowed by the wireless policy.