Extending WiFi range with mesh topology


In this example, a second FortiAP are used to extend the range of a WiFi network. The second FortiAP is connected to the FortiGate WiFi controller through a dedicated WiFi backhaul network.

In this example, both FortiAPs provide the example-staff network to clients that are in range.

More mesh-connected FortiAPs could be added to further expand the coverage range of the network. Each AP must be within range of at least one other FortiAP. Mesh operation requires FortiAP models with two radios, such as the FortiAP-221C units used here.

Find this recipe for other FortiOS versions
5.2 | 5.4

1. Creating the backhaul SSID

Go to WiFi Controller > SSID.

Create a new SSID. Set Traffic Mode to Mesh Downlink.

You will need the pre-shared key when configuring the mesh-connected FortiAP.


2. Creating the client SSID

 Go to WiFi Controller > SSID. Create the WiFi network (SSID) that clients will use. client-ssid
Configure DHCP to provide IP addresses for  your clients. client-dhcp

3. Creating the FortiAP Profile

Go to WiFi Controller > FortiAP Profiles and create a profile for the Platform (FortiAP model) that you are using.

Configure Radio 1 for the client channel on the 2.4GHz 802.11n/g Band.

Configure Radio 2 for the backhaul channel on the 5GHz 802.11ac/n Band.


4. Configuring the security policy

Go to Policy & Objects > IPv4 Policy and create a new policy. policy

5. Configuring an interface dedicated to FortiAP

Go to Network > Interfaces and edit an available interface (in this example, port 15). Set Addressing mode to Dedicate to Extension Device. devintf

6. Preauthorizing FortiAP-1

Go to WiFi Controller > Managed FortiAPs and create a new entry.

Enter the serial number of the FortiAP unit and give it a name. Select the FortiAP profile that you created earlier.

Doing this will allow FortiAP-1 to go online as soon as it is connected to the FortiGate. Optionally, you could connect the FortiAP to the FortiGate and then manually authorize it at that point, as will be done with FortiAP-2.


7. Configuring FortiAP-2 for mesh operation

Connect FortiAP-2’s Ethernet port to the FortiGate network interface that you configured for FortiAPs.
Go to WiFi Controller > Managed FortiAPs. Click Refresh every 15 seconds until FortiAP-2 is listed. Select the AP, then select Authorize. AP2-detect
Edit FortiAP-2. Under Managed AP Status, select Connect to CLI.  

Log in with the username admin, then enter the following CLI commands, substituting your SSID and password where necessary:

cfg -a MESH_AP_TYPE=1
 cfg -a MESH_AP_SSID=fortinet.mesh.root
 cfg -a MESH_AP_PASSWD=hardtoguess
 cfg -c

Disconnect FortiAP-2 from the FortiGate.

8. Connecting and authorizing the FortiAPs

Connect FortiAP-1. Go to WiFi Controller > Managed FortiAPs. Click Refresh every 15 seconds until FortiAP-1 is listed.

Power up FortiAP-2. Periodically click Refresh. With a minute or two, Radio 2 of FortiAP-1 will indicate 1 client and FortiAP-2 will be listed as mesh-connected. AP1+2-detect

Go to WiFi Controller > Managed FortiAPs. Edit FortiAP-2. Enter the Name and select the FortiAP Profile that you created earlier.


Click Refresh to update the display as needed. Within a minute or two, FortiAP-2 will be listed as Online. 


9. Results

Go to Monitor > WiFi Client Monitor. Both backhaul and client SSIDs are shown. Click Refresh as needed to see updated information.

Connect to the network near FortiAP-2. The FortiAP column shows  the client is associated with the mesh-connected FortiAP-2.


Connect to the network near FortiAP-1. The FortiAP column shows  the client is associated with FortiAP-1.



Jonathan Coles

Jonathan Coles

Technical Writer at Fortinet
Jonathan Coles is part of the FortiOS Technical Documentation team in Ottawa. He has a B.A. in English from the University of Waterloo and an Electronics Technologist diploma from Conestoga College. Long ago at another company he convinced a documentation manager that he could write. After writing about telephone PBXs, text search software, cell tower planning software, and some less memorable things, he joined Fortinet around the time that FortiOS 3.0 was released.
Jonathan Coles

Latest posts by Jonathan Coles (see all)

  • Was this helpful?
  • Yes   No
  • Andrew Salm

    Am I assuming correctly here that by implementing this I am sacrificing my 5GHz radio for the BackHaul connection and only providing the 2.4GHz (So, no wireless ac) SSID to clients?

    • Victoria Martin

      Hi Andrew,

      You can switch it so that 2.4GHz is used for the BackHaul channel; however, since the BackHaul is likely to have more traffic than the SSID for clients, you may experience performance issues with that set-up.

  • Andres Pantoja

    I have a FortiWIFI 60D (v.5.4.0, build 1011 (GA)) and I’m attempting to configure my FAP221C (v5.2-build0245). My screens don’t see to be matching up. Step 2 – creating the SSID – there is no “role” under traffic mode. In step 5 – I can select the LAN role. More importantly – step 6 – you are configuring to Preauthorize then in the following step 6, you telnet into the device (which seems easier to just right click the AP in the managed FortiAPs and select “edit in CLI”). Anyway – when you enter the commands, there is no cfg command. And if you use the config command, the only option is for radio-1 or radio-2. once in radio, I dont see any options for the commands you listed.

    Your steps are a bit confusing since either parts are missing/different, commands seem to be different and when during step 6 – your preauth? then next step 6, don’t preauth.

    The FortiOS Handbook (for FortiOS 5.4) does not spell it out very clearly at all. I’m new to Fortinet and at this point am unsure if the commands vary upon firmware version and build number; even though I really won’t think so.

    I suppose my best option might be to open a ticket?

    Any direction as to where I am going wrong would be greatly appreciated.

    Thank you!


    • Victoria Martin

      Hello Andres,

      We are going to make sure to review this recipe in the near future, to make sure that all of its steps are still accurate. In the meanwhile, I would recommend getting in touch with Support. We do you have a useful article about working with them that you may be interesting in: cookbook.fortinet.com/how-to-work-with-fortinet-support/

      I hope that helps!

    • Victoria Martin

      Hello again, Andres,

      I just wanted to let you know that we have reviewed this recipe and made some changes to address your comments.