Using Remote WLAN FortiAPs
Remote WLAN FortiAP models enable you to provide a pre-configured WiFi access point to a remote or traveling employee. Once plugged in at home or in a hotel room, the FortiAP automatically discovers the enterprise FortiGate WiFi controller over the Internet and broadcasts the same wireless SSID used in the corporate office. Communication between the WiFi controller and the FortiAP is secure, eliminating the need for a VPN.
Split tunneling
By default, all traffic from the remote FortiAP is sent to the FortiGate WiFi controller. If split tunneling is configured, only traffic destined for the corporate office networks is routed to the FortiGate unit. Other general Internet traffic is routed unencrypted through the local gateway. Split tunneling avoids loading the FortiGate unit with unnecessary traffic and allows direct access to local private networks at the FortiAP’s location even if the connection to the WiFi controller goes down.
Note: Split tunneling in WiFi networks differs in implementation from split tunneling in VPN configurations.
By default, split tunneling options are not visible in the FortiGate GUI. You can make these options visible using the following CLI command:
config system settings set gui-fortiap-split-tunneling enable
end
Split tunneling is configured in Managed FortiAPs, FortiAP Profiles, and enabled in the SSID.
Configuring the FortiGate for remote FortiAPs
This section assumes that you have already defined SSIDs and now want to make them available to remote FortiAPs.
- Create FortiAP profiles for the Remote LAN FortiAP models l If split tunneling will be used l configure override split tunneling in Managed FortiAPs l enable Split Tunneling in the SSID
- configure the split tunnel networks in the FortiAP profile
Override Split Tunneling
Go to WiFi & Switch Controller > Managed FortiAPs and edit your managed APs. When preconfiguring the AP to connect to your FortiGate WiFi controller, you can choose to override split tunneling, optionally including the local subnet of the FortiAP.
Creating FortiAP profiles
If you were not already using Remote LAN FortiAP models, you will need to create FortiAP profiles for them. In the FortiAP profile, you specify the SSIDs that the FortiAP will broadcast. For more information, see “Creating a FortiAP Profile” on page 43.
Configuring the FortiGate for remote FortiAPs Using Remote WLAN FortiAPs
Configuring split tunneling – FortiGate GUI
Go to WiFi & Switch Controller > SSID and edit your SSID. In the WiFi Settings section, enable Split Tunneling.
Go to WiFi Controller > FortiAP Profiles and edit the FortiAP Profile(s) that apply to the AP types used in the WiFi network. In the Split Tunneling section, enable Include Local Subnet and Split Tunneling Subnet(s), where you can enter a list all of the destination IP address ranges that should not be routed through the the FortiGate WiFi controller. Packets for these destinations will instead be routed through the remote gateway local to the FortiAP.
The list of split tunneling subnets includes public Internet destinations and private subnets local to the FortiAP. Split tunneling public Internet destinations reduces traffic through the FortiGate unit. Split tunneling local private subnets allows these networks to be accessible to the client behind the FortiAP. Otherwise, private network IP destinations are assumed to be behind the FortiGate WiFi controller.
Configuring split tunneling – FortiGate CLI
In this example, split tunneling is configured on the example-ssid WiFi network. On FortiAP model 21D, traffic destined for the 192.168.x.x range will not be routed through the FortiGate WiFi controller. This private IP address range is typically used as a LAN by home routers.
config wireless-controller vap edit example-ssid set split-tunneling enable
end
config wireless-controller wtp-profile edit FAP21D-default set split-tunneling-acl-local-ap-subnet enable config split-tunneling-acl edit 1 set dest-ip 192.168.0.0 255.255.0.0
end
end
To enter multiple subnets, create a split-tunneling-acl entry for each one.
