FortiExtender Support
FortiOS 5.2 supports the new FortiExtender unit, which provides internet connectivity via 4G/LTE network to a FortiGate unit.
To connect a FortiGate and FortiExtender, a new tap interface is created on the FortiGate unit, which receives the IP address from the cellular service provider via the FortiExtender, using a CAPWAP data channel. All the packets sent to the tap interface are received by the extender module on the FortiGate and are then sent to the FortiExtender, which then sends the packets out on the 4G/LTE network.
When data packets are received from the cellular network, the FortiExtender passes the packets to the FortiGate via the CAPWAP data channel. These packets are written to the tap interface and the FortiGate IP stack will process them.
The options to configure a FortiExtender unit can be found by going to System > Network > FortiExtender.
| The configuration of a FortiExtender interface is restricted to the root VDOM. |
Connecting a FortiExtender unit to a FortiGate unit
1. If you are using the provided PoE injector:
a. Plug the provided Ethernet cable into the Ethernet port of the FortiExtender and insert the other end of the Ethernet cable into the AP/Bridge port on the injector, then plug the injector into an electrical outlet.
b. Connect the LAN port of the PoE injector to a FortiGate, FortiWifi, or FortiSwitch device.
2. If you are not using the PoE injector, insert the other end of the Ethernet cable into a PoE LAN port on an appropriate FortiGate, FortiWiFi or FortiSwitch device.
For more information on connecting the FortiExtender unit, see the QuickStart Guide.
3. By default, the options for the FortiExtender are hidden and disabled. Enable them in FortiGate’s CLI:
config system global
set fortiextender enable
set wireless-controller enable
end
4. Enable the control and provisioning of Wireless Access Point (CAPWAP) service on the port to which the FortiExtender unit is connected (lan interface in this example) using the following CLI commands:
config system interface
edit lan
set allowaccess capwap
end
end
Once enabled, it appears as a virtual WAN interface in the FortiGate, such as fext-wan1.
Configuring the FortiExtender unit
1. At this point, you can fully manage the FortiExtender from the FortiGate unit. To achieve this, you need to authorize the FortiExtender by going to System > Network > FortiExtender and click on Authorize. Once authorized, you can configure the following settings as required:
• Link Status: Shows you if the link is Up or Down, click on Details to see the System and Modem Status.
• IP Address: Shows you the current FortiExtender’s IP address, click on the link of the IP address to connect to the FortiExtender GUI.
• OS Version: Shows the current FortiExtender’s build, click on Upgrade if you wish to upgrade the Firmware.
• Configure Settings: Allows you to configure the Modem Settings (for more information, see below), PPP Authentication, General, GSM / LTE, and CDMA.
• Diagnostics: Allows you to diagnose the FortiExtender unit, you can choose a command form the existing commands and click on Run. Existing commands are: Show device info, Show data session connection status, test connection, test disconnection, Get signal strength, AT Command.
The FortiExtender unit allows for two modes of operation for the modem; On Demand and Always Connect. In On Demand mode, the modem connects to a dialup ISP account to provide the connection to the Internet when needed. In Always Connect mode, the modem is always connected to the internet, it can acts as a primary or backup method of connecting to the Internet. To configure the dial mode as needed, do the following:
2. Select Configure Settings.
3. Extend Modem Settings.
4. Select the Dial Mode of Always Connect or On Demand.
5. Enter the Quota Limit to the desired limit in Mega Byte.
6. Select OK.
Configuring the FortiGate unit
1. Go to Router > Static > Static Routes or System > Network > Routing, depending on your FortiGate model, and select Create New.
| If your network will be using IPv6 addresses, go to Router > Static > Static Routes or System > Network > Routing and select IPv6 Route. |
2. Set the Destination IP/Mask to 0.0.0.0/0.0.0.0, Device to fext-wan1, and set the Gateway to your gateway IP or to the next hop router, depending on your network requirements.
3. Select OK.
4. Go to Policy & Objects > Policy > IPv4 and select Create New.
| If your network will be using IPv6 addresses, go to Policy & Objects > Policy > IPv6 and select Create New. |
5. Set the Incoming Interface to the internal interface and the Outgoing Interface to fext-wan1 interface. You will also need to set Source Address, Destination Address, Schedule, and Service according to your network requirements.
6. Make sure the Action is set to ACCEPT. Turn on NAT and make sure Use Destination Interface Address is selected.
7. Select OK.