
FortiGate 90D-POE with FortiAP on 5.4.1

Okay, I feel the need to write this because I just upgraded from FortiOS 5.4.0 to FortiOS 5.4.1 on my FortiGate 90D-POE, and my FortiAP couldn’t handle it. I actually had to completely reconfigure my FortiGate from scratch, as I lost everything but console access whenever I would attempt to import my configuration.

Before we begin:

  • You have two SSID types you can configure
  • I chose “Bridge to FortiAP’s local interface” for my main WiFi network for two reasons:
    • This Fortinet doc says “Bridge mode is more efficient than Tunnel mode, as it uses the CAPWAP tunnel for authentication only”
    • A post in this Reddit thread suggests that tunneled APs use more system resources than a bridged AP
  • I chose “Tunnel to wireless controller” for my guest network because I want to apply different levels of UTM to guests than I do to my own WiFi traffic, and if I bridge both SSIDs to the FortiAP interface, I can’t apply separate UTM policies.

Step 1: Set up your POE interface

Note: I use the term “bridged wireless clients” here for settings that specifically apply to devices connected to my private WiFi network that will have access to my wired devices through a firewall policy. If you create a guest network (tunnel to wireless controller), it will have its own subnet and DHCP server as explained in a later step. Even without a tunneled SSID, you still need a DHCP server on your POE interface for your FortiAP to receive an IP address.

  1. Network > Interfaces
    1. Edit the POE interface where you connect your FortiAP.
    2. Select LAN role, Manual addressing mode, type an IP/Netmask that will act as a gateway for your bridged wireless clients (I chose 172.17.100.1/255.255.255.0), select only CAPWAP for administrative access, and create a DHCP server for your bridged wireless clients.

Step 2: Create SSID(s)

  1. WiFi & Switch Controller > SSID
    1. Create New > SSID
    2. Assign a name for the interface (never visible to the public), set Type to WiFi SSID and Traffic Mode to “Local bridge with FortiAP’s Interface”, enter the SSID name (broadcast by default, but it can be hidden), choose the security mode and its options, and click OK.
    3. If you wish to create a guest WiFi network, create a new SSID, choose traffic mode “Tunnel to Wireless Controller,” and create a unique IP/Netmask for this subnet, a DHCP server, and finally name your SSID and configure security before clicking OK.

Step 3: Create FortiAP Profile

  1. WiFi & Switch Controller > FortiAP Profiles
    1. Create New, assign a name, **select your model of FortiAP next to platform (DO NOT SKIP THIS STEP)**, choose your radio settings, choose “Select SSIDs,” and select both SSIDs you created in step 2.
    2. You are welcome to limit one or more SSIDs to specific bands if you wish.

Step 4: Assign FortiAP Profile to FortiAP

  1. WiFi & Switch Controller > Managed FortiAPs
    1. By now, your FortiAP should have received an IP address from the DHCP server on the POE interface you configured in step 1. If it still does not have an IP address, wait. Periodically, click Refresh. Eventually, it will get an IP. This should not take more than 5 minutes, but the time can vary by model.
    2. Double click your FortiAP.
    3. Assign a name (optional), authorize the AP, assign the FortiAP Profile you created in step 3, and configure any override settings as you wish.
    4. With my FortiGate 90D-POE on firmware v5.4.1-build1064, a Fortinet support representative had me upgrade my FortiAP OS version to FP321C-v5.4-build0339.
    5. Click OK to finish.

Step 5: Create addresses (subnets) to be used with firewall policies

  1. Policy & Objects > Addresses
    1. Create New > Address.
    2. Create a name for your bridged (private) WLAN, enter the same subnet you gave the POE interface in step 1, and assign it to your POE interface. Click OK.
    3. Create New > Address.
    4. Create a name for your tunneled (guest) WLAN, enter the same subnet you gave the guest SSID in step 2, and assign it to your guest SSID. Click OK.
    5. Create an address for your internal hardware switch if you don’t already have one!

Step 6: Create Firewall policy

  1. Policy & Objects > IPv4 Policy
    1. Create New, assign a name, POE interface as incoming interface, internal hardware switch as outgoing interface, the bridged (private) WLAN address you created in step 5 as source, the internal hardware switch address you created in step 5 as destination, service ALL, uncheck NAT if selected, ensure “Enable this policy” is checked and click OK.

      What this policy does: Allows devices on your private, bridged WiFi network to communicate with devices on your internal hardware switch.
  2. Policy & Objects > IPv4 Policy
    1. Create another policy for the reverse direction (internal to WiFi). See screenshot.

Step 7: Allow WiFi subnets access to the internet using firewall policy

  1. WiFi & Switch Controller > SSID
    1. Because you already have a firewall policy that allows devices physically connected to your internal hardware switch access to the internet, you can simply add your POE interface and guest SSID to this policy. Personally, I created a separate policy for my guest WiFi so I can apply more granular control in the future.

      [Screenshot: my policy for all traffic from my wired devices and private WiFi clients to the internet]
      [Screenshot: my policy for all traffic from my guest WiFi clients to the internet]
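As an added example (not part of the original post, and not Fortinet’s own documentation), here is the FortiOS 5.4 CLI equivalent of Steps 1 through 7, so the whole build can be reviewed, saved, or re-applied piece by piece from a console session instead of being re-clicked through the GUI after a failed configuration import. The interface name internalA, the WLAN subnets 172.17.100.0/24 and 10.10.20.0/24, the LAN subnet 192.168.1.0/24 on the internal hardware switch, the object and profile names, wan1 as the internet-facing interface, and the use of the stock “default” and “certificate-inspection” security profiles are all assumptions; the passphrases are placeholders.

```fortios
# Added example (not the original post's own configuration): FortiOS 5.4 CLI
# equivalent of Steps 1-7. Interface names, subnets, passphrases and the UTM
# profile names are assumptions; substitute your own values.

# Step 1: POE interface that feeds the FortiAP. Only CAPWAP is allowed on it,
# so the AP can join but WLAN clients cannot reach the GUI or SSH via this IP.
config system interface
    edit "internalA"
        set ip 172.17.100.1 255.255.255.0
        set allowaccess capwap
        set role lan
    next
end
config system dhcp server
    edit 10
        set interface "internalA"
        set default-gateway 172.17.100.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 172.17.100.50
                set end-ip 172.17.100.200
            next
        end
    next
end

# Step 2: private SSID bridged to the AP's LAN, guest SSID tunneled to the
# controller. The tunneled SSID becomes its own interface: give it an IP under
# "config system interface" and a DHCP server like the one above.
config wireless-controller vap
    edit "wifi-private"
        set ssid "Home-WiFi"
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-STRONG-PASSPHRASE"
        set local-bridging enable
    next
    edit "wifi-guest"
        set ssid "Home-Guest"
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-GUEST-PASSPHRASE"
    next
end

# Step 3: FortiAP profile. The platform type must match the AP model.
config wireless-controller wtp-profile
    edit "FAP321C-home"
        config platform
            set type 321C
        end
        config radio-1
            set vaps "wifi-private" "wifi-guest"
        end
    next
end

# Step 5: address objects tied to the interface each subnet lives on.
config firewall address
    edit "wlan-private-net"
        set subnet 172.17.100.0 255.255.255.0
        set associated-interface "internalA"
    next
    edit "wlan-guest-net"
        set subnet 10.10.20.0 255.255.255.0
        set associated-interface "wifi-guest"
    next
    edit "lan-net"
        set subnet 192.168.1.0 255.255.255.0
        set associated-interface "internal"
    next
end

# Steps 6-7: private WLAN to LAN without NAT (build the reverse-direction
# policy the same way with source and destination swapped), and a separate
# guest-to-internet policy carrying UTM. No guest-to-LAN policy exists.
config firewall policy
    edit 0
        set name "wifi-private-to-lan"
        set srcintf "internalA"
        set dstintf "internal"
        set srcaddr "wlan-private-net"
        set dstaddr "lan-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "guest-to-internet"
        set srcintf "wifi-guest"
        set dstintf "wan1"
        set srcaddr "wlan-guest-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end
```

Step 4 (authorizing the AP and binding the profile) is done per device under config wireless-controller wtp and is left to the GUI here because it keys on the AP’s serial number. Paste the sections one at a time and verify each with the matching show command (for example show firewall policy) before moving on; since the guest SSID has no policy toward the internal hardware switch, guest clients are dropped by the implicit deny, which is exactly the separation the tunneled SSID was chosen for.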

That’s it! If this helped you, please consider a donation of any amount at all via the PayPal or Bitcoin buttons on the left side of the page. Comments and criticisms are welcome in the comment section.

Google Fiber with Fortigate 90D

Goal: Replace Google Fiber Network Box with your own FortiGate router

Note: I do not know how to get TV working if you use that service. This tutorial covers internet only.

In this tutorial, I am using the following hardware:

  • Google Fiber fiber jack
  • Fortinet FortiGate 90D-POE Firewall

Before we begin:

  • I am using the Web-based Manager in FortiExplorer version 2.6.1083 while connected via the USB management port
  • My internal LAN is already set up to use the default hardware switch utilizing all ten LAN ports and custom DHCP settings for my personal network
  • I configured the internalA interface for my FortiAP 321C and disabled internalB, C, and D.
  • I disabled wan2
  • I have successfully tested the following configuration under firmwares 5.4.0-build1011 and 5.4.1-build1064.

Step 1: Set up your wan1 subinterface

  1. Network > Interfaces
    1. Create New > Interfaces
    2. Assign a name, type VLAN, interface wan1, VLAN ID 2, role WAN, addressing mode DHCP, click OK. I called mine GFIBER.

Step 2: Create IGMP service and set up your firewall policies

  1. Policy & Objects > Services
    1. Create New > Service
    2. Assign IGMP as the name, protocol type IP, Protocol Number 2, click OK.
  2. Policy & Objects > IPv4 Policy
    1. Create New.
    2. Assign a name (I chose “QoS DHCP”), select your internal subnet(s) for incoming interface, select the VLAN interface you created in the last step for outgoing interface, source all, destination all, schedule always, service DHCP, action accept, NAT enabled, do not assign any security profiles, click OK.
  3. Policy & Objects > IPv4 Policy
    1. Create New.
    2. Assign a name (I chose “QoS IGMP”), select your internal subnet(s) for incoming interface, select the VLAN interface you created in the last step for outgoing interface, source all, destination all, schedule always, service IGMP, action accept, NAT enabled, do not assign any security profiles, click OK.
  4. Policy & Objects > IPv4 Policy
    1. Create New.
    2. Assign a name (I chose “QoS All Others”), select your internal subnet(s) for incoming interface, select the VLAN interface you created in the last step for outgoing interface, source all, destination all, schedule always, service ALL, action accept, NAT enabled, select the security profiles you wish to apply to the traffic between your LAN and the WAN, click OK.
  5. Make sure “QoS All Others” comes after the first two policies in the policy list. I put them in the order IGMP > DHCP > ALL. I’m not sure whether the order of the first two matters, but both must sit above the third: FortiGate evaluates policies top to bottom and uses the first match, so IGMP and DHCP traffic has to hit its own policy before the catch-all ALL policy, which also covers that traffic, gets a chance to match it. This matters because each policy will carry a unique QoS bit.

Step 3: Use CLI to assign QoS bits to your three QoS policies

Note: The QoS bits come from here. Each policy has a unique number assigned to it, and they may be different from mine. My IGMP policy is 9, DHCP is 8, and All Others is 2.

  1. Login to the CLI of your FortiGate
    1. Enter the following commands, substituting your own policy numbers as shown by the “show” command after “config firewall policy” (lines beginning with # are comments and can be omitted):
      config firewall policy
      # list every policy and note the ID of each of the three QoS policies
      show
      # IGMP policy: tag forwarded frames with 802.1p priority 6
      edit 9
      set vlan-cos-fwd 6
      end
      config firewall policy
      # DHCP policy: 802.1p priority 2
      edit 8
      set vlan-cos-fwd 2
      end
      config firewall policy
      # all other traffic: 802.1p priority 3
      edit 2
      set vlan-cos-fwd 3
      end
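The same Steps 1 through 3, as an added example in FortiOS 5.4 CLI (not the original post’s configuration and not taken from Fortinet documentation): it creates the VLAN sub-interface, the IGMP service, and the three policies with their vlan-cos-fwd values in a single pass, and pins the catch-all policy below the two specific ones so the first-match order the text relies on cannot silently be wrong. The LAN-side interface name internal is an assumption; the policy IDs 9, 8 and 2 are the post’s and will differ on your unit; the 802.1p values (IGMP 6, DHCP 2, everything else 3) are the ones the post uses.

```fortios
# Added example (not the original post's own configuration): FortiOS 5.4 CLI
# equivalent of Steps 1-3. "internal" as the LAN-side interface is an
# assumption; the policy IDs 9, 8 and 2 are the post's and will differ on
# your unit (run "show firewall policy" to find yours).

# Step 1: VLAN 2 sub-interface on wan1 for the Google Fiber jack, DHCP client.
config system interface
    edit "GFIBER"
        set vdom "root"
        set role wan
        set mode dhcp
        set interface "wan1"
        set vlanid 2
    next
end

# Step 2: IGMP as a custom service (IP protocol number 2).
config firewall service custom
    edit "IGMP"
        set protocol IP
        set protocol-number 2
    next
end

# Steps 2 and 3 combined: the three LAN-to-GFIBER policies, each tagging the
# frames it forwards with its own 802.1p priority via vlan-cos-fwd. No security
# profiles on the IGMP and DHCP policies; attach yours to "QoS All Others".
config firewall policy
    edit 9
        set name "QoS IGMP"
        set srcintf "internal"
        set dstintf "GFIBER"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "IGMP"
        set nat enable
        set vlan-cos-fwd 6
    next
    edit 8
        set name "QoS DHCP"
        set srcintf "internal"
        set dstintf "GFIBER"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DHCP"
        set nat enable
        set vlan-cos-fwd 2
    next
    edit 2
        set name "QoS All Others"
        set srcintf "internal"
        set dstintf "GFIBER"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set vlan-cos-fwd 3
    next
    # Policies are matched top to bottom on first hit, so the catch-all must
    # sit below the two specific ones regardless of its ID.
    move 2 after 8
end
```

If "QoS All Others" is the pre-existing LAN-to-WAN policy on your unit (a low ID such as 2 suggests it is), the edit 2 block simply updates it in place, and the final move is what guarantees the ordering; confirm with show firewall policy, which prints policies in evaluation order.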

That’s it! With these firewall rules in place, I get over 900 Mbps down/up. Please leave a comment if this worked for you!