Pham_Phu_Cuong
New Member
September 23, 2016
Question

Clarification on Bridge mode


Hi everyone,

I need some clarification on Bridge mode (when creating the SSID).

It's a FortiGate 90D running firmware version 5.2.7. The FortiAP is connected to the Internal interface.

When an SSID is created, it is shown as a new interface in the Network section. But I don't know how it actually works.

I mean:

- Should the 'Internal' interface option (in the Policy) include all the bridged interfaces? Or do you have to add all the bridged interfaces together with the Internal?

- Does it inherit all the properties of the Internal interface (DHCP, Allowed Protocols, ...)?

- Does a policy created for a particular bridged interface apply only to that interface? Really?

- Does the traffic from the bridged interface to the Internal (and vice versa) travel through the FGT? Do we need a policy for that? Or is it just implicitly allowed?

Regards,

Cuong Pham


    tanr
    New Member
    October 15, 2016

    I realise this is an old post, but just in case you or others are still working on this, I'll list what I've found, at least for 5.4.1. On your version of 5.2.7 it might be different.

    A bridged SSID means that a client connected to the FAP will act like it is directly connected to the physical LAN interface the FAP is connected to.

    If you specify a VLAN for the bridged SSID, the physical port needs to support tagged VLAN packets for that VLAN ID.

    In my experience (all my bridged SSIDs specify a VLAN) the bridged SSID interface is just a placeholder. I do not refer to it in security policies, nor in DNS servers, nor in NTP, nor in DHCP, nor in routes. Instead, all of these (including DHCP) are handled by my rules for the interface object associated with the VLAN interface on the physical LAN interface.

    You can specify WPA2 Personal on the bridged SSID to allow initial authentication and still have your actual VLAN interface require WPA2 Enterprise.

    Pham_Phu_Cuong
    New Member
    October 17, 2016

    Hi,

    Thank you for replying.

    I don't know what is wrong with my post. And I'm still waiting for the information.

    Regards,

    Cuong

    tanr
    New Member
    October 17, 2016

    Hi Cuong,

    Again, this is from my 5.4.1 experience, so your version may be different. I'm also assuming you're talking about a *separate* FortiAP connected to a FortiGate 90D, not a FortiWiFi 90D.

    My understanding of bridge mode is that, once your client has connected to the FortiAP's bridge-mode SSID, it is like they are directly connected to the same network cable the FortiAP is connected to. The FortiAP is just functioning as a bridge (and adding/removing VLAN tags for you if you've specified a VLAN for that SSID). The bridged SSID interface object is just a placeholder and you don't do anything with it.

    One not very detailed reference to this:

    http://kb.fortinet.com/kb....do?externalId=FD35115

    Please note that I'm not a Fortinet employee, so if you need more clarification on this, you should probably open a ticket with Fortinet support.
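As an added illustration of the layout tanr describes in both replies (this is not configuration from the thread, from Fortinet's documentation, or from a FortiOS release), here is a FortiOS CLI sketch of a bridge-mode SSID tagged into a VLAN on the internal port, with the DHCP scope and the firewall policy attached to the VLAN interface rather than to the SSID's placeholder interface. The interface names, VLAN ID 10, addresses, the `wan1` uplink and the passphrase placeholder are assumptions; the FortiAP profile that assigns the SSID to a radio is omitted.

```text
# Assumed names: VLAN sub-interface "vlan10" on "internal", SSID "corp-bridged"
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "internal"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
    next
end

# DHCP scope is bound to the VLAN interface, not to the SSID interface object
config system dhcp server
    edit 10
        set interface "vlan10"
        set default-gateway 10.10.10.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.10.10.100
                set end-ip 10.10.10.200
            next
        end
        set dns-service default
    next
end

# Bridge-mode SSID: the FortiAP tags client frames with VLAN 10 on its wired port
config wireless-controller vap
    edit "corp-bridged"
        set ssid "corp-bridged"
        set local-bridging enable
        set vlanid 10
        set security wpa2-only-personal
        set passphrase "REPLACE_WITH_PASSPHRASE"
    next
end

# Policy references the VLAN interface; "corp-bridged" is never used as srcintf
config firewall policy
    edit 0
        set srcintf "vlan10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Because the FortiAP bridges at layer 2, wireless clients and wired hosts on VLAN 10 reach each other without a FortiGate policy; only traffic leaving the VLAN (here, to `wan1`) is subject to the policy above.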