Friday, September 6, 2013

Wireless Mesh Gotcha

FortiAP wireless access points have the ability to create a full mesh. This is a pretty nifty feature as described in the FortiOS Wireless Deployment Guide:

The access points of a WiFi network are usually connected to the WiFi controller through Ethernet wiring. A wireless mesh eliminates the need for Ethernet wiring by connecting WiFi access points to the controller by radio. This is useful where installation of Ethernet wiring is impractical. 

The AP that is connected to the network by Ethernet is called the Mesh Root node. It is configured with an SSID (also called a virtual access point or VAP) dedicated to backhaul communication with the remote FortiAP units. The backhaul SSID carries CAPWAP discovery, configuration, and other communications that would usually be carried on an Ethernet connection. Regular WiFi clients cannot connect to the backhaul SSID. They connect to the regular SSIDs carried on the access points.
The root node can be a FortiAP unit or the built-in AP of a FortiWiFi unit. APs that serve only regular WiFi clients are called Leaf nodes. Leaf APs that also carry the mesh SSID for more distant Leaf nodes are called Leaf/branch nodes.


In other words, the APs can all be wirelessly connected to each other, and the APs that are not wired into the network can backhaul their traffic via other APs. The requirement is that at least one of the APs in the chain is hard-wired to the network.

A small gotcha is that by default the wireless mesh uses its own internal IP addressing scheme. The default IP address for the full-mesh interface is 192.168.3.99/24. I found this out the hard way because I have a VPN tunnel to a remote network which also uses 192.168.3.x/24. Looking at the routing table, it was easy to see why I could no longer reach the remote VPN network after I had set up my new wireless access points.

FGT # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [5/0] via 1.2.3.4, wan1
C    *> 10.1.1.0/24 is directly connected, Internal
S    * 192.168.3.0/24 [1/0] is directly connected, FW_VPN_2_0
C    *> 192.168.3.0/24 is directly connected, wl.mesh


There are two routes available in the routing database to 192.168.3.0/24; the ">" in front of a route shows which one has been selected as the active route. Here the connected route on wl.mesh wins over the static route to the VPN. Simply changing the network of the mesh interface to something like 192.168.254.99/24 will resolve the issue. This can be done in the GUI via "System -> Network -> Interfaces".
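As an added check, not part of the original post, this Python snippet parses the "get router info routing-table database" output above and flags any two routes whose prefixes overlap but leave via different interfaces, reporting which one FortiOS marked as active. The sample lines are constructed from the post's output, and connected routes are assumed to have distance 0.

```python
import ipaddress
import re

# Constructed sample, copied from the routing-table output in the post
# (1.2.3.4 is the placeholder next hop the post uses).
SAMPLE_RIB = """\
S    *> 0.0.0.0/0 [5/0] via 1.2.3.4, wan1
C    *> 10.1.1.0/24 is directly connected, Internal
S    * 192.168.3.0/24 [1/0] is directly connected, FW_VPN_2_0
C    *> 192.168.3.0/24 is directly connected, wl.mesh
"""

# code letter, "*>" flags, prefix, optional [distance/metric], remainder
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]+)\s+(?P<flags>[*>]*)\s*(?P<prefix>\S+/\d+)"
    r"(?:\s+\[(?P<dist>\d+)/\d+\])?\s+(?P<rest>.*)$"
)

def parse_rib(text):
    """One dict per route line; the Codes legend and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        # Connected routes show no [distance/metric]; they are treated as
        # distance 0 here (assumption: FortiOS value for a connected interface).
        routes.append({
            "code": m.group("code"),
            "selected": ">" in m.group("flags"),   # ">" marks the active route
            "prefix": ipaddress.ip_network(m.group("prefix")),
            "distance": int(m.group("dist") or 0),
            "iface": m.group("rest").rsplit(",", 1)[-1].strip(),
        })
    return routes

def find_overlaps(routes):
    """Return (route_a, route_b, winning_iface) for prefixes that overlap but
    leave via different interfaces. The default route is skipped: it
    overlaps everything by design."""
    conflicts = []
    specific = [r for r in routes if r["prefix"].prefixlen > 0]
    for i, a in enumerate(specific):
        for b in specific[i + 1:]:
            if a["prefix"].overlaps(b["prefix"]) and a["iface"] != b["iface"]:
                winner = a if a["selected"] else b
                conflicts.append((a, b, winner["iface"]))
    return conflicts
```

Running find_overlaps(parse_rib(SAMPLE_RIB)) on the sample reports the 192.168.3.0/24 collision between FW_VPN_2_0 and wl.mesh, with wl.mesh as the active route.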

2 comments:

Anonymous said...

Is there any way to change the distance of a connected route so that a static one takes precedence?

I had a case where I wanted to go to subnet 192.168.5.0 via 192.168.1.2, BUT the FortiGate also had an interface in the 192.168.1.0 network, so a static route was never the preferred route due to the connected route. In the end I had to shut down the interface to take the connected route out, but ideally I'd rather have the option to set the distance and keep the interface up.

Sebastian said...

Try using a policy route. A directly connected interface will always have the lowest distance.