Overriding the split tunneling settings on a FortiAP
If the FortiAP Profile split tunneling settings are not appropriate for a particular FortiAP, you can override the settings on that unit.
config wireless-controller wtp edit FAP321C3X14019926 set override-split-tunnel enable
set split-tunneling-acl-local-ap-subnet enable config split-tunneling-acl edit 1 set dest-ip 192.168.10.0 255.255.255.0
end end
Using Remote WLAN FortiAPs Configuring the FortiAP units
Configuring the FortiAP units
Prior to providing a Remote WLAN FortiAP unit to an employee, you need to preconfigure the AP to connect to your FortiGate WiFi controller.
To pre-configure a FortiAP
- Connect the FortiAP to the FortiGate unit.
- Go to WiFi & Switch Controller > Managed FortiAPs and wait for the FortiAP to be listed. Click Refresh periodically to see the latest information. Note the Connected Via IP address.
- Go to Dashboard. In the CLI Console, log into the FortiAP CLI. For example, if the IP address is 192.168.1.4, enter:
exec telnet 192.168.1.4
Enter admin at the login prompt. By default, no password is set.
- Enter the following commands to set the FortiGate WiFi controller IP address. This should be the FortiGate Internet-facing IP address, in this example 172.20.120.142.
cfg -a AC_IPADDR_1=172.20.120.142 cfg -c
- Enter exit to log out of the FortiAP CLI.
Preauthorizing FortiAP units
By preauthorizing FortiAP units, you facilitate their automatic authorization on the network. Also, you can assign each unit a unique name, such as the employee’s name, for easier tracking.
- Go to WiFi & Switch Controller > Managed FortiAPs and create a new entry.
- Enter the Serial Number of the FortiAP unit and give it a Name. Select the appropriate FortiAP Profile.
- Click OK.
Repeat this process for each FortiAP.
Features for high-density deployments
High-density environments such as auditoriums, classrooms, and meeting rooms present a challenge to WiFi providers. When a large number of mobile devices try to connect to a WiFi network, difficulties arise because of the limited number of radio channels and interference between devices.
FortiOS and FortiAP devices provide several tools to mitigate the difficulties of high-density environments.
Power save feature
Occasionally, voice calls can become disrupted. One way to alleviate this issue is by controlling the power save feature, or to disable it altogether.
Manually configure packet transmit optimization settings by entering the following command:
config wireless-controller wtp-profile edit <name> config <radio-1> | <radio-2> set transmit-optimize {disable | power-save | aggr-limit | retry-limit | sendbar}
l disable: Disable transmit optimization. l power-save: Mark a client as power save mode if excessive transmit retries happen. l aggr-limit: Set aggregation limit to a lower value when data rate is low. l retry-limit: Set software retry limit to a lower value when data rate is low. l send-bar: Do not send BAR frame too often.
Broadcast packet suppression
Broadcast packets are sent at a low data rate in WiFi networks, consuming valuable air time. Some broadcast packets are unnecessary or even potentially detrimental to the network and should be suppressed.
ARP requests and replies could allow clients to discover each other’s IP addresses. On most WiFi networks, intraclient communication is not allowed, so these ARP requests are of no use, but they occupy air time.
DHCP (upstream) should be allowed so that clients can request an IP address using DHCP.
DHCP (downstream) should be suppressed because it would allow a client to provide DHCP service to other clients. Only the AP should do this.
NetBIOS is a Microsoft Windows protocol for intra-application communication. Usually this is not required in highdensity deployments.
IPv6 broadcast packets can be suppressed if your network uses IPv4 addressing.
You can configure broadcast packet suppression in the CLI. The following options are available for broadcast suppression:
config wireless-controller vap edit <name>
Features for high-density deployments Multicast to unicast conversion
set broadcast-suppression {dhcp-up | dhcp-down | dhcp-starvation | arp-known | arpunknown | arp-reply | arp-poison | arp-proxy | netbios-ns | netbios-ds | ipv6 | all-other-mc | all-other-bc}
end
dhcp-starvation helps prevent clients from depleting the DHCP address pool by making multiple requests. arp-poison helps prevent clients from spoofing ARP messages.
