Configuring a FortiWiFi unit as a wireless client
Wireless client configuration is only available on select FortiWiFi models. See FortiWiFi unit as a wireless client for the list of supported models. For most models, the FortiWiFi unit cannot operate as an AP while also operating in client mode. However, select models such as the FortiWiFi 80F series can support AP and client mode concurrently.
Before setting up the FortiWiFi unit as a wireless client using the steps described below, make sure to remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members using the CLI or GUI.
To configure wireless client mode - GUI:
- Go to WiFi and Switch Controller > Local WiFi Radio and change the Mode to Wireless Client.
  Note: You must remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members before you can change the mode to Wireless Client. Once you select Wireless Client, the FortiWiFi unit will reboot.
- Click Add Network and enter the name of the SSID you want to use.
- On 8xF/6xF/40F models, you can select a Security mode; other models will default to WPA/WPA2 Personal.
- Enter a Passphrase if needed.
- Click OK to save the WiFi Network Connection Setting.
- From the Local WiFi Radio page, verify that the WiFi network is connected.
- Go to Policy & Object > Firewall Policy and click Create New to create a firewall policy.
- Enter the following policy information:
  Incoming Interface (srcintf): wifi
  Source Address (srcaddr): all
  For FortiWiFi 80F series models, you must select "aplink" as the destination interface in the firewall policy. Older FortiWiFi models must select "wifi" as the destination interface.
  For more information on the aplink interface, see Understanding FortiWiFi aplink interface.
- Configure the remaining fields as needed. When you are finished, click OK.
To configure wireless client mode - CLI:
- Change the wireless mode to client.
    config system global
        set wireless-mode client
    end
  Note: You must remove any AP WiFi configurations such as SSIDs, DHCP servers, policies, and software switch members before you can change the mode to Wireless Client. Once you select Wireless Client, the FortiWiFi unit will reboot.
- Set up a wifi-network entry under interface "wifi".
    config system interface
        edit "wifi"
            config wifi-networks
                edit 1
                    set wifi-ssid "FOS_61F_psk"
                    set wifi-passphrase *
                next
            end
        next
    end
- Create a firewall policy from "internal" to "wifi".
  For FortiWiFi 80F series models, you must select "aplink" as the destination interface in the firewall policy. Older FortiWiFi models must select "wifi" as the destination interface.
    config firewall policy
        edit 1
            set name "lan"
            set srcintf "internal"
            set dstintf "wifi"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
- Connect a wired client to the internal ports of the FortiWiFi to verify that it can pass traffic to the Internet.
Controlled AP selection support in FortiWiFi client mode
Use the following CLI commands to provide a more controlled AP selection method (supported in FortiWiFi client mode).
Syntax:
    config system interface
        edit {name}
            set wifi-ap-band {any | 5g-preferred | 5g-only}
        next
    end
Configuring a FortiWiFi unit to run in concurrent AP and wireless client mode
FortiWiFi 80F/81F-2R-XX models support concurrent AP and Client mode. When the FortiWiFi is configured to run in wireless client mode and the FortiWiFi local radio connects to a third-party SSID, the local radio can concurrently operate in AP mode to provide service to wireless clients.
To configure concurrent AP and wireless client mode - CLI:
- Configure the FortiWiFi unit to operate in client mode.
    config system global
        set wireless-mode client
    end
- Connect to a third-party SSID, in this example FOS_101F_psk.
    config system interface
        edit "wifi"
            config wifi-networks
                edit 1
                    set wifi-ssid "FOS_101F_psk"
                    set wifi-passphrase *
                next
            end
        next
    end
  Optionally, you can configure the wireless client to use a static IP or DHCP by modifying the addressing mode of the WiFi interface:
    config system interface
        edit "wifi"
            set vdom "root"
            set mode static                       # For static IP. Use "set mode dhcp" for DHCP
            set ip 10.20.80.3 255.255.255.0       # For static IP only
            set allowaccess ping fabric
            set type wireless
            config wifi-networks
                edit 1
                    set wifi-ssid "FOS_101F_psk"
                    set wifi-passphrase *
                next
            end
        next
    end
- Verify the connection between the local radio and the third-party SSID with diag wireless-controller wlsta cfg.
    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlsta cfg
    STA intf name: wlan17
    status: up
    ip: 192.168.81.2
    mac: d4:76:a0:18:e0:8f
    auto connect: yes
    auto save: no
    ap band: any
    wifi network cnt: 1
    1: FOS_101F_psk, 8, 1
    connected: FOS_101F_psk
- Verify the local radio status when working in AP mode with diag wireless-controller wlac -c wtp.
    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlac -c wtp FW81FP-WIFI0 | grep connection
    connection state : Connected
The FortiWiFi unit can now operate in both AP mode and client mode.
To configure VAP and SSID interfaces on the FortiWiFi local radio profile - CLI:
By default, the FortiWiFi local radio has a FWF-default profile; no other profiles can be applied to the local radio. You can modify the band, channel, and SSID selections in the FWF-default profile to apply to the local radio. Wireless clients that connect to the local radio are subject to the FortiWiFi firewall policies.
- Create a new VAP interface and select it in the FWF-default profile.
    config wireless-controller vap
        edit "wifi1"
            set ssid "FOS_lab_psk"
            set passphrase *
        next
    end
    config wireless-controller wtp-profile
        edit "FWF-default"
            config radio-1
                set vap-all manual
                set vaps "wifi1"
            end
            config radio-2
                set vap-all manual
                set vaps "wifi1"
            end
        next
    end
  The local radio applies the profile setting when broadcasting SSIDs.
- Verify that these settings are applied with diag wireless-controller wlac -c wtp.
- Create a firewall policy from "wifi1" to the "aplink" interface to allow wireless clients to pass traffic from the unit.
    config firewall policy
        edit 1
            set name "wifi1"
            set uuid e0140546-1d0d-51ee-da6c-53fb724051ac
            set srcintf "wifi1"
            set dstintf "aplink"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
- Connect a wireless client through the local radio of the FortiWiFi and verify that it has the correct IP and can pass traffic to the Internet with diagnose wireless-controller wlac -d sta online.
    FortiWiFi-81F-2R-POE # diagnose wireless-controller wlac -d sta online
    vf=0 mpId=0 wtp=1 rId=2 wlan=wifi1 vlan_id=0 ip=10.10.80.2 ip6=:: mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user= group= signal=-45 noise=-95 idle=0 bw=0 use=5 chan=108 radio_type=11AX_5G security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
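Added example (not part of the Fortinet documentation): the following Python parses a station record from the "sta online" output shown above and checks that the client is on the expected SSID interface, is online, has an address in the expected subnet, and negotiated the expected security and encryption. The function names, the 10.10.80.0/24 subnet and the second, constructed record are assumptions.

```python
import ipaddress
import re

# Station record copied from the sample output on this page.
PAGE_SAMPLE = (
    "vf=0 mpId=0 wtp=1 rId=2 wlan=wifi1 vlan_id=0 ip=10.10.80.2 ip6=:: "
    "mac=f8:e4:e3:d8:5e:af vci= host=WiFi-Client-2 user= group= signal=-45 "
    "noise=-95 idle=0 bw=0 use=5 chan=108 radio_type=11AX_5G "
    "security=wpa2_only_personal mpsk= encrypt=aes cp_authed=no l3r=1,0 "
    "G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2"
)
# Constructed record (not from the page): field values are assumed for the demo.
CONSTRUCTED_BAD = (
    "vf=0 wtp=1 wlan=wifi1 ip=192.168.1.50 mac=00:00:5e:00:53:01 "
    "security=open encrypt=none online=yes"
)

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_sta(line):
    """Split one 'sta online' record into a dict; empty values stay ''."""
    return dict(FIELD.findall(line))

def check_sta(sta, wlan, subnet, allowed_security, allowed_encrypt=("aes",)):
    """Return a list of findings; an empty list means the record is as expected."""
    findings = []
    if sta.get("wlan") != wlan:
        findings.append(f"unexpected wlan {sta.get('wlan')!r}")
    if sta.get("online") != "yes":
        findings.append("station not online")
    try:
        addr = ipaddress.ip_address(sta.get("ip", ""))
        if addr not in ipaddress.ip_network(subnet):
            findings.append(f"ip {addr} outside {subnet}")
    except ValueError:
        findings.append(f"unparseable ip {sta.get('ip')!r}")
    if sta.get("security") not in allowed_security:
        findings.append(f"security {sta.get('security')!r} not allowed")
    if sta.get("encrypt") not in allowed_encrypt:
        findings.append(f"encrypt {sta.get('encrypt')!r} not allowed")
    return findings

if __name__ == "__main__":
    for rec in (PAGE_SAMPLE, CONSTRUCTED_BAD):
        sta = parse_sta(rec)
        # 10.10.80.0/24 is an assumed subnet for the wifi1 SSID.
        print(sta.get("mac"), check_sta(sta, "wifi1", "10.10.80.0/24", {"wpa2_only_personal"}))
```

Feed it one line per station from saved CLI output; any record that returns a non-empty list deserves a look before the policy to "aplink" is left in place.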