Remote WLANs and split-tunneling subnets

Author
=sergey=
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/09 12:55:20
  • Status: offline
2017/11/04 10:09:42 (permalink) 5.6
0

Remote WLANs and split-tunneling subnets

Hi all,
 
I've already checked tons of manuals, forums, KBs and cookbooks, made hundreds of experiments on live hardware, but can't find the way to do a very simple thing - negating the defined split-tunneling subnets for remote WLANs. I mean the subnets which are defined in config wireless-controller wtp-profile / edit <profile> / conf split-tunneling-acl. It is a nice feature but it works the opposite way it should - the defined subnets are NOT routed to the wireless controller.
 
In most cases, a traveler with a FAP expects direct access to the corp network without slowdowns for other external resources, which 100% occurs if we route all SSID traffic to the WLC. Just imagine how slow it could be if the remote WLAN is deployed in a hotel in Hong Kong, but the WLC is on duty in Portugal.
 
So I think it is quite normal to define just one (or a few) subnets (the internal corporate network) to route via the WLC, and the rest of the traffic should go through the local FAP GW. For now, to implement this and make just one subnet (192.168.0.0/16) be routed to the WLC, I have to define 15 subnets in the wtp-profile, and that is almost the maximum supported number (you can't define more than 16 subnets there). So it is not possible to add even one more routable subnet (let's say, 10.11.232.0/24).
 
Hope I'm missing something, that's why I decided to post it here - maybe someone already knows how to ...
 
Thanks!
post edited by crasher - 2017/11/04 12:33:09
#1
Toshi Esumi
Platinum Member
  • Total Posts : 485
  • Scores: 26
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/11/05 09:57:06 (permalink)
0
As you've already figured from the documentation you went through, FortiAP's split-tunnel seems to have been designed to split local subnet access from the rest going over the CAPWAP tunnel. I'm afraid it wouldn't work for you.
#2
=sergey=
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/09 12:55:20
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/11/05 10:05:17 (permalink)
0
toshiesumi
As you've already figured from the documentation you went through, FortiAP's split-tunnel seems to have been designed to split local subnet access from the rest going over the CAPWAP tunnel. I'm afraid it wouldn't work for you.


CAPWAP is not a tunnel, it's just a provisioning protocol, but thanks for the answer.
#3
wanglei_FTNT
Bronze Member
  • Total Posts : 32
  • Scores: 9
  • Reward points: 0
  • Joined: 2015/07/20 10:10:18
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/11/06 09:46:27 (permalink) Helpful by crasher 2017/11/06 11:24:53
5 (1)
From releases 5.4.6 and 5.6.3, an enhancement in this area has been added. You can set a default action to either local or tunnel and use the ACL to configure exceptions.
 
FW80CM3913601573 (S321C) # set split-tunneling-acl-path ?
tunnel Split tunneling ACL list traffic will be tunnel.
local Split tunneling ACL list traffic will be local NATed
post edited by wanglei_FTNT - 2017/11/06 12:14:07
#4
=sergey=
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/09 12:55:20
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/11/06 11:35:56 (permalink)
0
wanglei@fortinet.com
From release 5.4.6 and 5.6.2, an enhancement in this area has been added.  You can set a default action to either Local or tunnel and use ACL to configure exception. 
FW80CM3913601573 (S321C) # set split-tunneling-acl-path ?
tunnel Split tunneling ACL list traffic will be tunnel.
local Split tunneling ACL list traffic will be local NATed



Hi Wanglei, thank you for the help, but unfortunately I don't have such a command in 5.6.2, at least on the fgt240d.
 
pmk240d (fap21d-split) # set ?
comment Comment.
dtls-policy WTP data channel DTLS policy.
max-clients Maximum number of STAs supported by the WTP.
handoff-rssi Minimum RSSI value for handoff.
handoff-sta-thresh Threshold value for AP handoff.
handoff-roaming Enable/disable handoff when a client is roaming.
ap-country AP country code.
ip-fragment-preventing Prevent IP fragmentation for CAPWAP tunneled control and data packets.
tun-mtu-uplink Uplink tunnel MTU.
tun-mtu-downlink Downlink tunnel MTU.
split-tunneling-acl-local-ap-subnet Enable/disable split tunneling ACL local AP subnet.
allowaccess Allow management access to managed AP.
login-passwd-change Configuration options for login password of managed AP.
lldp Enable/disable LLDP.
pmk240d (fap21d-split) # set split-tunneling-acl-path
command parse error before 'split-tunneling-acl-path'

 
I also have a 100d with the same result on 5.6.2, but have no plans to downgrade to the 5.4 branch. Should I additionally set something somewhere to enable this piece of magic?
 
Thanks!
post edited by crasher - 2017/11/06 11:37:29
#5
wanglei_FTNT
Bronze Member
  • Total Posts : 32
  • Scores: 9
  • Reward points: 0
  • Joined: 2015/07/20 10:10:18
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/12/07 15:03:35 (permalink) Helpful by crasher 2017/11/06 13:06:58
5 (1)
Hi crasher, 
 
For 5.6, it will be in 5.6.3. I have corrected the original post.
 
 
#6
=sergey=
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/09 12:55:20
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/11/06 13:12:36 (permalink)
0
wanglei@fortinet.com
Hi crasher, 
For 5.6, it will be in 5.6.3 I have corrected original post. 



Wow, thanks a lot, it is just great! Hope you release 5.6.3 soon, keeping an eye on it.
 
By the way, I've created a Telegram channel with an automated firmware releases feed to simplify monitoring of fresh ftnt firmwares. Initially I did it for myself, but if anyone is interested, just join https://t.me/fortifw.
 
Cheers.
post edited by crasher - 2017/11/06 13:18:54
#7
=sergey=
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/09 12:55:20
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/12/06 16:49:47 (permalink)
0
Wanglei, hello again, I'm back. :)
 
wanglei@fortinet.com
Hi crasher, 
For 5.6, it will be in 5.6.3 I have corrected original post. 

 
Upgraded to 5.6.3 and tried to use split-tunneling-acl-path with no luck. In my case this command just does nothing. I've made different tests on 100d/240d with a fap21d, but unfortunately can't get it to work as expected. I've even rebooted the AP after modifying the wtp-profile, but it does not help (and it seems not needed, because changes in the profile are propagated to the AP immediately after clicking OK/pressing Enter after next in the CLI).
 
I've made very simple tests, just trying to tunnel 192.168.1.0/24, and right after I add it to split-tunnel-acl it becomes unreachable - that is normal. But there are no changes after setting split-tunneling-acl-path to tunnel OR local - everything works the same way as before, even after reboots/reconnects. So it is still impossible to invert (negate) ACLs for split tunneling.
 
Maybe I'm missing something, because there are no docs available for this feature at this moment?
 
Thanks in advance for your kind help!
#8
=sergey=
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/09 12:55:20
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/12/06 17:12:33 (permalink)
0
This one is from another message thread where you answered me:
 
wanglei@fortinet.com
Please post your complete config and we will check it out and get back to you. 
Thanks,
Lei

 
I think it is better to keep everything here.
 
So, I'm not sure whether you want the complete FG config or just the wireless part? So here it is:
 
config wireless-controller wtp-profile
    edit "fap21d-new"
        config platform
            set type 21D
        end
        config lan
            set port-mode bridge-to-ssid
            set port-ssid "MyFAP21"
        end
        set ap-country US
        set split-tunneling-acl-path tunnel
        set split-tunneling-acl-local-ap-subnet enable
        config split-tunneling-acl
            edit 1
                set dest-ip 192.168.1.0 255.255.255.0
            next
        end
        set lldp enable
        config radio-1
            set band 802.11n-only
            set short-guard-interval enable
            set auto-power-level enable
            set auto-power-high 20
            set auto-power-low 2
            set wids-profile "default"
            set vap-all disable
            set vaps "MyFAP21"
            set channel "1" "6" "11"
        end
    next
end

config wireless-controller wtp
    edit "FAP21D3U16002729"
        set admin enable
        set name "fap21d-fortik"
        set wtp-profile "fap21d-new"
        config radio-1
        end
    next
end

config wireless-controller vap
    edit "MyFAP21"
        set vdom "root"
        set ssid "fortik"
        set schedule "always"
        set split-tunneling enable
        set multicast-enhance enable
        unset broadcast-suppression
        set passphrase ENC =*=
    next
end

config wireless-controller wids-profile
    edit "default"
        set comment "Default WIDS profile."
        set ap-scan enable
        set ap-bgscan-period 300
        set ap-scan-passive enable
        set wireless-bridge enable
        set deauth-broadcast enable
        set null-ssid-probe-resp enable
        set long-duration-attack enable
        set invalid-mac-oui enable
        set weak-wep-iv enable
        set auth-frame-flood enable
        set assoc-frame-flood enable
        set spoofed-deauth enable
        set asleap-attack enable
        set eapol-start-flood enable
        set eapol-logoff-flood enable
        set eapol-succ-flood enable
        set eapol-fail-flood enable
        set eapol-pre-succ-flood enable
        set eapol-pre-fail-flood enable
    next
end

config system interface
    edit "MyFAP21"
        set vdom "root"
        set ip 192.168.22.254 255.255.255.0
        set allowaccess ping
        set type vap-switch
        set scan-botnet-connections block
        set device-identification enable
        set role lan
        set snmp-index 14
        config ipv6
            set ip6-address 2xxx:xx0:xx41:xx8x::1/64
            set ip6-allowaccess ping
            set ip6-send-adv enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2xxx:xx0:xx41:xx8x::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

post edited by =sergey= - 2017/12/06 17:15:50
#9
wanglei_FTNT
Bronze Member
  • Total Posts : 32
  • Scores: 9
  • Reward points: 0
  • Joined: 2015/07/20 10:10:18
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/12/07 15:03:35 (permalink)
0
Tested with the config below and it's working fine.
 
-------------------------- config wtp-profile ------------
FG100D3G15802056 # show wireless-controller wtp-profile FAP14C-default
config wireless-controller wtp-profile
    edit "FAP14C-default"
        config platform
            set type 14C
        end
        config lan
            set port-mode bridge-to-ssid
            set port-ssid "splittun"
        end
        set ap-country US
        set split-tunneling-acl-path tunnel
        set split-tunneling-acl-local-ap-subnet enable
        config split-tunneling-acl
            edit 1
                set dest-ip 90.90.90.0 255.255.255.0
            next
            edit 3
                set dest-ip 8.8.8.8 255.255.255.255
            next
        end
        set allowaccess telnet http https ssh
        config radio-1
            set band 802.11n
            set darrp enable
            set frequency-handoff enable
            set vap-all disable
            set vaps "splittun"
            set channel "1" "6" "11"
        end
    next
end
 
---------------- config vap --------------
config wireless-controller vap
    edit "splittun"
        set vdom "root"
        set ssid "spltun-rt"
        set schedule "always"
        set split-tunneling enable
        unset broadcast-suppression
        set passphrase ENC U2NJE/4uVNzCEBCtXn8MK6kiSLYqY9z8RUHKg97F9+6hJvsy31Srowzk2/OH2Yv2jbWN00uIdW2miyxw7UVBSqKIJU9g98Vv+dP7QqqJ8WyRkSikML35iThKOuxa2biqCSbHdX/IcAhA1BBGHEuV/fVMbuOpxmEK4HVHpQnBDsRu5PC2ppvZ57vbDtCZl8qrKWIOeQ==
    next
end
 
Maybe you can let me know the AP version and the output of ifconfig br0, ifconfig br.ts.0 and vcfg from the FAP. You can telnet into the AP.
#10
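An added model (not FortiAP code, and not from anyone in this thread) of the two ACL semantics discussed in the first post and in the config above: under the legacy behaviour the listed subnets stay local and everything else is tunneled, so tunneling only corporate subnets means listing the complement of those subnets against the 16-entry limit; with split-tunneling-acl-path set to tunnel the list is the set of tunneled destinations instead. The 16-entry limit and the two path meanings come from the thread; the per-packet decision function is an assumption.

```python
import ipaddress

# Entry limit for "config split-tunneling-acl" as reported in the thread.
MAX_ACL_ENTRIES = 16


def complement_prefixes(tunneled):
    """Prefixes covering every IPv4 address NOT in `tunneled`.

    This is the ACL the first post had to build by hand under the legacy
    semantics: one prefix per mask bit of each excluded network.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in map(ipaddress.ip_network, tunneled):
        nxt = []
        for prefix in remaining:
            if net.subnet_of(prefix):
                nxt.extend(prefix.address_exclude(net))  # carve the hole out
            elif prefix.subnet_of(net):
                continue  # wholly tunneled, so it leaves the local set
            else:
                nxt.append(prefix)
        remaining = nxt
    return sorted(remaining)


def acl_fits(acl):
    """True if the ACL respects the 16-entry limit."""
    return len(acl) <= MAX_ACL_ENTRIES


def split_decision(dst, acl, acl_path="local"):
    """Assumed per-packet choice on the AP for destination `dst`.

    acl_path="local":  listed destinations leave via the AP's local gateway,
                       everything else rides the tunnel (pre-5.6.3 behaviour).
    acl_path="tunnel": listed destinations are tunneled, everything else
                       is NATed locally (the new default-action semantics).
    """
    dst_ip = ipaddress.ip_address(dst)
    listed = any(dst_ip in ipaddress.ip_network(n) for n in acl)
    if acl_path == "tunnel":
        return "tunnel" if listed else "local"
    return "local" if listed else "tunnel"


if __name__ == "__main__":
    legacy = complement_prefixes(["192.168.0.0/16"])
    print(len(legacy), "entries needed, fits:", acl_fits(legacy))
    two = complement_prefixes(["192.168.0.0/16", "10.11.232.0/24"])
    print(len(two), "entries needed, fits:", acl_fits(two))
    print(split_decision("192.168.5.5", ["192.168.0.0/16"], "tunnel"))
```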
=sergey=
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/09 12:55:20
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/12/07 17:47:57 (permalink)
0
Same cfg as yours, but absolutely no effect from set split-tunneling-acl-path local or tunnel - the ACL works as before, subnets in the ACL are excluded from tunnel routing, not included, no matter which setting is in use.
 
So, let's say, I'm pinging 192.168.198.1 from the FAP side OK, but right after adding 192.168.198.1/32 to the ACL, the pings stop immediately (actually, they start to be routed via the default FAP gw, and it says "network unreachable" after some delay).
 
I've got the latest 5.6.1 FW on the FAP21D, but very strange - I can't telnet/ssh to it even after set allowaccess telnet http ssh (just timeouts) when it operates in normal mode (associated with the FG and got two IPs with a one-last-digit difference in MACs from the FG's DHCP), only in standalone mode to 192.168.1.2. But in this mode the ifconfigs show nothing interesting. :(
#11
wanglei_FTNT
Bronze Member
  • Total Posts : 32
  • Scores: 9
  • Reward points: 0
  • Joined: 2015/07/20 10:10:18
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/12/07 18:07:00 (permalink)
0
 
This new enhancement requires the FAP code to be upgraded as well. The FAP GA is not released yet; the current 5.6.1 doesn't have the FAP-side change.
 
As for allow-access, please make sure you can ping the AP with the address that you can see under the FGT GUI/Managed AP page.
#12
=sergey=
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/09 12:55:20
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/12/07 21:33:12 (permalink)
0
Wow... I think that should have been mentioned first, about the FAP FW which is not released yet. :)))
So all that I'm trying to do should not work until the new FW is released? The current GA is 5.6.1 Build 0476, which I'm playing with, and it does not support this enhancement, right?
 
As for allow-access, I have a simple config:
 
FAP21D(LAN) <==> (LAN)ROUTER(WAN) <==> [INTERNET] <==> (WAN)FGT
 
So it is normal that you can't ping and interact with the FAP LAN IP (which is displayed in FGT GUI/Managed AP) from the FGT. But from the FAP-side LAN, yes, I can ping the FAP LAN IP, but any connections to it are refused (telnet/ssh/http).
 
Also I see two FAP tunnel IPs in the FGT's DHCP leases, and those IPs I can ping from the FGT side, but it is also not possible to connect to the FAP using those IPs (timeouts).
#13
wanglei_FTNT
Bronze Member
  • Total Posts : 32
  • Scores: 9
  • Reward points: 0
  • Joined: 2015/07/20 10:10:18
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/12/07 22:23:05 (permalink)
0
Hi Sergey,
 
Yes. In order for the new enhancement to work, the FAP side has to support this.
 
For telnet/ssh/http access, I noticed that you didn't enable them in the wtp-profile. Please try to add that in the wtp-profile using the command "set allow-access telnet http ssh" and you should be good to go.
 
Lei
 
 
 
#14
=sergey=
New Member
  • Total Posts : 12
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/09 12:55:20
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/12/10 03:45:02 (permalink)
0
Hi Lei,
 
wanglei@fortinet.com Yes. In order for the new enhancement to work, FAP side has to support this. 

 
Maybe you have an ETA for this update? :)
 
wanglei@fortinet.com For telnet/ssh/http access, I noticed that you didn't enable them from wtp-profile, Please try to add that in the wtp-profile using command "set allow-access telnet http ssh" and you should be good to go

 
Yes, the previous config I posted was missing allowaccess, but later I added it and mentioned it in my previous msg: "I can't telnet/ssh to it even after set allowaccess telnet http ssh (just timeouts) when it operates in normal mode". But still no access to the FAP from any side (the FAP's LAN IP or the tunnel IPs on the FG side). The FAP LAN IP gives connection refused, the tunnel IPs - timeouts, but at the same time they are all pingable.
 
#15
wanglei_FTNT
Bronze Member
  • Total Posts : 32
  • Scores: 9
  • Reward points: 0
  • Joined: 2015/07/20 10:10:18
  • Status: offline
Re: Remote WLANs and split-tunneling subnets 2017/12/11 09:38:49 (permalink)
0
Hi Crasher,
 
I don't have that info on when the next release will be but it should be soon : )
 
As for allowaccess, we only allow remote access to the AP via the AP's management IP (the one that shows up in the FGT managed AP page). It should be a very straightforward configuration. Once you enable it, you can telnet into the box. Please bind a default profile to the AP and see whether it works.
#16