Creating FortiAP profiles
If you were not already using Remote LAN FortiAP models, you will need to create FortiAP profiles for them. In the FortiAP profile, you specify the SSIDs that the FortiAP will broadcast. For more information, see “Creating a FortiAP Profile” on page 830.
Configuring split tunneling – FortiGate GUI
Go to WiFi & Switch Controller > SSID and edit your SSID. In the WiFi Settings section, enable Split Tunneling.
Go to WiFi Controller > FortiAP Profiles and edit the FortiAP Profile(s) that apply to the AP types used in the WiFi network. In Split Tunneling Subnets, enter a comma-separated list of all the destination IP address ranges that should not be routed through the FortiGate WiFi controller. Packets for these destinations will instead be routed through the remote gateway local to the FortiAP.
The list of split tunneling subnets includes public Internet destinations and private subnets local to the FortiAP. Split tunneling public Internet destinations reduces traffic through the FortiGate unit. Split tunneling local private subnets allows these networks to be accessible to the client behind the FortiAP. Otherwise, private network IP destinations are assumed to be behind the FortiGate WiFi controller.
Configuring split tunneling – FortiGate CLI
In this example, split tunneling is configured on the example-ssid WiFi network. On FortiAP model 21D, traffic destined for the 192.168.x.x range will not be routed through the FortiGate WiFi controller. This private IP address range is typically used as a LAN by home routers.
config wireless-controller vap
    edit example-ssid
        set split-tunneling enable
    end
config wireless-controller wtp-profile
    edit FAP21D-default
        set split-tunneling-acl-local-ap-subnet enable
        config split-tunneling-acl
            edit 1
                set dest-ip 192.168.0.0 255.255.0.0
            end
    end
To enter multiple subnets, create a split-tunneling-acl entry for each one.
Overriding the split tunneling settings on a FortiAP
If the FortiAP Profile split tunneling settings are not appropriate for a particular FortiAP, you can override the settings on that unit.
config wireless-controller wtp
    edit FAP321C3X14019926
        set override-split-tunnel enable
        set split-tunneling-acl-local-ap-subnet enable
        config split-tunneling-acl
            edit 1
                set dest-ip 192.168.10.0 255.255.255.0
            end
    end
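Because each split-tunneling subnet needs its own split-tunneling-acl entry, and because any subnet placed in the ACL is sent out the FortiAP's local gateway rather than back through the controller, it is worth generating the profile and per-AP override blocks from a single list and checking that list against the ranges that must stay tunneled. The script below is an added example, not part of the Fortinet documentation: it uses Python's standard ipaddress module to convert CIDR prefixes to the dotted netmask form the CLI expects, rejects any split-tunneling subnet that overlaps a protected corporate range (the CORPORATE_SUBNETS values are constructed placeholders), and emits the CLI for the SSID, the FortiAP profile and the per-WTP override described in the two sections above.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample values: ranges that must always be routed back through the
# FortiGate controller, so they must never appear in a split-tunneling ACL.
CORPORATE_SUBNETS = ["10.0.0.0/8", "172.16.0.0/12"]


def overlaps_protected(subnet: str, protected_subnets: Iterable[str]) -> bool:
    """True if the candidate split-tunneling subnet overlaps any protected range."""
    net = ipaddress.ip_network(subnet, strict=True)
    return any(net.overlaps(ipaddress.ip_network(p)) for p in protected_subnets)


def validate_split_subnets(split_subnets: Iterable[str],
                           protected_subnets: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse the split-tunneling subnets, refusing any that would bypass the controller."""
    protected = list(protected_subnets)
    networks = []
    for subnet in split_subnets:
        if overlaps_protected(subnet, protected):
            raise ValueError(f"{subnet} overlaps a protected subnet; "
                             "traffic to it would leave via the AP's local gateway")
        networks.append(ipaddress.ip_network(subnet, strict=True))
    return networks


def render_acl(networks: List[ipaddress.IPv4Network], indent: str) -> List[str]:
    """One 'edit N' entry per subnet, with dest-ip in 'address netmask' form."""
    lines = [f"{indent}config split-tunneling-acl"]
    for entry_id, net in enumerate(networks, start=1):
        lines.append(f"{indent}    edit {entry_id}")
        lines.append(f"{indent}        set dest-ip {net.network_address} {net.netmask}")
        lines.append(f"{indent}    next")
    lines.append(f"{indent}end")
    return lines


def ssid_cli(ssid: str) -> str:
    """Enable split tunneling on the SSID (wireless-controller vap)."""
    return "\n".join(["config wireless-controller vap", f"    edit {ssid}",
                      "        set split-tunneling enable", "    next", "end"])


def profile_cli(profile_name: str, split_subnets: Iterable[str],
                protected_subnets: Iterable[str] = CORPORATE_SUBNETS) -> str:
    """FortiAP profile block carrying the split-tunneling ACL."""
    nets = validate_split_subnets(split_subnets, protected_subnets)
    lines = ["config wireless-controller wtp-profile", f"    edit {profile_name}",
             "        set split-tunneling-acl-local-ap-subnet enable"]
    lines += render_acl(nets, "        ")
    lines += ["    next", "end"]
    return "\n".join(lines)


def wtp_override_cli(wtp_serial: str, split_subnets: Iterable[str],
                     protected_subnets: Iterable[str] = CORPORATE_SUBNETS) -> str:
    """Per-AP override of the profile's split-tunneling settings."""
    nets = validate_split_subnets(split_subnets, protected_subnets)
    lines = ["config wireless-controller wtp", f"    edit {wtp_serial}",
             "        set override-split-tunnel enable",
             "        set split-tunneling-acl-local-ap-subnet enable"]
    lines += render_acl(nets, "        ")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Values from the documentation's own example, plus a constructed second subnet.
    print(ssid_cli("example-ssid"))
    print(profile_cli("FAP21D-default", ["192.168.0.0/16"]))
    print(wtp_override_cli("FAP321C3X14019926", ["192.168.10.0/24", "192.168.20.0/24"]))
```

Run it once with the real corporate ranges in place of the placeholders and paste the output into the FortiGate CLI; a ValueError means the split list would have carved a hole in the tunnel for a subnet that should stay behind the controller.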
How do I set split tunneling for public Internet destinations? There is no unique subnet for that. I want all traffic to the Internet to go out locally.
Just to clarify, you are wanting all NON enterprise network (or organization etc) traffic to flow out the local internet connection instead of going over the tunnel back to HQ and out their pipe?
Yes, that is what I want.
Any ideas how to do this?
Not sure I am following the question.
Please, see our conversation above. I need to split tunnel all NON enterprise traffic to the local internet instead of going over the tunnel back to the HQ and out their pipe. It is possible with IPSec VPN, but I am not sure how to do this with RemoteAP. In my case it is FortiAP25D.
Do you have any idea?