Wireless mesh


The access points of a WiFi network are usually connected to the WiFi controller through Ethernet wiring. A wireless mesh eliminates the need for Ethernet wiring by connecting WiFi access points to the controller by radio. This is useful where installation of Ethernet wiring is impractical.

Overview of Wireless mesh

Configuring a meshed WiFi network

Configuring a point-to-point bridge

Overview of Wireless mesh

The figure below shows a wireless mesh topology.

A wireless mesh is a multiple AP network in which only one FortiAP unit is connected to the wired network. The other FortiAPs communicate with the controller over a separate backhaul SSID that is not available to regular WiFi clients. The AP that is connected to the network by Ethernet is called the Mesh Root node. The backhaul SSID carries CAPWAP discovery, configuration, and other communications that would usually be carried on an Ethernet connection.

The root node can be a FortiAP unit or the built-in AP of a FortiWiFi unit. APs that serve regular WiFi clients are called Leaf nodes. Leaf APs also carry the mesh SSID for more distant leaf nodes. A leaf node can connect to the mesh SSID directly from the root node or from any of the other leaf nodes. This provides redundancy in case of an AP failure.

All access points in a wireless mesh configuration must have at least one of their radios configured to provide mesh backhaul communication. As with wired APs, when mesh APs start up they can be discovered by a FortiGate or FortiWiFi unit WiFi controller and authorized to join the network.


The backhaul SSID delivers the best performance when it is carried on a dedicated radio. On a two-radio FortiAP unit, for example, the 5GHz radio could carry only the backhaul SSID while the 2.4GHz radio carries one or more SSIDs that serve users. Background WiFi scanning is possible in this mode.

The backhaul SSID can also share the same radio with SSIDs that serve users. Performance is reduced because the backhaul and user traffic compete for the available bandwidth. Background WiFi scanning is not available in this mode. One advantage of this mode is that a two-radio AP can offer WiFi coverage on both bands.

Wireless mesh deployment modes

There are two common wireless mesh deployment modes:

Wireless Mesh Access points are wirelessly connected to a FortiGate or FortiWiFi unit WiFi controller. WiFi users connect to wireless SSIDs in the same way as on non-mesh WiFi networks.
Wireless bridging Two LAN segments are connected together over a wireless link (the backhaul SSID).

On the leaf AP, the Ethernet connection can be used to provide a wired network. Both WiFi and wired users on the leaf AP are connected to the LAN segment to which the root AP is connected.

Firmware requirements

All FortiAP units that will be part of the wireless mesh network must be upgraded to FAP firmware version 5.0 build 003. FortiAP-222B units must have their BIOS upgraded to version 400012. The FortiWiFi or FortiGate unit used as the WiFi controller must be running FortiOS 5.0.

Types of wireless mesh

A WiFi mesh can provide access to widely-distributed clients. The root mesh AP which is directly connected to the WiFi controller can be either a FortiAP unit or the built-in AP of a FortiWiFi unit that is also the WiFi controller.

FortiAP units used as both mesh root AP and leaf AP


FortiWiFi unit as root mesh AP with FortiAP units as leaf APs

An alternate use of the wireless mesh functionality is as a point-to-point relay. Both wired and WiFi users on the leaf AP side are connected to the LAN segment on the root mesh side.


Point-to-point wireless mesh

Fast-roaming for mesh backhaul link

Mesh implementations for leaf FortiAP can perform background scan when the leaf AP is associated to root. Various options for background scanning can be configured with the CLI. See Mesh variables on page 189 for more details.

Configuring a meshed WiFi network

You need to:

  • Create the mesh root SSID.
  • Create the FortiAP profile.
  • Configure mesh leaf AP units.
  • Configure the mesh root AP, either a FortiWiFi unit’s Local Radio or a FortiAP unit.
  • Authorize the mesh branch/leaf units when they connect to the WiFi Controller.
  • Create security policies.

This section assumes that the end-user SSIDs already exist.

Creating the mesh root SSID

The mesh root SSID is the radio backhaul that conveys the user SSID traffic to the leaf FortiAPs.

To configure the mesh root SSID

  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter a Name for the WiFi interface.
  3. In Traffic Mode, select Mesh Downlink.
  4. Enter the SSID.
  5. Set Security Mode to WPA2 Personal and enter the Pre-shared key.

Remember the key, you need to enter it into the configurations of the leaf FortiAPs.

  6. Select OK.

Creating the FortiAP profile

Create a FortiAP profile for the meshed FortiAPs. If more than one FortiAP model is involved, you need to create a profile for each model. Typically, the profile is configured so that Radio 1 (5GHz) carries the mesh backhaul SSID while Radio 2 (2.4GHz) carries the SSIDs to which users connect.

The radio that carries the backhaul traffic must not carry other SSIDs. Use the Select SSIDs option and choose only the backhaul SSID. Similarly, the radio that carries user SSIDs should not carry the backhaul. Use the Select SSIDs option and choose the networks that you want to provide.

For more information, see Configuring a WiFi LAN on page 30.

Configuring the mesh root FortiAP

The mesh root AP can be either a FortiWiFi unit’s built-in AP or a FortiAP unit.


To enable a FortiWiFi unit’s Local Radio as mesh root – web-based manager

  1. Go to WiFi Controller > Local WiFi Radio.
  2. Select Enable WiFi Radio.
  3. In SSID, select Select SSIDs, then select the mesh root SSID.
  4. Optionally, adjust TX Power or select Auto Tx Power Control.
  5. Select Apply.

In a network with multiple wireless controllers, make sure that each mesh root has a unique SSID. Other controllers using the same mesh root SSID might be detected as fake or rogue APs. Go to WiFi & Switch Controller > SSID to change the SSID.

To configure a network interface for the mesh root FortiAP unit

  1. On the FortiGate unit, go to Network > Interfaces.
  2. Select the interface where you will connect the FortiAP unit, and edit it.
  3. Make sure that Role is LAN.
  4. In Addressing mode, select Dedicated to Extension Device.
  5. In IP/Network Mask, enter an IP address and netmask for the interface.

DHCP will provide addresses to connected devices. To maximize the number of available addresses, the interface address should end with 1, for example 192.168.10.1.

  6. Select OK.

At this point you can connect the mesh root FortiAP, as described next. If you are going to configure leaf FortiAPs through the wireless controller (see “Configuring a meshed WiFi network” on page 82), it would be convenient to leave connecting the root unit for later.

To enable the root FortiAP unit

  1. Connect the root FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for it.
  2. Go to WiFi & Switch Controller > Managed FortiAPs.

If the root FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the root FortiAP unit and try again.

  3. Right-click the FortiAP entry and choose your profile from the Assign Profile
  4. Right-click the FortiAP entry and select Authorize.

Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

  5. Select OK.

You might need to select Refresh a few times before the FortiAP shows as Online.

Configuring the leaf mesh FortiAPs

The FortiAP units that will serve as leaf nodes must be preconfigured. This involves changing the FortiAP unit's internal configuration. You can do this by direct connection or through the FortiGate wireless controller.

Method 1: Direct connection to the FortiAP

  1. Connect a computer to the FortiAP unit’s Ethernet port. Configure the computer’s IP as 192.168.1.3.
  2. Telnet to 192.168.1.2. Login as admin. By default, no password is set.
  3. Enter the following commands, substituting your own SSID and password (pre-shared key):

cfg -a MESH_AP_TYPE=1
cfg -a MESH_AP_SSID=fortinet.mesh.root
cfg -a MESH_AP_PASSWD=hardtoguess
cfg -c
exit

  4. Disconnect the computer.
  5. Power down the FortiAP.
  6. Repeat the preceding steps for each branch FortiAP.

Method 2: Connecting through the FortiGate unit

  1. Connect the branch FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for FortiAPs. Connect the FortiAP unit to a power source unless PoE is used.
  2. Go to WiFi & Switch Controller > Managed FortiAPs.

If the FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the FortiAP unit and try again.

  3. Select the discovered FortiAP unit and authorize it. Click Refresh every 10 seconds until the State indicator is green.
  4. Right-click the FortiAP and select >_Connect to CLI. The CLI Console window opens. Log in as “admin”.
  5. Enter the following commands, substituting your own SSID and password (pre-shared key):

cfg -a MESH_AP_TYPE=1
cfg -a MESH_AP_SSID=fortinet.mesh.root
cfg -a MESH_AP_PASSWD=hardtoguess
cfg -c
exit

  6. Disconnect the branch FortiAP and delete it from the Managed FortiAP list.
  7. Repeat the preceding steps for each branch FortiAP.

Authorizing leaf APs

When the root FortiAP is connected and online, apply power to the pre-configured leaf FortiAPs. The leaf FortiAPs will connect themselves wirelessly to the WiFi Controller through the mesh network. You must authorize each unit.

  1. Go to WiFi & Switch Controller > Managed FortiAPs. Periodically select Refresh until the FortiAP unit is listed. This can take up to three minutes.

The State of the FortiAP unit should be Waiting for Authorization.

  2. Right-click the FortiAP entry and choose your profile from the Assign Profile
  3. Right-click the FortiAP entry and select Authorize.

Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

Creating security policies

You need to create security policies to permit traffic to flow from the end-user WiFi network to the network interfaces for the Internet and other networks. Enable NAT.
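The controller-side steps above (mesh root SSID, FortiAP profile with a dedicated backhaul radio, and the security policy with NAT) expressed as a FortiOS CLI configuration. This is an added example, not text from the guide: the object names, the user SSID "users" and the WAN interface "wan1" are constructed, and the option names are assumed from the FortiOS 5.x CLI, so check them against your firmware's CLI reference.

```fortios
# Mesh root SSID: the backhaul VAP, hidden from regular clients (GUI: Traffic Mode = Mesh Downlink)
config wireless-controller vap
    edit "mesh.root"
        set ssid "fortinet.mesh.root"
        set mesh-backhaul enable
        set security wpa2-only-personal
        set passphrase "hardtoguess"
    next
end

# FortiAP profile: radio-1 (5 GHz) carries only the backhaul, radio-2 (2.4 GHz) only user SSIDs
config wireless-controller wtp-profile
    edit "FAP-mesh"
        config radio-1
            set band 802.11n-5G
            set vap-all disable
            set vaps "mesh.root"
        end
        config radio-2
            set band 802.11n
            set vap-all disable
            set vaps "users"
        end
    next
end

# Security policy: end-user SSID to the Internet-facing interface, with NAT enabled
config firewall policy
    edit 0
        set srcintf "users"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

No policy is created for the backhaul VAP itself; it carries only CAPWAP between the controller and the leaf APs and should not be a source interface for user traffic.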

Viewing the status of the mesh network

Go to WiFi & Switch Controller > Managed FortiAPs to view the list of APs.

The Connected Via field lists the IP address of each FortiAP and uses icons to show whether the FortiAP is connected by Ethernet or Mesh.


If you mouse over the Connected Via information, a topology displays, showing how the FortiGate wireless controller connects to the FortiAP.

Configuring a point-to-point bridge

You can create a point-to-point bridge to connect two wired network segments using a WiFi link. The effect is the same as connecting the two network segments to the same wired switch.

You need to:


  • Configure a backhaul link and root mesh AP as described in Configuring a point-to-point bridge on page 84.

Note: The root mesh AP for a point-to-point bridge must be a FortiAP unit, not the internal AP of a FortiWiFi unit.

  • Configure bridging on the leaf AP unit.

To configure the leaf AP unit for bridged operation – FortiAP web-based manager

  1. With your browser, connect to the FortiAP unit web-based manager.

You can temporarily connect to the unit’s Ethernet port and use its default address: 192.168.1.2.

  2. Enter the following settings:
     Operation Mode: Mesh
     Mesh AP SSID: fortinet-ap
     Mesh AP Password: fortinet
     Ethernet Bridge: Select
  3. Select Apply.
  4. Connect the local wired network to the Ethernet port on the FortiAP unit.
  2. Connect the local wired network to the Ethernet port on the FortiAP unit.

Users are assigned IP addresses from the DHCP server on the wired network connected to the root mesh AP unit.

To configure a FortiAP unit as a leaf AP – FortiAP CLI

cfg -a MESH_AP_SSID=fortinet-ap
cfg -a MESH_AP_PASSWD=fortinet
cfg -a MESH_ETH_BRIDGE=1
cfg -a MESH_AP_TYPE=1
cfg -c

Hotspot 2.0

Hotspot 2.0 Access Network Query Protocol (ANQP) is a query and response protocol that defines the seamless roaming services offered by an AP. The following CLI commands are available under config wireless-controller to configure Hotspot 2.0 ANQP.

Syntax

config wireless-controller hotspot20 anqp-3gpp-cellular
    edit {name}
        config mcc-mnc-list
            edit {id}
                set id {integer}
                set mcc {string}
                set mnc {string}
            next
        end
    next
end

config wireless-controller hotspot20 anqp-ip-address-type
    edit {name}
        set ipv6-address-type {option}
        set ipv4-address-type {option}
    next
end

config wireless-controller hotspot20 anqp-nai-realm
    edit {name}
        config nai-list
            edit {name}
                set encoding {enable | disable}
                set nai-realm {string}
                config eap-method
                    edit {index}
                        set index {integer}
                        set method {option}
                        config auth-param
                            edit {index}
                                set index {integer}
                                set id {option}
                                set val {option}
                            next
                        end
                    next
                end
            next
        end
    next
end

config wireless-controller hotspot20 anqp-network-auth-type
    edit {name}
        set auth-type {option}
        set url {string}
    next
end

config wireless-controller hotspot20 anqp-roaming-consortium
    edit {name}
        config oi-list
            edit {index}
                set index {integer}
                set oi {string}
                set comment {string}
            next
        end
    next
end

config wireless-controller hotspot20 anqp-venue-name
    edit {name}
        config value-list
            edit {index}
                set index {integer}
                set lang {string}
                set value {string}
            next
        end
    next
end

config wireless-controller hotspot20 h2qp-conn-capability
    edit {name}
        set icmp-port {option}
        set ftp-port {option}
        set ssh-port {option}
        set http-port {option}
        set tls-port {option}
        set pptp-vpn-port {option}
        set voip-tcp-port {option}
        set voip-udp-port {option}
        set ikev2-port {option}
        set ikev2-xx-port {option}
        set esp-port {option}
    next
end

config wireless-controller hotspot20 h2qp-operator-name
    edit {name}
        config value-list
            edit {index}
                set index {integer}
                set lang {string}
                set value {string}
            next
        end
    next
end

config wireless-controller hotspot20 h2qp-osu-provider
    edit {name}
        config friendly-name
            edit {index}
                set index {integer}
                set lang {string}
                set friendly-name {string}
            next
        end
        set server-uri {string}
        set osu-method {option}
        set osu-nai {string}
        config service-description
            edit {service-id}
                set service-id {integer}
                set lang {string}
                set service-description {string}
            next
        end
        set icon {string}
    next
end

config wireless-controller hotspot20 h2qp-wan-metric
    edit {name}
        set link-status {option}
        set symmetric-wan-link {option}
        set link-at-capacity {enable | disable}
        set uplink-speed {integer}
        set downlink-speed {integer}
        set uplink-load {integer}
        set downlink-load {integer}
        set load-measurement-duration {integer}
    next
end

config wireless-controller hotspot20 hs-profile
    edit {name}
        set access-network-type {option}
        set access-network-internet {enable | disable}
        set access-network-asra {enable | disable}
        set access-network-esr {enable | disable}
        set access-network-uesa {enable | disable}
        set venue-group {option}
        set venue-type {option}
        set hessid {mac address}
        set proxy-arp {enable | disable}
        set l2tif {enable | disable}
        set pame-bi {enable | disable}
        set anqp-domain-id {integer}
        set domain-name {string}
        set osu-ssid {string}
        set gas-comeback-delay {integer}
        set gas-fragmentation-limit {integer}
        set dgaf {enable | disable}
        set deauth-request-timeout {integer}
        set wnm-sleep-mode {enable | disable}
        set bss-transition {enable | disable}
        set venue-name {string}
        set roaming-consortium {string}
        set nai-realm {string}
        set oper-friendly-name {string}
        config osu-provider
            edit {name}
            next
        end
        set wan-metrics {string}
        set network-auth {string}
        set 3gpp-plmn {string}
        set conn-cap {string}
        set qos-map {string}
        set ip-addr-type {string}
    next
end

config wireless-controller hotspot20 icon
    edit {name}
        config icon-list
            edit {name}
                set lang {string}
                set file {string}
                set type {option}
                set width {integer}
                set height {integer}
            next
        end
    next
end

config wireless-controller hotspot20 qos-map
    edit {name}
        config dscp-except
            edit {index}
                set index
                set dscp
                set up
            next
        end
        config dscp-range
            edit {index}
                set index
                set up
                set low
                set high
            next
        end
    next
end
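A worked instance of the syntax above, added here as an example and not taken from the guide. The object names, realm and venue text are constructed; fields whose permitted {option} values the syntax listing does not spell out are left at their defaults, and the pairing of proxy-arp with dgaf disabled is the Hotspot 2.0 client-isolation setting, which keeps group-addressed (broadcast/multicast) frames off the air so hotspot clients cannot reach each other through ARP.

```fortios
# Venue name advertised through ANQP (constructed values)
config wireless-controller hotspot20 anqp-venue-name
    edit "hq-lobby"
        config value-list
            edit 1
                set index 1
                set lang "eng"
                set value "Example Corp Lobby"
            next
        end
    next
end

# NAI realm so that roaming clients can match the operator's credentials
config wireless-controller hotspot20 anqp-nai-realm
    edit "corp-realm"
        config nai-list
            edit "corp"
                set encoding disable
                set nai-realm "example.com"
            next
        end
    next
end

# Hotspot 2.0 profile that ties the ANQP objects together
config wireless-controller hotspot20 hs-profile
    edit "corp-hs20"
        set access-network-internet enable
        set anqp-domain-id 1
        set domain-name "example.com"
        set venue-name "hq-lobby"
        set nai-realm "corp-realm"
        # Proxy ARP answers ARP on behalf of clients; DGAF disabled stops
        # downstream group-addressed frames, isolating clients from each other
        set proxy-arp enable
        set dgaf disable
    next
end
```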



This entry was posted in Administration Guides, FortiGate, FortiOS, FortiWLC.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Wireless mesh”

  1. Eric Morrison

    Hello, I’m using the point-2-point setup with mesh on two FAP321-C APs. I’m trying to get a FortiSwitch 124D to link up using FortiLink on the Leaf side. Do you know if this is possible? It will not show up in my gate.
