Configuring a meshed WiFi network

Each VDOM on the FortiGate unit contains a predefined WiFi mesh interface named wl.mesh and a predefined SSID (which cannot be deleted) named fortinet.mesh.<vdom‑name>. You can create additional mesh SSIDs. Create the SSID with Traffic Mode set to Mesh Downlink.

You need to:

  • Create custom AP profiles, if you are not using the automatic AP profile.
  • Configure the mesh root AP, either a FortiWiFi unit’s Local Radio or a FortiAP unit.
  • Configure mesh branch/leaf AP units.
  • Authorize the mesh branch/leaf units when they connect to the WiFi Controller.

Creating custom AP profiles

You can apply the automatic AP profile or create one or more custom AP profiles for the mesh root and branch/leaf APs. A custom profile provides more control over which radio channels are used, intrusion protection, load balancing, background rogue AP scanning, and so on. Typically, the custom profiles are configured so that Radio 1 (5GHz) carries the mesh backhaul SSID while Radio 2 (2.4GHz) carries the SSIDs to which users connect.

For more information, see Configuring a WiFi LAN.

Configuring the mesh root AP

The mesh root AP can be either a FortiWiFi unit’s built-in AP or a FortiAP unit.

To enable a FortiWiFi unit’s Local Radio as mesh root - web-based manager
  1. Go to WiFi Controller > Managed Access Points > Local WiFi Radio.
  2. Select Enable WiFi Radio.
  3. In SSID, select Select SSIDs, then select fortinet.mesh.root.
  4. Optionally, adjust TX Power or select Auto Tx Power Control.
  5. Select Apply.
In a network with multiple wireless controllers, you need to change the mesh SSID so that each mesh root has a unique SSID. Other controllers using the same mesh root SSID might be detected as fake or rogue APs. Go to WiFi Controller > WiFi Network > SSID to change the SSID.

Fortinet also recommends that you create a new preshared key instead of using the default.
To configure a network interface for the FortiAP unit
  1. On the FortiGate unit, go to System > Network > Interfaces.
  2. Select the interface where you will connect the FortiAP unit and edit it.
  3. In Addressing mode, select Manual.
  4. In IP/Network Mask, enter an IP address and netmask for the interface.
    To maximize the number of addresses available for clients, the interface address should end with 1, for example
  5. In DHCP Server select Enable.
    An Address Range is entered automatically. It consists of the subnet address space above the interface address. For example, if the interface IP/mask is, the DHCP address range is through
  6. Select OK.
To enable a FortiAP unit as mesh root - web-based manager
  1. Connect the root FortiAP unit’s Ethernet port to the FortiGate network interface that you configured for it. Connect the FortiAP unit to its power source.
  2. Go to WiFi Controller > Managed Access Points > Managed FortiAP.
    If the root FortiAP unit is not listed, wait 15 seconds and select Refresh. Repeat if necessary. If the unit is still missing after a minute or two, power cycle the root FortiAP unit and try again.
  3. Select the discovered FortiAP unit and edit its settings.
  4. Select the FortiAP Profile to apply.
  5. In State, select Authorize.
  6. Select OK.

You need to create firewall policies to permit traffic to flow from the network interface where the FortiAP unit is connected to the network interfaces for the Internet and other networks. Enable NAT.

Configuring the mesh branches or leaves

The FortiAP units that will serve as branch/leaf nodes must be preconfigured.

  1. Connect to the FortiAP unit web-based manager on its default Ethernet interface IP address,
  2. In the Connectivity section enter:
     Uplink            Mesh
     Mesh AP SSID      fortinet.mesh.<vdom-name>
                       For example, for the root domain, fortinet.mesh.root.
     Mesh AP Password  Same as Mesh AP SSID.
     Ethernet Bridge   Select
  3. Select Apply and then select Logout.
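
The defaults described on this page (the predefined fortinet.mesh.<vdom-name> SSID, a mesh password identical to the SSID, and one mesh SSID reused on several controllers) can be checked across an inventory of mesh SSIDs before deployment. This is an added example, not Fortinet code; the record fields, controller names and keys are constructed and hypothetical.

```python
import re
from collections import defaultdict

# Default mesh SSID pattern described on this page: fortinet.mesh.<vdom-name>
DEFAULT_SSID = re.compile(r"^fortinet\.mesh\.[\w-]+$")

# Constructed inventory: one record per mesh SSID, per wireless controller.
# Field names are hypothetical; populate them from your own records.
SAMPLE_INVENTORY = [
    {"controller": "fgt-hq", "vdom": "root", "ssid": "fortinet.mesh.root",
     "psk": "fortinet.mesh.root"},
    {"controller": "fgt-branch", "vdom": "root", "ssid": "fortinet.mesh.root",
     "psk": "Xk9-constructed-example-key"},
    {"controller": "fgt-lab", "vdom": "root", "ssid": "lab-backhaul-01",
     "psk": "q7V-constructed-example-key"},
]

def audit_mesh_ssids(inventory):
    """Return sorted (controller, ssid, finding) tuples for risky mesh SSIDs."""
    findings = set()
    controllers_by_ssid = defaultdict(set)
    for rec in inventory:
        controllers_by_ssid[rec["ssid"]].add(rec["controller"])
        if DEFAULT_SSID.match(rec["ssid"]):
            findings.add((rec["controller"], rec["ssid"], "default-ssid"))
        # The page documents the default mesh password as the SSID itself.
        if rec["psk"] == rec["ssid"]:
            findings.add((rec["controller"], rec["ssid"], "psk-equals-ssid"))
    # A mesh SSID shared by several controllers can be reported as a
    # fake or rogue AP, so every controller using it is flagged.
    for ssid, controllers in controllers_by_ssid.items():
        if len(controllers) > 1:
            for controller in controllers:
                findings.add((controller, ssid, "ssid-shared-across-controllers"))
    return sorted(findings)

if __name__ == "__main__":
    for controller, ssid, finding in audit_mesh_ssids(SAMPLE_INVENTORY):
        print(f"{controller}: {ssid}: {finding}")
```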

Authorizing mesh branch/leaf APs

The pre-configured branch/leaf FortiAP units will connect themselves wirelessly to the WiFi Controller through the mesh network. You must authorize each unit.

  1. Go to WiFi Controller > Managed Access Points > Managed FortiAP. Periodically select Refresh until the FortiAP unit is listed.
    The State of the FortiAP unit should be Waiting for Authorization.
  2. Open the FortiAP entry for editing.
  3. Select the FortiAP Profile to apply.
  4. Select Authorize.
  5. Select OK.
    Initially, the State of the FortiAP unit is Offline. Periodically select Refresh to update the status. Within about two minutes, the state changes to Online.
FortiWiFi unit as root mesh with FortiAP unit as branch/leaf node

Viewing the status of the mesh network

Go to WiFi Controller > Managed Access Points > Managed FortiAP to view the list of APs. The Connected Via field shows Mesh for mesh-connected units and lists the IP address to which they connect.

In the FortiAP CLI, you can check the main ip field in the output from the command:

cw_diag -c mesh