
New Features

Support internet connectivity for WiFi clients through FortiExtender in LAN-extension mode 7.4.4

Note

This information is also available in the FortiOS 7.4 Administration Guide:

Clients connected to a WiFi access point on a managed FortiExtender can now access the internet, even when FortiGate is in LAN extension mode. This enhancement ensures seamless internet connectivity for WiFi clients through FortiGate's LAN extension interface.

Example

This example describes how to configure a WiFi access point with internet access for a managed FortiExtender (FVA-212F). Following is a summary of the steps:

  1. Create a LAN extension SSID for FortiExtender.

  2. Configure a FortiExtender profile.

  3. Apply the profile to FortiExtender and authorize the device.

  4. Configure the LAN extension interface as a DHCP server.

  5. Configure a firewall policy to allow internet access.

  6. Verify settings.

Creating a LAN extension SSID for FortiExtender

Use the FortiExtender SSIDs tab to create a LAN extension SSID for a managed FortiExtender device.

The SSID name in this example is 2G-lanext.

To create a LAN extension SSID for FortiExtender in the GUI:
  1. Go to Network > FortiExtenders > FortiExtender SSIDs, and click Create New.

  2. Set the following options:

    Type: Select LAN extension.
    SSID: Enter a name, such as 2G-lanext.
    Security Type: Select a type of security.
    Passphrase: Enter a passphrase.

  3. Set the remaining options as desired, and click OK.

To create a LAN extension SSID for FortiExtender in the CLI:
config extension-controller extender-vap
    edit "2G-lan"
        set type lan-ext-vap
        set ssid "2G-lanext"
        set max-clients 0
        set broadcast-ssid enable
        set security WPA2-Personal
        set passphrase 12345678
    next
end

Configuring a FortiExtender profile

Use a FortiExtender profile to define the LAN extension settings, such as the radio band for the LAN extension SSID, to create a WiFi SSID.

The FortiExtender profile in this example is named FVA22F-lanext-default, and the LAN extension named 2G-lanext is selected to create a WiFi SSID named 2G-lanext (2G-lan).

To configure a FortiExtender profile in the GUI:
  1. Go to Network > FortiExtenders, and create a new profile or double-click an existing profile to open it for editing.

  2. Expand WiFi and set the following options:

    2.4 GHz WiFi Radio: Click to display 2 GHz radio band options.
    5 GHz WiFi Radio: Click to display 5 GHz radio band options.
    LAN extension SSID: Select the LAN extension SSID, for example, 2G-lanext.
    Local SSID: Select an SSID.

  3. Set the remaining options as desired, and click OK.

To configure a FortiExtender profile in the CLI:
config extension-controller extender-profile
    edit "FVA22F-lanext-default"
        set id 5
        set model FVA22F
        set extension lan-extension
        config cellular
            config sms-notification
            end
            config modem1
            end
            config modem2
            end
        end
        config lan-extension
            set ipsec-tunnel "fext-ipsec-g18O"
            set backhaul-interface "lan"
            config backhaul
                edit "1"
                    set port wan
                    set role primary
                next
                edit "2"
                    set port lte1
                    set role secondary
                next
            end
        end
        config wifi
            set country CA
            config radio-1
                set mode AP
                set band 2.4GHz
                set status enable
                set operating-standard auto
                set lan-ext-vap "2G-lan"
                set local-vaps "2G"
            end
            config radio-2
                set mode AP
                set band 5GHz
                set status enable
                set operating-standard auto
                set local-vaps "5G"
            end
        end
    next
end

Apply the profile to FortiExtender and authorize the device

Associate the profile with FortiExtender and authorize the device. The profile settings are applied to the device during the authorization process.

To apply the profile and authorize FortiExtender in the GUI:
  1. Go to Network > FortiExtenders, and double-click a FortiExtender device to open its settings.

  2. In the Profile list, select the profile.

  3. Click Authorize.

  4. Set the remaining settings as desired, and click OK.

To apply the profile and authorize FortiExtender in the CLI:
config extension-controller extender
    edit "FV017TF23000004"
        set id "FVA22FTF23000004"
        set authorized enable
        set device-id 0
        set extension-type lan-extension
        set profile "FVA22F-lanext-default"
    next
end

Configuring the LAN extension interface as a DHCP server

Configure the LAN extension interface as a DHCP server to assign IP addresses to WiFi clients.

To configure the LAN extension interface as a DHCP server in the GUI:
  1. Go to Network > Interfaces, and double-click the LAN extension interface to open it for editing.

  2. Enable DHCP Server.

  3. Set Address range, Netmask, and Default gateway.

  4. Set the remaining options as desired, and click OK.

To configure the LAN extension interface as a DHCP server in the CLI:
  1. Assign an IP address to the LAN extension interface:

    config system interface
        edit "FV017TF23000004"
            set vdom "root"
            set ip 172.31.0.254 255.255.255.0
            set allowaccess ping ssh
            set type lan-extension
            set role lan
            set snmp-index 27
            set ip-managed-by-fortiipam enable
            config ipv6
                set ip6-send-adv enable
                set ip6-other-flag enable
            end
            set interface "fext-ipsec-wiUx"
        next
    end

  2. Configure the DHCP server on the LAN extension interface:

    config system dhcp server
        edit 3
            set dns-service default
            set default-gateway 172.31.0.254
            set netmask 255.255.255.0
            set interface "FV017TF23000004"
            config ip-range
                edit 1
                    set start-ip 172.31.0.1
                    set end-ip 172.31.0.254
                next
            end
            set dhcp-settings-from-fortiipam enable
            config exclude-range
                edit 1
                    set start-ip 172.31.0.254
                    set end-ip 172.31.0.254
                next
            end
        next
    end

  3. Confirm that the DHCP server can assign IP addresses to clients connecting to the FortiExtender Virtual Access Point (VAP).

    In this example, an iPhone connects to the FortiExtender 2.4GHz radio VAP named 2G-lan and receives an IP address of 172.31.0.3 from the LAN extension interface.

    execute dhcp lease-list 
    FV017TF23000004
      IP            MAC-Address             Hostname            VCI                 SSID                AP                  SERVER-ID           Expiry
      172.31.0.2    74:78:a6:8b:52:ff       FVA22FTF23000004    FortiExtenderVehicl                                         3                   Fri Apr 19 13:30:48 2024
      172.31.0.3    0a:ba:c9:5f:47:4d

Configuring a firewall policy

Configure a firewall policy with incoming interface set to the LAN extension interface to allow FortiExtender WiFi clients to reach the internet.

To configure a firewall policy to use the LAN extension interface in the GUI:
  1. Go to Policy & Objects > Firewall Policy and double-click the LAN extension policy to open it for editing.

  2. Set Incoming interface to the LAN extension interface.

  3. Set Outgoing Interface.

  4. Set the remaining options as desired, and click OK.

To configure a firewall policy to use the LAN extension interface in the CLI:
config firewall policy
...
    edit 4
        set name "lan-ext"
        set uuid 341c7010-270b-51ec-16b6-309891e3e880
        set srcintf "FV017TF23000004"
        set dstintf "dmz"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
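
The CLI snippets in this example use an eight-digit passphrase, allow SSH on the LAN extension interface, and pass WiFi client traffic through a policy with srcaddr all, dstaddr all, and service ALL. The following check is an added example, not Fortinet code: it parses FortiOS CLI text and reports those three settings so they can be reviewed before a configuration like this is deployed. The finding labels and the 12-character minimum are assumptions of this example.

```python
import shlex

# Constructed input: a subset of the settings from this page's CLI snippets.
SAMPLE = '''
config extension-controller extender-vap
    edit "2G-lan"
        set passphrase 12345678
    next
end
config system interface
    edit "FV017TF23000004"
        set allowaccess ping ssh
        set type lan-extension
    next
end
config firewall policy
    edit 4
        set srcintf "FV017TF23000004"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end
'''

def parse(text):  # -> {(table, entry): {setting: [values]}}, top-level edits only
    out, stack, entry = {}, [], None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":  # leaving a table also forgets its last entry
            stack, entry = stack[:-1], (entry if len(stack) > 1 else None)
        elif len(stack) == 1 and tok[0] == "edit":
            entry = out.setdefault((stack[0], tok[1]), {})
        elif len(stack) == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
    return out

def audit(text, min_len=12):  # min_len: assumed local policy, not a FortiOS rule
    cfg, found = parse(text), []
    lan_ext = {n for (t, n), s in cfg.items()
               if t == "system interface" and s.get("type") == ["lan-extension"]}
    for (t, n), s in cfg.items():
        pw = s.get("passphrase", ["ENC"])[0]  # "ENC" prefixes an encrypted value
        if pw != "ENC" and (len(pw) < min_len or pw.isdigit()):
            found.append((t, n, "weak-passphrase"))
        if n in lan_ext and {"ssh", "http", "https", "telnet"} & set(s.get("allowaccess", [])):
            found.append((t, n, "admin-access-on-client-interface"))
        wide = all([v.lower() for v in s.get(k, [])] == ["all"]
                   for k in ("srcaddr", "dstaddr", "service"))
        if s.get("action") == ["accept"] and set(s.get("srcintf", [])) & lan_ext and wide:
            found.append((t, n, "any-any-policy"))
    return found
```

Calling `audit(SAMPLE)` returns one finding per snippet; the list is empty once the passphrase is lengthened, SSH is removed from `allowaccess`, and the policy names specific services.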

Verifying FortiExtender received the configuration

Verify that FortiExtender received the configuration from FortiGate.

To verify FortiExtender received the configuration:
  1. On the FortiExtender GUI, go to SSIDs, and verify that the device received a LAN extension type of SSID. In this example, the LAN extension type of SSID is named 2G-lanext.

  2. Go to Switch Interface, and verify that the device received the WiFi interface for the LAN extension. In this example, the WiFi interface is named 2G-lan.

  3. Go to Wi-Fi Status, and verify that the WiFi client is connected to the LAN extension SSID. In this example, the client is connected to 2G-lanext.

  4. Confirm the FortiExtender WiFi client can reach the internet.
