Difference between "Bridge SSID to FortiGate wired network" and "FortiAP local bridging"

Not sure example #1 is correct.... vlans should be used there not the software switch... I'll check on this.

Thanks for your answers. I understand the difference between the tunnel and the bridge approach. And I was aware of loosing all UTM functionality in bridge mode.

What I don't understood was why Fortinet propose to create an interface on the Fortigate for a bridge approach because the traffic will "leave" the FAP but will still be routed by the Fortigate. I discussed the situation with another person and I might begin to understand:

In the example provided by Fortinet they have a captive portal in use. My read is that you cannot setup a captive portal some other way in a bridge environment. One have to create a switch. From my point of view smaller Fortigate appliances might impact the performance as well because all the traffic is then routed again through a software switch.

I am confident now that the solution without the switch is the right one for me. Thanks for your time and help!

Frederik

Hi

in general you got it...if you use a Captive Portal you have to use tunneled because the Captive Portal is running on the FGT and not on the FAP. In general DO NOT USE software switches is absolutly not recommended and neccessary. Again if you use bridge there is a GOAL to reach meaning like performance isseu getting NOT TO FGT bringen NOT THE traffic to FGT instead go directly. Again in GENERAL you do not need bridge normaly by standard use tunneled on a seperated interface meaning for Captive Portal guest and for internal use. Of course you can mix the stuff meaning using bridge for internal use getting direct to server and Captive Portal tunneled for guest access.

hope this helps

Andrea

Hi

if you like to have the SSID on the same subnet as your LAN for example do following:

- place your AP on the same subnet as your internal LAN. Because -or hopefully- within the internal LAN there is a DHCP server for your client the AP will receive the IP for mgmt. from your DHCP server.

- create a SSID and if you create the SSID set it to bridge as assing the VLAN ID if neccessary (default is 0). Actually if you place the FAP in the same subnet as your client/server you do not need a VLAN ID this is only neccessary if your clients/server are connected to different stuff mixing up on one switch segment. For the SSID define the DHCP server as relay and point it to the DHCP server within the internal LAN.

If the FAP is coming up in this constellation it will request by DHCP a IP for mgmt. only. The SSID is configured with the DHCP relay etc. from this point of view all in the same segment and no traffic goes to the FGT because of the SSID bridged.

Of course you can add another SSID for guest in tunnel mode and with a seperated IP range DHCP server served by SSID meaning FGT.

More or less that's it.....internal use can go directly disadvantage you use all UTM features. Guest must go to FGT because of tunneled and UTM feature can be fully used.

I personaly would never use bridge if I do not have to use for some reason but is my last option :)

Hope this helps

have fun

Andrea

Hi Andrea

I personaly would never use bridge if I do not have to use for some reason but is my last option :)

One example: if you want to add 3 FAPs to a 60D and a 60D has only 175 MBps (roughly 21 MB/s) CAPWAP throughput I have the strong feeling that I will make my internal staff not really happy .

I would love to use a tunnel but my Fortigate just don't have the power for this particular setup - or do I miss something?

Best regards

Frederik

Hi

I understand your doubts but do a test...nothing easier as connect all FAP's to one interface and tunnel all SSID's and go ahead for a test. We have many many customers which are using this config and nobody complains about performance. Keep in mind that this setup is for not only wirlesss meaning all this customers are using by standard cabling for the internal access and the SSID's are used for devices which do not have cabling which means IOS device, android etc. A setup for internal based on -only wireless- I would never do because to many factors are impacting wirless like interferences etc. From this point of view this stuff is mainly used for guest access and for internal access and/or outside world for devices which do not have a cabling etc. Go ahead and do a test...is configured in 5 minutes and you can test and try. Keep in mind that if you do test that UTM features are mainly impacting also the performance like Antivirus, WebFilter etc. If you do test do not doing test with Internet based tools etc. use test tool which you have full controll like:

           http://www.metageek.net/support/downloads                    (inSSIDer für Windows / Mac / Android)            http://www.nirsoft.net/network_tools.html                    (WifiInfoView für Windows)            http://www.ekahau.com/products/heatmapper/overview.html      (HeatMapper für Windows XP / Windows Vista / Windows 7)

or to test over internal server:

http://sourceforge.net/projects/jperf)

Try to eliminate every factor which means UTM feature, duplex mismatch or not known factors like ISP etc.

hope this helps

Andrea