Support Layer 3 roaming for tunnel mode

This feature supports Layer 3 roaming between different VLANs and subnets on the same or different Wireless Controller. A client connected to the tunnel mode SSID on one FortiAP can roam to the same SSID on another FortiAP managed by the same or different FortiGate Wireless Controller, and continue to use the same IP. When the client idles longer than the client-idle-rehome-timeout, the client will rehome and receive an address on the new subnet from the new FortiAP.

Currently, this feature can only be configured using the CLI on the FortiGate Wireless Controllers.

This feature supports two topologies:

  • L3 roaming intra-controller

    In this example, there are two FortiAPs (FAP1 and FAP2) managed by one controller. The FortiAPs are located on different floors of the same building. Each FAP is mapped to a different VLAN, but both broadcast the same SSID. The client roams from FAP1 to FAP2 and the L3 handoff is handled by the controller. The client maintains the same IP address.

  • L3 roaming inter-controller

    In this example, there are two controllers (Controller1 and Controller2), each managing one FortiAP (FAP1 and FAP2 respectively). The L3 client roams from Controller1's FAP1 to Controller2's FAP2. Both FAPs have the same SSID, and each FAP has the SSID tied to a different VLAN. The client roams between the two FAPs and the L3 handoff is handled by the mobility tunnel between Controller1 and Controller2. The client maintains the same IP address.

Configuring L3 Roaming for Tunnel Mode SSIDs

To configure Intra-Controller L3 roaming - CLI:
  1. Configure the client-idle-rehome-timeout (default is 20 seconds):

    config wireless-controller timers
      set client-idle-rehome-timeout 20
    end
  2. Configure the SSID with L3 roaming support:

    config wireless-controller vap
      edit "l3_rm1"
        set ssid "l3.roaming"
        set passphrase ENC 
        set schedule "always"
        set l3-roaming enable
      next
    end
    config system interface
      edit "l3_rm1"
        set vdom "root"
        set ip 10.40.1.1 255.255.255.0
        set allowaccess ping
        set type vap-switch
        set role lan
        set snmp-index 18
      next
    end
  3. Assign L3 roaming VAP to FAP433F:

    config wireless-controller wtp-profile
      edit "433F"
        config platform
          set type 433F
          set ddscan enable
        end
        set handoff-sta-thresh 55
        set allowaccess ssh
        config radio-1
          set mode disabled
        end
        config radio-2
          set band 802.11ax-5G
          set power-mode dBm
          set power-value 1
          set channel "36"
          set vap-all manual
          set vaps "l3_rm1"
        end
        config radio-3
          set mode monitor
        end
      next
    end
    config wireless-controller wtp
      edit "FP433FXX00000000"
        set uuid b04f1cca-8528-51ec-2dc0-c744cbef4179
        set admin enable
        set wtp-profile "433F"
        config radio-2
        end
      next
    end
  4. Assign L3 roaming VAP to FAP831F:

    config wireless-controller wtp-profile
      edit "831F"
        config platform
          set type 831F
          set ddscan enable
        end
        set handoff-sta-thresh 55
        set allowaccess ssh
        config radio-1
          set mode disabled
        end
        config radio-2
          set band 802.11ax-5G
          set channel "36" "40"
          set vap-all manual
          set vaps "l3_rm1"
        end
        config radio-3
          set mode disabled
        end
      next
    end
    config wireless-controller wtp
      edit "FP831FXX00000000"
        set uuid 23ed4966-af92-51ec-44e8-3c1318698661
        set admin enable
        set wtp-profile "831F"
        config radio-2
        end
      next
    end
To configure Inter-Controller L3 roaming - CLI:

This configuration requires two FortiGate units. To enable a VAP with L3 roaming support, both FortiGate units must have the same SSID, security type, and passphrase.

The following example uses:

  • AC1 as FGT40F
    • FAP1 as FAP433E
  • AC2 as FGT81EP
    • FAP2 as FAP831F
  1. Configure the L3 roaming peer IP for AC1 (FGT-40F):

    config system interface
      edit "wan"
        set vdom "root"
        set ip 10.43.1.40 255.255.255.0
        set allowaccess ping https ssh http fabric
        set type physical
        set role wan
        set snmp-index 1
      next
    end
    config wireless-controller inter-controller
      set l3-roaming enable
      config inter-controller-peer
        edit 1
          set peer-ip 10.43.1.81
        next
      end
    end
    1. Configure the client-idle-rehome-timeout (default is 20 seconds):

      config wireless-controller timers
        set client-idle-rehome-timeout 20
      end
    2. Configure the SSID with L3 roaming support:

      config wireless-controller vap
        edit "l3_rm1"
          set ssid "l3.roaming"
          set passphrase ENC 
          set schedule "always"
          set l3-roaming enable
        next
      end
      config system interface
        edit "l3_rm1"
          set vdom "root"
          set ip 10.40.1.1 255.255.255.0
          set allowaccess ping
          set type vap-switch
          set role lan
          set snmp-index 18
        next
      end
    3. Assign L3 roaming VAP to FAP433F:

      config wireless-controller wtp-profile
        edit "433F"
          config platform
            set type 433F
            set ddscan enable
          end
          set handoff-sta-thresh 55
          set allowaccess ssh
          config radio-1
            set mode disabled
          end
          config radio-2
            set band 802.11ax-5G
            set power-mode dBm
            set power-value 1
            set channel "36"
            set vap-all manual
            set vaps "l3_rm1"
          end
          config radio-3
            set mode monitor
          end
        next
      end
      config wireless-controller wtp
        edit "FP433FXX00000000"
          set uuid b04f1cca-8528-51ec-2dc0-c744cbef4179
          set admin enable
          set wtp-profile "433F"
          config radio-2
          end
        next
      end
  2. Configure the L3 roaming peer IP for AC2 (FGT-81EP):

    config system interface
      edit "wan"
        set vdom "root"
        set ip 10.43.1.81 255.255.255.0
        set allowaccess ping https ssh http fabric
        set type physical
        set role wan
        set snmp-index 1
      next
    end
    config wireless-controller inter-controller
      set l3-roaming enable
      config inter-controller-peer
        edit 1
          set peer-ip 10.43.1.40
        next
      end
    end
    1. Configure the client-idle-rehome-timeout (default is 20 seconds):

      config wireless-controller timers
        set client-idle-rehome-timeout 20
      end
    2. Configure the SSID with L3 roaming support:

      config wireless-controller vap
        edit "l3_rm1"
          set ssid "l3.roaming"
          set passphrase ENC 
          set schedule "always"
          set l3-roaming enable
        next
      end
      config system interface
        edit "l3_rm1"
          set vdom "root"
          set ip 10.81.2.1 255.255.255.0
          set allowaccess ping speed-test
          set type vap-switch
          set role lan
          set snmp-index 23
        next
      end
    3. Assign L3 roaming VAP to FAP831F:

      config wireless-controller wtp-profile
        edit "831F"
          config platform
            set type 831F
            set ddscan enable
          end
          set handoff-sta-thresh 55
          set allowaccess ssh
          config radio-1
            set mode disabled
          end
          config radio-2
            set band 802.11ax-5G
            set channel "36" "40"
            set vap-all manual
            set vaps "l3_rm1"
          end
          config radio-3
            set mode disabled
          end
        next
      end
      config wireless-controller wtp
        edit "FP831FXX00000000"
          set uuid 23ed4966-af92-51ec-44e8-3c1318698661
          set admin enable
          set wtp-profile "831F"
          config radio-2
          end
        next
      end
  3. Check the peer status from AC1 (FGT-40F):

    FortiGate-40F  # diagnose wireless-controller wlac -c ha
    WC fast failover info
        mode    : disabled 
        l3r     : enabled 
        peer cnt: 1 
                  FG81EPXX00000000 10.43.1.81:5246       UP 2
  4. Check the peer status from AC2 (FGT-81EP):

    FortiGate-81E-POE # diagnose wireless-controller wlac -c ha
    WC fast failover info
        mode    : disabled 
        l3r     : enabled 
        peer cnt: 1 
                  FGT40FXX00000000 10.43.1.40:5246       UP 3
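
The two procedures above (intra-controller and inter-controller) both hinge on a few cross-references being right: the VAP name a wtp-profile radio lists under `set vaps` must match an existing `config wireless-controller vap` entry, each unit's `peer-ip` must be an address the other unit actually owns, and the roaming SSID must agree on both sides in SSID, security and passphrase. The following script is an added example, not Fortinet code: it parses the `config` / `edit` / `set` / `next` / `end` syntax shown on this page into nested dictionaries and runs those checks. The parser covers only the syntax the page shows, the check functions and the `AC1` / `AC2` labels are this example's own, and the sample configurations are constructed to mirror the page's example with a placeholder passphrase.

```python
# Added example: consistency checks for the FortiOS L3 roaming configuration above.
# Not Fortinet code: the parser covers only the config/edit/set/next/end syntax the
# page shows, and the sample configs are constructed (placeholder passphrase).
import shlex


def parse_fortios(text: str) -> dict:
    """config/edit open a nested dict, set stores a value list (shlex keeps quoted
    items such as "36" "40" separate), next/end close the current level."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[7:], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(shlex.split(line[5:])[0], {}))
        elif line.startswith("set "):
            parts = shlex.split(line[4:])
            stack[-1][parts[0]] = parts[1:]
        elif line in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def check_vap_references(cfg: dict) -> list:
    """Every VAP named in a wtp-profile radio's `set vaps` must exist under
    `config wireless-controller vap`; a typo like 13_rm1 for l3_rm1 shows up here."""
    vaps = cfg.get("wireless-controller vap", {})
    return [f"{pname}/{key}: unknown VAP '{v}'"
            for pname, prof in cfg.get("wireless-controller wtp-profile", {}).items()
            for key, radio in prof.items() if key.startswith("radio-")
            for v in radio.get("vaps", []) if v not in vaps]


def _roaming_vaps(cfg: dict) -> dict:
    return {n: v for n, v in cfg.get("wireless-controller vap", {}).items()
            if v.get("l3-roaming") == ["enable"]}


def check_inter_controller(cfg_a: dict, cfg_b: dict, name_a="AC1", name_b="AC2") -> list:
    """l3-roaming enabled on both units, each peer-ip owned by an interface of the
    other unit, and each roaming SSID present on both sides with the same security
    and passphrase (the requirement the page states)."""
    findings = []
    for me, mine, other, theirs in ((name_a, cfg_a, name_b, cfg_b), (name_b, cfg_b, name_a, cfg_a)):
        ic = mine.get("wireless-controller inter-controller", {})
        if ic.get("l3-roaming") != ["enable"]:
            findings.append(f"{me}: inter-controller l3-roaming is not enabled")
        their_ips = {i["ip"][0] for i in theirs.get("system interface", {}).values() if i.get("ip")}
        for peer in ic.get("inter-controller-peer", {}).values():
            pip = peer.get("peer-ip", ["?"])[0]
            if pip not in their_ips:
                findings.append(f"{me}: peer-ip {pip} is not an interface address on {other}")
    b_by_ssid = {v.get("ssid", [""])[0]: v for v in _roaming_vaps(cfg_b).values()}
    for name, vap in _roaming_vaps(cfg_a).items():
        ssid = vap.get("ssid", [""])[0]
        peer = b_by_ssid.get(ssid)
        if peer is None:
            findings.append(f"{name_b}: no l3-roaming VAP with ssid '{ssid}' ({name_a} VAP '{name}')")
            continue
        for field in ("security", "passphrase"):
            if vap.get(field) != peer.get(field):
                findings.append(f"ssid '{ssid}': {field} differs between {name_a} and {name_b}")
    return findings


def sample_config(wan_ip: str, peer_ip: str, profile: str, vap_ref: str) -> str:
    """Constructed sample in the shape of the page's example (not a real export)."""
    return f"""
config system interface
  edit "wan"
    set ip {wan_ip} 255.255.255.0
  next
end
config wireless-controller inter-controller
  set l3-roaming enable
  config inter-controller-peer
    edit 1
      set peer-ip {peer_ip}
    next
  end
end
config wireless-controller vap
  edit "l3_rm1"
    set ssid "l3.roaming"
    set passphrase "PLACEHOLDER-PSK"
    set l3-roaming enable
  next
end
config wireless-controller wtp-profile
  edit "{profile}"
    config radio-2
      set vaps "{vap_ref}"
    end
  next
end
"""


# AC1 deliberately carries a 13_rm1 typo for the l3_rm1 VAP; AC2 references it correctly.
AC1_CONFIG = sample_config("10.43.1.40", "10.43.1.81", "433F", "13_rm1")
AC2_CONFIG = sample_config("10.43.1.81", "10.43.1.40", "831F", "l3_rm1")


def run_checks() -> dict:
    ac1, ac2 = parse_fortios(AC1_CONFIG), parse_fortios(AC2_CONFIG)
    return {"AC1": check_vap_references(ac1), "AC2": check_vap_references(ac2),
            "pair": check_inter_controller(ac1, ac2)}
```

Feed `parse_fortios` the output of `show` from each unit and run `check_vap_references` per unit and `check_inter_controller` on the pair; an empty list means the references line up. The same parsed structure makes it easy to add further checks, for instance flagging `allowaccess` entries such as http or ssh on an interface whose `role` is wan, as the page's example interface has.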

Understanding L3 roaming events for inter-controller L3 roaming for a tunnel mode SSID

When the wireless client is connected to "l3.roaming" on AP1 under AC1, it receives IP 10.40.1.10 through AP1 from AC1:

FortiGate-40F # diagnose wireless-controller wlac -d sta online
   vf=0 wtp=2 rId=2 wlan=l3_rm1 vlan_id=0 ip=10.40.1.10 ip6=fe80::7766:7ffe:ee4d:c396 mac=a4:c3:f0:6d:69:33 vci= host=test-wifi user= group= signal=-65 noise=-95 idle=1 bw=3 use=7 chan=36 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,1 10.43.1.81:5247 -- 10.43.1.40:5247 33,0 online=yes mimo=2

When the client leaves AP1 and roams to AP2, it connects to the same SSID "l3.roaming" on AP2. Wireless traffic from AP2 is sent to AC2, which forwards it to AC1, so the client's traffic continues to be handled by AC1. The wireless client keeps its original IP of 10.40.1.10:

FortiGate-81E-POE # diagnose wireless-controller wlac -d sta online
   vf=0 wtp=3 rId=2 wlan=l3_rm1 vlan_id=0 ip=10.40.1.10 ip6=:: mac=a4:c3:f0:6d:69:33 vci= host= user= group= signal=-66 noise=-95 idle=0 bw=2 use=7 chan=36 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=0,1 0.0.0.0:0 -- 0.0.0.0:0 0,0 online=yes mimo=2

If the wireless client's idle time exceeds client-idle-rehome-timeout, the rehome event is triggered. The wireless client sends a DHCP request and obtains a new IP address from AC2 (10.81.2.20). From this point the client's traffic is handled by AC2:

FortiGate-81E-POE # diagnose wireless-controller wlac -d sta online
   vf=0 wtp=3 rId=2 wlan=l3_rm1 vlan_id=0 ip=10.81.2.20 ip6=:: mac=a4:c3:f0:6d:69:33 vci= host=test-wifi user= group= signal=-65 noise=-95 idle=0 bw=0 use=6 chan=36 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 0.0.0.0:0 -- 0.0.0.0:0 0,0 online=yes mimo=2
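
The three `sta online` listings above show the roaming life cycle entirely through two fields the page does explain: which subnet the client's `ip` belongs to (the controller's own VAP subnet, 10.40.1.0/24 on AC1 and 10.81.2.0/24 on AC2, or the subnet it brought along from the other controller) and `idle` relative to client-idle-rehome-timeout. The script below is an added example, not Fortinet code: it parses the key=value fields of each line, pulls out the `l3r` flags and tunnel endpoints, and classifies each client as home, roamed, or due for rehome. The page does not document what the individual `l3r` flags mean, so they are only extracted, not interpreted; the `roaming_state` and `summarize` functions and the state names are this example's own. The first three sample lines are the page's output; the fourth (`idle=25`) is constructed to show a roamed client past the timeout.

```python
# Added example (not Fortinet code): parse `diagnose wireless-controller wlac -d sta online`
# lines and classify each client's roaming state. The page does not document the l3r flag
# semantics, so the state is derived only from what the page shows: the client's ip versus
# this controller's own VAP subnet, and idle versus client-idle-rehome-timeout.
# The first three sample lines are the page's output; the fourth (idle=25) is constructed.
import ipaddress
import re

KV = re.compile(r"(\w+)=(\S*)")
# After l3r=a,b the output shows two tunnel endpoints: "10.43.1.81:5247 -- 10.43.1.40:5247".
L3R = re.compile(r"l3r=(\d),(\d) (\S+) -- (\S+)")

AC1_LINE = ("vf=0 wtp=2 rId=2 wlan=l3_rm1 vlan_id=0 ip=10.40.1.10 ip6=fe80::7766:7ffe:ee4d:c396 "
            "mac=a4:c3:f0:6d:69:33 vci= host=test-wifi user= group= signal=-65 noise=-95 idle=1 bw=3 "
            "use=7 chan=36 radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes "
            "cp_authed=no l3r=1,1 10.43.1.81:5247 -- 10.43.1.40:5247 33,0 online=yes mimo=2")
AC2_ROAMED = ("vf=0 wtp=3 rId=2 wlan=l3_rm1 vlan_id=0 ip=10.40.1.10 ip6=:: mac=a4:c3:f0:6d:69:33 "
              "vci= host= user= group= signal=-66 noise=-95 idle=0 bw=2 use=7 chan=36 "
              "radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no "
              "l3r=0,1 0.0.0.0:0 -- 0.0.0.0:0 0,0 online=yes mimo=2")
AC2_REHOMED = ("vf=0 wtp=3 rId=2 wlan=l3_rm1 vlan_id=0 ip=10.81.2.20 ip6=:: mac=a4:c3:f0:6d:69:33 "
               "vci= host=test-wifi user= group= signal=-65 noise=-95 idle=0 bw=0 use=6 chan=36 "
               "radio_type=11AC(wave2) security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no "
               "l3r=1,0 0.0.0.0:0 -- 0.0.0.0:0 0,0 online=yes mimo=2")
AC2_STALE = AC2_ROAMED.replace("idle=0", "idle=25")  # constructed: roamed client past the timeout


def parse_sta_line(line: str) -> dict:
    """Return the key=value fields of one sta-online line, plus the l3r flags and
    the two tunnel endpoints that follow them (kept as-is, not interpreted)."""
    sta = dict(KV.findall(line))
    m = L3R.search(line)
    if m:
        sta["l3r_flags"] = (int(m.group(1)), int(m.group(2)))
        sta["l3r_tunnel"] = (m.group(3), m.group(4))
    return sta


def roaming_state(sta: dict, local_subnet: str, rehome_timeout: int = 20) -> str:
    """'home' if the client holds an address from this controller's own VAP subnet;
    otherwise 'roamed' while idle is within client-idle-rehome-timeout and
    'rehome-pending' once idle exceeds it (the trigger the page describes)."""
    if ipaddress.ip_address(sta["ip"]) in ipaddress.ip_network(local_subnet):
        return "home"
    return "roamed" if int(sta["idle"]) <= rehome_timeout else "rehome-pending"


def summarize(lines, local_subnet: str, rehome_timeout: int = 20) -> list:
    """Classify every station line seen on one controller as (mac, ip, state)."""
    out = []
    for line in lines:
        sta = parse_sta_line(line)
        out.append((sta["mac"], sta["ip"], roaming_state(sta, local_subnet, rehome_timeout)))
    return out


if __name__ == "__main__":
    for mac, ip, state in summarize([AC1_LINE], "10.40.1.0/24"):
        print("AC1", mac, ip, state)
    for mac, ip, state in summarize([AC2_ROAMED, AC2_REHOMED, AC2_STALE], "10.81.2.0/24"):
        print("AC2", mac, ip, state)
```

Run it against the output of `diagnose wireless-controller wlac -d sta online` from each controller, passing that controller's own VAP subnet (the `set ip` of its `l3_rm1` interface) and the configured client-idle-rehome-timeout; clients reported as `rehome-pending` are the ones about to re-address on the new subnet, which is the point at which the session's IP changes.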