Because of all these specific multicast and broadcast packet types, the two options all-other-mc and allother-bc help suppress multicast (mc) and broadcast (bc) packets that are not covered by any of the specific options.
Multicast to unicast conversion
Multicast data such as streaming audio or video are sent at a low data rate in WiFi networks. This causes them to occupy considerable air time. FortiOS provides a multicast enhancement option that converts multicast streams to unicast. A unicast stream is sent to each client at high data rate that makes more efficient use of air time. You can configure multicast-to-unicast conversion in the CLI:
config wireless-controller vap edit <vap_name> set multicast-enhance enable
end
Ignore weak or distant clients
Clients beyond the intended coverage area can have some impact on your high-density network. Your APs will respond to these clients’ probe signals, consuming valuable air time. You can configure your WiFi network to ignore weak signals that most likely come from beyond the intended coverage area. The settings are available in the CLI:
config wireless-controller vap edit <vap_name> set probe-resp-suppression enable set probe-resp-threshold <level_int>
end vap_name is the SSID name.
probe-resp-threshold is the signal strength in dBm below which the client is ignored. The range is -95 to 20dBm. The default level is -80dBm.
Turn off 802.11b protocol
By disabling support for the obsolete 802.11b protocol, you can reduce the air time that beacons and management frames occupy. These signals will now be sent at a minimum of 6Mbps, instead of 1Mbps. You can set this for each radio in the FortiAP profile, using the CLI:
config wireless-controller wtp-profile edit <name_string>
Disable low data rates Features for high-density deployments
config radio-1 set powersave-optimize no-11b-rate
end
Disable low data rates
Each of the 802.11 protocols supports several data rates. By disabling the lowest rates, air time is conserved, allowing the channel to serve more users. You can set the available rates for each 802.11 protocol: a, b, g, n, ac. Data rates set as Basic are mandatory for clients to support. Other specified rates are supported.
The 802.11 a, b, and g protocols are specified by data rate. 802.11a can support 6,9,12, 18, 24, 36, 48, and 54
Mb/s. 802.11b/g can support 1, 2, 5.5, 6, 9,12, 18, 24, 36, 48, 54 Mb/s. Basic rates are specified with the suffix “basic”, “12-basic” for example. The capabilities of expected client devices need to be considered when deciding the lowest Basic rate.
The 802.11n and ac protocols are specified by the Modulation and Coding Scheme (MCS) Index and the number of spatial streams.
- 11n with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1,mcs8/2,mcs9/2, mcs10/2, mcs11/2, mcs12/2, mcs13/2, mcs14/2, mcs15/2.
- 11n with 3 or 4 spatial streams can support mcs16/3, mcs17/3, mcs18/3, mcs19/3, mcs20/3, mcs21/3, mcs22/3, mcs23/3, mcs24/4, mcs25/4, mcs26/4, mcs27/4, mcs28/4, mcs29/4, mcs30/4, mcs31/4.
- 11ac with 1 or 2 spatial streams can support mcs0/1, mcs1/1, mcs2/1, mcs3/1, mcs4/1, mcs5/1, mcs6/1, mcs7/1, mcs8/1, mcs9/1, mcs0/2, mcs1/2, mcs2/2, mcs3/2, mcs4/2, mcs5/2, mcs6/2, mcs7/2, mcs8/2, mcs9/2.
- 11ac with 3 or 4 spatial streams can support mcs0/3, mcs1/3, mcs2/3, mcs3/3, mcs4/3, mcs5/3, mcs6/3, mcs7/3, mcs8/3, mcs9/3, mcs0/4, mcs1/4, mcs2/4, mcs3/4, mcs4/4, mcs5/4, mcs6/4, mcs7/4, mcs8/4, mcs9/4 Here are some examples of setting basic and supported rates.
config wireless-controller vap edit <vap_name> set rates-11a 12-basic 18 24 36 48 54 set rates-11bg 12-basic 18 24 36 48 54
set rates-11n-ss34 mcs16/3 mcs18/3 mcs20/3 mcs21/3 mcs22/3 mcs23/3 mcs24/4 mcs25/4 set rates-11ac-ss34 mcs0/3 mcs1/3 mcs2/3 mcs9/4 mcs9/3
end
Limit power
High-density deployments usually cover a small area that has many clients. Maximum AP signal power is usually not required. Reducing the power reduces interference between APs. Fortinet recommends that you use FortiAP automatic power control. You can set this in the FortiAP profile.
