Monday, September 30, 2013

The Mad Scientist's Lab

From time to time I need to set up lab devices to troubleshoot particular scenarios. Since it is impractical to have "one of each", I use a lot of virtualization for this. Here are some handy pointers if you have ever wanted to set up your own lab to test things out.

VMware vSphere Hypervisor

VMware vSphere Hypervisor is the free edition of ESXi, the popular bare-metal hypervisor. You can load it on most any hardware and have a host ready to run your virtual lab in minutes.

Fortigate / FortiAnalyzer / FortiManager

These, and an increasing number of other Fortinet products, are available as VMware images. Head over to the support site, look for the firmware images section and get yourself a copy. The images run as a 14-day evaluation. Note that FortiOS is limited to a single VDOM while in evaluation mode.

Vyatta Router

To make things more realistic I tend to put a router in between two firewalls. Vyatta has a free version of its routing software which runs nicely inside the ESXi hypervisor. Its CLI is very Junos-like, so if you are already familiar with Juniper gear that helps immensely. It is significantly different from Cisco's IOS, but well worth jumping into.

Thursday, September 12, 2013

Abort - Abort - Abort

Ever found yourself editing a config from the command line and noticed that you just made a mistake? Wouldn't it be nice not to have to change everything back to the way it was before you commit with "next" or "end"? Simply use the "abort" command: it kicks you straight out of the config shell without saving any of the changes you made there. Keep in mind that "abort" only throws away what has not been saved yet; anything you already committed with "next" earlier in the same shell stays in the configuration.

Friday, September 6, 2013

Wireless Mesh Gotcha

FortiAP wireless access points have the ability to create a full mesh. This is a pretty nifty feature as described in the FortiOS Wireless Deployment Guide:

The access points of a WiFi network are usually connected to the WiFi controller through Ethernet wiring. A wireless mesh eliminates the need for Ethernet wiring by connecting WiFi access points to the controller by radio. This is useful where installation of Ethernet wiring is impractical. 

The AP that is connected to the network by Ethernet is called the Mesh Root node. It is configured with an SSID (also called a virtual access point or VAP) dedicated to backhaul communication with the remote FortiAP units. The backhaul SSID carries CAPWAP discovery, configuration, and other communications that would usually be carried on an Ethernet connection. Regular WiFi clients cannot connect to the backhaul SSID. They connect to the regular SSIDs carried on the access points.
The root node can be a FortiAP unit or the built-in AP of a FortiWiFi unit. APs that serve only regular WiFi clients are called Leaf nodes. Leaf APs that also carry the mesh SSID for more distant Leaf nodes are called Leaf/branch nodes.

In other words, all of the APs can be connected to each other wirelessly, and APs that are not wired into the network backhaul their traffic through other APs. The requirement is that at least one AP in the chain is hard-wired to the network.

A small gotcha is that by default the wireless mesh uses its own internal IP addressing scheme on the wl.mesh interface, and that default falls in 192.168.3.x/24. I found this out the hard way because I have a VPN tunnel to a remote network which also uses 192.168.3.x/24. Looking at the routing table, it was easy to see why I could no longer reach the remote VPN network after I had set up my new wireless access points.

FGT # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S    *> [5/0] via, wan1
C    *> is directly connected, Internal
S    * [1/0] is directly connected, FW_VPN_2_0
C    *> is directly connected, wl.mesh

There are two routes in the routing database for the 192.168.3.x/24 network; the ">" in front of a route shows which one has been selected as the active route. The connected route on wl.mesh wins because a connected route has a lower administrative distance than the static [1/0] route pointing at the VPN interface, so traffic for the remote network never reaches the tunnel. Changing the network on the mesh interface to one that is not in use anywhere else resolves the issue. This can be done in the GUI via "System -> Network -> Interfaces".
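To make that diagnosis repeatable, here is an added example (my own, not part of the original post and not a Fortinet tool): a Python script that parses the output of "get router info routing-table database", lists prefixes that have more than one candidate route together with the ">" winner, and checks a proposed subnet for a new interface against the existing routes before you commit it. The sample output embedded in it is constructed to match the listing above; the addresses in it (203.0.113.1, 192.168.1.0/24) are made up, and 192.168.3.0/24 is used for both the VPN route and wl.mesh as the post describes.

```python
"""Spot conflicting routes in FortiOS 'get router info routing-table database'
output. Added example; the SAMPLE text is constructed, not captured."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample modelled on the listing in the post (addresses made up).
SAMPLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       > - selected route, * - FIB route, p - stale info

S    *> 0.0.0.0/0 [5/0] via 203.0.113.1, wan1
C    *> 192.168.1.0/24 is directly connected, Internal
S    * 192.168.3.0/24 [1/0] is directly connected, FW_VPN_2_0
C    *> 192.168.3.0/24 is directly connected, wl.mesh
"""

# One route line: source code, FIB/selected flags, prefix, optional
# [distance/metric], and the egress interface after the last comma.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z][0-9A-Za-z]?)\s+"
    r"(?P<flags>[*>]*)\s*"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r".*,\s*(?P<iface>\S+)\s*$"
)


@dataclass(frozen=True)
class Route:
    code: str                      # C connected, S static, O OSPF, ...
    prefix: ipaddress.IPv4Network
    ad: int                        # administrative distance
    metric: int
    iface: str
    selected: bool                 # '>' : the route FortiOS chose as active
    in_fib: bool                   # '*' : installed in the forwarding table


def parse_routing_database(text):
    """Parse the route lines, skipping the legend; returns a list of Route."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        # Connected routes carry no [ad/metric]; FortiOS gives them distance 0,
        # which is why a connected route beats a static [1/0] to the same prefix.
        ad = int(m["ad"]) if m["ad"] is not None else 0
        metric = int(m["metric"]) if m["metric"] is not None else 0
        routes.append(Route(
            code=m["code"],
            prefix=ipaddress.ip_network(m["prefix"], strict=False),
            ad=ad,
            metric=metric,
            iface=m["iface"],
            selected=">" in m["flags"],
            in_fib="*" in m["flags"],
        ))
    return routes


def find_conflicts(routes):
    """Prefixes with more than one candidate route, keyed by network."""
    by_prefix = defaultdict(list)
    for r in routes:
        by_prefix[r.prefix].append(r)
    return {p: rs for p, rs in by_prefix.items() if len(rs) > 1}


def selected_route(routes, prefix):
    """The route marked '>' for an exact prefix, or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    return next((r for r in routes if r.prefix == net and r.selected), None)


def overlapping_routes(routes, candidate):
    """Existing routes a planned interface subnet would collide with.

    Run this against the live routing database before assigning an address
    to wl.mesh (or any new interface). The default route is skipped because
    it overlaps everything.
    """
    net = ipaddress.ip_network(candidate, strict=False)
    return [r for r in routes if r.prefix.prefixlen > 0 and r.prefix.overlaps(net)]


def describe(routes):
    """One summary line per conflicting prefix: the winner and what it shadows."""
    lines = []
    for prefix, rs in find_conflicts(routes).items():
        winner = next((r for r in rs if r.selected), None)
        if winner is None:
            lines.append(f"{prefix}: no active route among {len(rs)} candidates")
            continue
        losers = ", ".join(f"{r.code} [{r.ad}/{r.metric}] {r.iface}"
                           for r in rs if r is not winner)
        lines.append(f"{prefix}: active via {winner.code} [{winner.ad}/{winner.metric}] "
                     f"{winner.iface}; shadowed: {losers}")
    return lines


if __name__ == "__main__":
    table = parse_routing_database(SAMPLE)
    for line in describe(table):
        print(line)
    # Candidate subnet for the mesh interface, checked before committing it.
    for r in overlapping_routes(table, "10.200.3.0/24"):
        print("collision:", r)
```

Feed it the real output of "get router info routing-table database" (pasted into a file or piped in) and run overlapping_routes() with the subnet you intend to give the mesh interface; an empty result means the new network does not shadow or get shadowed by any existing route, including VPN statics that only show up with the "*" flag.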