Configuring a meshed WiFi network

You need to:

  • Create the mesh root SSID.
  • Create the FortiAP profile.
  • Configure mesh leaf AP units.
  • Configure the mesh root AP, either a FortiWiFi unit’s Local Radio or a FortiAP unit.
  • Authorize the mesh branch/leaf units when they connect to the WiFi Controller.
  • Create security policies.

This section assumes that the end-user SSIDs already exist.

Creating the mesh root SSID

The mesh root SSID is the radio backhaul that conveys the user SSID traffic to the leaf FortiAPs.

To configure the mesh root SSID
  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter a Name for the WiFi interface.
  3. In Traffic Mode, select Mesh Downlink.
  4. Enter the SSID.
  5. Set Security Mode to WPA2 Personal and enter the Pre-shared key.
    Remember the key; you need to enter it into the configurations of the leaf FortiAPs.
  6. Select OK.

Creating the FortiAP profile

Create a FortiAP profile for the meshed FortiAPs. If more than one FortiAP model is involved, you need to create a profile for each model. Typically, the profile is configured so that Radio 1 (5GHz) carries the mesh backhaul SSID while Radio 2 (2.4GHz) carries the SSIDs to which users connect.

The radio that carries the backhaul traffic must not carry other SSIDs. Use the Select SSIDs option and choose only the backhaul SSID. Similarly, the radio that carries user SSIDs should not carry the backhaul. Use the Select SSIDs option and choose the networks that you want to provide.

For more information, see Configuring a WiFi LAN.

Configuring the mesh root FortiAP

The mesh root AP can be either a FortiWiFi unit’s built-in AP or a FortiAP unit.

To enable a FortiWiFi unit’s Local Radio as mesh root - web-based manager
  1. Go to WiFi Controller > Local WiFi Radio.
  2. Select Enable WiFi Radio.
  3. In SSID, select Select SSIDs, then select the mesh root SSID.
  4. Optionally, adjust TX Power or select Auto Tx Power Control.
  5. Select Apply.

Note: In a network with multiple wireless controllers, make sure that each mesh root has a unique SSID. Other controllers using the same mesh root SSID might be detected as fake or rogue APs. Go to WiFi & Switch Controller > SSID to change the SSID.

To configure a network interface for the mesh root FortiAP unit
  1. On the FortiGate unit, go to Network > Interfaces.
  2. Select the interface where you will connect the FortiAP unit, and edit it.
  3. Make sure that Role is LAN.
  4. In Addressing mode, select Dedicated to Extension Device.
  5. In IP/Network Mask, enter an IP address and netmask for the interface.
    DHCP will provide addresses to connected devices. To maximize the number of available addresses, the interface address should end with 1, for example 192.168.10.1.
  6. Select OK.

At this point you can connect the mesh root FortiAP, as described next. If you are going to configure leaf FortiAPs through the wireless controller (see Configuring the leaf mesh FortiAPs), it would be convenient to leave connecting the root unit for later.

To enable the root FortiAP unit
  1. Connect the root FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for it.
  2. Go to WiFi & Switch Controller > Managed FortiAPs.
    If the root FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the root FortiAP unit and try again.
  3. Right-click the FortiAP entry and choose your profile from the Assign Profile submenu.
  4. Right-click the FortiAP entry and select Authorize.
    Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.
  5. Select OK.

You might need to select Refresh a few times before the FortiAP shows as Online.

Configuring the leaf mesh FortiAPs

The FortiAP units that will serve as leaf nodes must be preconfigured. This involves changing the FortiAP unit's internal configuration. You can do this by direct connection or through the FortiGate wireless controller.

Method 1: Direct connection to the FortiAP
  1. Connect a computer to the FortiAP unit's Ethernet port. Configure the computer's IP as 192.168.1.3.
  2. Telnet to 192.168.1.2. Log in as admin. By default, no password is set.
  3. Enter the following commands, substituting your own SSID and password (pre-shared key):
    cfg -a MESH_AP_TYPE=1
    cfg -a MESH_AP_SSID=fortinet.mesh.root
    cfg -a MESH_AP_PASSWD=hardtoguess
    cfg -c
    exit
  4. Disconnect the computer.
  5. Power down the FortiAP.
  6. Repeat the preceding steps for each branch FortiAP.

Method 2: Connecting through the FortiGate unit
  1. Connect the branch FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for FortiAPs. Connect the FortiAP unit to a power source unless POE is used.
  2. Go to WiFi & Switch Controller > Managed FortiAPs.
    If the FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the FortiAP unit and try again.
  3. Select the discovered FortiAP unit and authorize it. Click Refresh every 10 seconds until the State indicator is green.
  4. Right-click the FortiAP and select >_Connect to CLI. The CLI Console window opens. Log in as "admin".
  5. Enter the following commands, substituting your own SSID and password (pre-shared key):
    cfg -a MESH_AP_TYPE=1
    cfg -a MESH_AP_SSID=fortinet.mesh.root
    cfg -a MESH_AP_PASSWD=hardtoguess
    cfg -c
    exit
  6. Disconnect the branch FortiAP and delete it from the Managed FortiAP list.
  7. Repeat the preceding steps for each branch FortiAP.
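
Both methods end with the same five commands and ask you to substitute your own SSID and pre-shared key. The following is an added example, not Fortinet code: a small Python helper that generates a random key, rejects the placeholder values printed in this guide, and emits the command sequence for pasting into a leaf FortiAP. The function names and the sample SSID `branch-mesh-01` are hypothetical, and the restriction to characters that need no quoting on the FortiAP CLI is an assumption.

```python
import secrets
import string

# Values printed in the guide itself; they must never reach a real deployment.
DOC_PLACEHOLDERS = {"fortinet.mesh.root", "hardtoguess"}
# Assumption: keep values to characters that need no quoting on the FortiAP CLI.
SAFE_CHARS = set(string.ascii_letters + string.digits + "._-")


def new_psk(length=32):
    """Random WPA2-Personal passphrase (valid range is 8-63 ASCII characters)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_value(name, value, min_len, max_len):
    """Return a list of problems with one setting (empty list means OK)."""
    problems = []
    if not min_len <= len(value.encode("utf-8")) <= max_len:
        problems.append(f"{name}: length must be {min_len}-{max_len} bytes")
    if not set(value) <= SAFE_CHARS:
        problems.append(f"{name}: contains characters outside [A-Za-z0-9._-]")
    if value in DOC_PLACEHOLDERS:
        problems.append(f"{name}: is the placeholder value from the documentation")
    return problems


def leaf_mesh_commands(ssid, psk):
    """Build the leaf FortiAP command sequence shown in the guide, or raise."""
    problems = check_value("MESH_AP_SSID", ssid, 1, 32)
    problems += check_value("MESH_AP_PASSWD", psk, 8, 63)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "cfg -a MESH_AP_TYPE=1",
        f"cfg -a MESH_AP_SSID={ssid}",
        f"cfg -a MESH_AP_PASSWD={psk}",
        "cfg -c",
        "exit",
    ]


if __name__ == "__main__":
    # Constructed sample SSID; the PSK is generated fresh on every run.
    print("\n".join(leaf_mesh_commands("branch-mesh-01", new_psk())))
```

The same SSID and key must match the mesh root SSID created on the controller, so generate the key once and reuse the output for every leaf unit.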

Authorizing leaf APs

When the root FortiAP is connected and online, apply power to the pre-configured leaf FortiAPs. The leaf FortiAPs will connect themselves wirelessly to the WiFi Controller through the mesh network. You must authorize each unit.

  1. Go to WiFi & Switch Controller > Managed FortiAPs. Periodically select Refresh until the FortiAP unit is listed. This can take up to three minutes.
    The State of the FortiAP unit should be Waiting for Authorization.
  2. Right-click the FortiAP entry and choose your profile from the Assign Profile submenu.
  3. Right-click the FortiAP entry and select Authorize.

Initially, the State of the FortiAP unit is Offline. Periodically click Refresh to update the status. Within about two minutes, the state changes to Online.

Creating security policies

You need to create security policies to permit traffic to flow from the end-user WiFi network to the network interfaces for the Internet and other networks. Enable NAT.

Viewing the status of the mesh network

Go to WiFi & Switch Controller > Managed FortiAPs to view the list of APs.

The Connected Via field lists the IP address of each FortiAP and uses icons to show whether the FortiAP is connected by Ethernet or Mesh.

If you mouse over the Connected Via information, a topology displays, showing how the FortiGate wireless controller connects to the FortiAP.