- Go to WiFi & Switch Controller > FortiAP Profiles and edit the profile for your AP model.
- For each radio, enable Auto TX Power Control and set the TX Power Low and TX Power High The default range of 10 to 17dBm is recommended.
Features for high-density deployments Use frequency band load-balancing
Use frequency band load-balancing
In a high-density environment is important to make the best use of the two WiFi bands, 2.4GHz and 5GHz. The 5GHz band has more non-overlapping channels and receives less interference from non-WiFi devices, but not all devices support it. Clients that are capable of 5GHz operation should be encouraged to use 5GHz rather than the 2.4GHz band.
To load-balance the WiFi bands, you enable Frequency Handoff in the FortiAP profile. In the FortiGate webbased manager, go to WiFi & Switch Controller > FortiAP Profiles and edit the relevant profile. Or, you can use the CLI:
config wireless-controller wtp-profile edit FAP221C-default config radio-1 set frequency-handoff enable
end
The FortiGate wireless controller continuously performs a scan of all clients in the area and records their signal strength (RSSI) on each band. When Frequency Handoff is enabled, the AP does not reply to clients on the
2.4GHz band that have sufficient signal strength on the 5GHz band. These clients can associate only on the 5GHz band. Devices that support only 2.4GHz receive replies and associate with the AP on the 2.4GHz band.
Setting the handoff RSSI threshold
The FortiAP applies load balancing to a client only if the client has a sufficient signal level on 5GHz. The minimum signal strength threshold is set in the FortiAP profile, but is accessible only through the CLI:
config wireless-controller wtp-profile edit FAP221C-default set handoff-rssi 25
end
handoff-rssi has a range of 20 to 30. RSSI is a relative measure. The higher the number, the stronger the signal.
AP load balancing
The performance of an AP is degraded if it attempts to serve too many clients. In high-density environments, multiple access points are deployed with some overlap in their coverage areas. The WiFi controller can manage the association of new clients with APs to prevent overloading.
To load-balance between APs, enable AP Handoff in the FortiAP profile. In the FortiGate web-based manager, go to WiFi & Switch Controller > FortiAP Profiles and edit the relevant profile. Or, you can use the CLI:
config wireless-controller wtp-profile edit FAP221C-default config radio-1 set ap-handoff enable
end
When an AP exceeds the threshold (the default is 30 clients), the overloaded AP does not reply to a new client that has a sufficient signal at another AP.
Application rate-limiting Features for high-density deployments
Setting the AP load balance threshold
The thresholds for AP handoff are set in the FortiAP profile, but is accessible only through the CLI:
config wireless-controller wtp-profile edit FAP221C-default set handoff-sta-thresh 30 set handoff-rssi 25
end
handoff-sta-thresh sets the number of clients at which AP load balancing begins. It has a range of 5 to 35.
handoff-rssi Sets the minimum signal strength that a new client must have at an alternate AP for the overloaded AP to ignore the client. It has a range of 20 to 30. RSSI is a relative measure. The higher the number, the stronger the signal.
Application rate-limiting
To prevent particular application types from consuming too much bandwidth, you can use the FortiOS Application Control feature.
- Go to Security Profiles > Application Control.
You can use the default profile or create a new one.
- Click the category, select Traffic Shaping and then select the priority for the category.
Repeat for each category to be controlled.
- Select Apply.
- Go to Policy & Objects > IPv4 Policy and edit your WiFi security policy.
- In Security Profiles, set Application Control ON and select the security profile that you edited.
- Select OK.