JUVE Consulting BVBA ∙ Roosgrachtlaan 27, B-3400 Landen ∙ Tel.: +32 (491) 56.35.96 ∙
FortiAP 221C, 11C & Fortigate 60D/Fortinet wireless
Table of Contents
1 Introduction
6 Conclusion
1 Introduction
I’ve been running a Fortigate 60D firewall for a while now and was looking to replace my home
wireless with a more stable solution. Since my Fortigate can also act as a WLC (wireless LAN
controller) for FortiAP access points, I decided to give them a try.
The main focus of this document is basic installation and performance, but more features are
available. The test setup has 2 SSIDs configured on the local LAN (one bridged and one
tunneled), and the tunneled SSID is also made available to remote users through the FortiAP 11C.
2 Test setup
For this test, I used 2 FortiAP 221C units. The main specs are:
- Dual radio
- Internal antennas
- 802.11ac capable (on the 2nd radio)
- PoE capable
- 1 Gbps connection
- Firmware 5.2.0
One AP is located on the ground floor and one on the first floor. A mounting bracket is
provided in the package, a power adapter isn’t. I have mine powered by a PoE switch, but you can
use a PoE injector as well (GPI-115).
As remote AP, I’ll be using a FortiAP 11C unit. This is the entry-level thin AP and has the following
specs:
- Single radio
- Internal antenna
- Wireless 802.11b/g/n on 2.4 GHz
- 2 Gbps connections (LAN & WAN)
- Firmware 5.2
This AP will be used in a road-warrior setup and connected to some DSL and cable home Internet
connections for testing.
Unfortunately, I don’t have any 802.11ac capable equipment today, so I wasn’t able to test this.
3 Test configuration
Under Monitor -> Wireless Health you get an overview of generic wireless-related data:
Under Client Monitor, you get an overview of all wireless clients that are currently connected:
Spectrum analysis gives you readings on rogue access points and can help you determine which
wireless channels are best to use. I disabled channel 11 on radio 1, as it is the most used in my
neighbourhood and using it has a performance impact.
The client load-balancing features allow the access points to hand clients over to the least-used
node or to spread the frequencies between the different access points.
By default, the AP and the Fortinet controller support both clear-text and DTLS control channels. If
both are available, clear text is chosen automatically, so encryption is never on unless you force it.
You can force it by changing either the AP or the WLC (WTP) profile configuration. Using DTLS
combined with tunneled traffic (see below) does have a performance impact.
For the FortiAP 11C, since it will be used off-site and needs to reach the firewall over the
Internet, we statically configure the controller’s IP or hostname. Connect to the AP using HTTP
and modify the AC address accordingly:
This allows the AP to connect to the Fortigate on its internal or external interface, no matter
where it is located. For a remote AP you should use DTLS; I chose to force this on the Fortigate
side in the WTP profile, for increased flexibility.
- Bridged to local interface: this will use the AP’s LAN interface to send data to the network.
You can use this mode when the AP is connected directly to your LAN and you want to avoid
the overhead of tunneling traffic towards the Fortigate.
- Tunneled mode: all traffic from and to clients connected to these SSIDs will be sent through
a tunnel between the AP and firewall. You can create several networks assigned to different
profiles and these networks only need to exist at the firewall, not on the AP’s LAN connection
point.
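The settings described above expressed in CLI form, as an added example that is not configuration from the original document: the WTP profile that forces DTLS on the control channel, one bridged and one tunneled SSID, and the static controller address on the FortiAP 11C. The profile and SSID names, the passphrase placeholders and the controller address 203.0.113.10 are assumed; the syntax follows FortiOS 5.2 as I know it, so verify the keywords against your own release.

```text
# FortiGate side (assumed FortiOS 5.2 syntax).
# The CAPWAP control channel is clear text by default when both modes are
# available, so DTLS has to be forced explicitly for the remote AP.
config wireless-controller wtp-profile
    edit "FAP11C-remote"                  # assumed profile name
        set dtls-policy dtls-enabled      # clear-text is the default
        config radio-1
            set mode ap
            set vap-all disable
            set vaps "ssid-tunnel"        # remote AP gets the tunneled SSID only
        end
    next
end

# Two SSIDs: bridged (AP LAN port) and tunneled (CAPWAP data to the FortiGate).
config wireless-controller vap
    edit "ssid-bridged"
        set ssid "home-bridged"           # assumed SSID name
        set local-bridging enable         # traffic leaves via the AP's LAN port
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-STRONG-PASSPHRASE"
    next
    edit "ssid-tunnel"
        set ssid "home-tunnel"            # assumed SSID name
        set local-bridging disable        # traffic is tunneled to the firewall
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-STRONG-PASSPHRASE"
    next
end

# FortiAP 11C side (AP CLI; the document does the same via the AP's web GUI):
# point the AP at the controller statically, then commit the setting.
cfg -a AC_IPADDR_1=203.0.113.10           # constructed example controller address
cfg -c

# Check on the FortiGate that the AP joined (assumed diagnose command):
# diagnose wireless-controller wlac -c wtp
```

Once the AP joins, the session should show as DTLS-protected; a remote AP that still joins in clear text means the policy was applied to the wrong profile.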
There’s little overhead and you don’t notice any difference when connected to this SSID. Video kept
playing smoothly as well.
Both the AP’s and the Fortigate’s CPU usage went very high. While this speed is more than enough
for some surfing and office work, don’t expect to stream full HD content over the DTLS link without
any issues. If the AP is located remotely and needs to connect over an untrusted connection, DTLS
is a must have, so keep this in mind when sizing the equipment.
4.3 Range
One of the main drawbacks of my old wifi equipment was range. I used to have a Linksys WRT54GS,
flashed DD-WRT on it and boosted transmit power to maximum to get some decent coverage. My
second AP was a Netgear router with Wireless-N dual-band radio, and that was barely able to serve
one floor in the house. Roaming between them was also impossible.
I was pleasantly surprised that with 2 access points, I now have decent wireless coverage throughout
the entire house (ground floor, first floor and second floor), even though a lot of concrete and metal
is used throughout the house. Roaming is also working very well, thanks to the cooperation between
the access points. I didn’t perform any VoIP tests yet, but I don’t get disconnected for a minute
anymore when moving from one floor to another.
4.4.3 Firmware
The FAP 221C is a new product and FortiOS 5.2.0 is a new ‘major’ release, so there still are some
hiccups. The AP’s second radio sometimes doesn’t appear as functional in the Managed AP view
while it seems active on the AP itself, making frequent configuration changes confuses the AP and
Fortigate, and I had to reboot the APs 2 or 3 times because of some weird behavior.
Once I settled on a final configuration and didn’t fiddle with it every couple of minutes, the setup
was very stable though. These are minor issues that should disappear in the coming firmware
updates.
5.1 Introduction
After conducting the LAN tests, I set up the FortiAP 11C to be used as a secure connection to the main
network from any remote location. I did perform a speed test with DTLS disabled to show the
difference in speed, but in this scenario you should really choose security over performance.
Performance is pretty good for a remote user, even with DTLS enabled. In any case, it is more than
enough to be able to work and have a video call. Taking Belgium into account, most home
Internet lines do have very high download bandwidth (10 to 160 Mbps), but limited upload
bandwidth of around 4 to 6 Mbps.
5.4 Range
Range is pretty good considering the form factor of the device. It doesn’t go as far as a regular AP,
but I was able to move around on the same floor without losing connectivity. Don’t expect any
decent signal when moving up or down a floor though.
6 Conclusion
I’m very happy with the performance of the APs and the integration between wireless and
security. Range and throughput on the APs are very good; there are some minor bugs in the
current firmware but nothing shocking, and it is very easy to deploy. I didn’t test every feature yet
and focused on performance for now, but I’m very impressed with what you get for the money. Most
APs are a lot more expensive, and having to manage a separate WLC can be a hurdle. Another option
is a cloud-managed network using Meraki/Aerohive/…, but if you already have Fortinet equipment
installed, the seamless integration is a real plus.
As for the FortiAP 11C, it is a really cheap solution to allow people to work remotely without the
hassle of VPN clients, overlapping subnets, … It really is plug&play and very portable.
7 More information
For more information, a live demo or quote, don’t hesitate to contact us:
JUVE Consulting
Jurgen Vermeulen
Jurgen@juve-consulting.be
+32 (491) 56.35.96