wrlangston
New Member
November 13, 2025
Question

Implementing VLANs in Guest Wireless Network

I have been tasked with deploying a guest wireless network for a facility my company is contracting for. I have a background working with Cisco, but I'm still fairly new to the Fortinet portfolio.

The infrastructure is going to be a FG400F connecting to a FS424E (functioning as the core) which will then connect to however many FS124F (access switches) and then from there a plethora of FAPs. I want to use a VLAN scheme along the lines of this:

VLAN 5 (APs) — 10.0.5.0/23
VLAN 20 (Wireless Client) — 10.0.10.0/22
VLAN 30 (Wired Client) — 10.0.20.0/23
VLAN 40 (Splash Exempt) — 10.0.30.0/24

I've set up the FG, Core SW, and an Access SW already to practice configuring (it's my first time doing anything with a FortiSwitch!). My issue now is that when I create VLANs on the FortiSwitch, I'm not sure how to propagate them to the FAPs. It doesn't seem like I can apply any IPs to the APs themselves (perhaps that's all managed by FortiLink, rendering VLAN 5 moot), but I also don't understand how to make the SSID IPs the same as the VLAN 20 space, as using the same addressing leads to a subnet conflict.

Where I also have confusion is, not only can I create VLANs in the FortiSwitches, I can create them on the FortiGate. Are those relevant? I'm just struggling to wrap my head around all of it. 

2 replies

AEK
SuperUser
November 13, 2025

If you can do it with Cisco then it will be 10 times easier with Fortinet.

Start here:

https://docs.fortinet.com/document/fortiap/7.6.4/fortiwifi-and-fortiap-configuration-guide/405097/wireless-network-example-with-fortiswitch

Then go here:

https://docs.fortinet.com/document/fortiap/7.6.4/fortiwifi-and-fortiap-configuration-guide/210779/wireless-network-configuration-tasks

Regarding your VLAN-related question: with FSW/FAP you work only on the FortiLink. You create all the VLANs you need on the FortiLink, which is the trunk interface in this case.

Besides, the VLANs that you create on FGT physical interfaces are usually trunk links to connect to non-Fortinet switches.

AEK
wrlangston
New Member
November 13, 2025

Thank you! I think I may have overcomplicated it in my head...

I am curious about the SSIDs though. As I understand it from the documentation, this assigns IPs to the APs themselves. Is there any way to assign a VLAN to an SSID?

For example, if I create VLAN 20 for wireless users with a pool that's 10.50.20.2-254, can I make an SSID broadcast that pool without a subnet conflict?

Toshi_Esumi
SuperUser
November 13, 2025

If in tunnel mode, the SSID becomes a separate interface to which you can optionally assign a VLAN ID, and you can/have to assign a separate subnet for DHCP IP handout per SSID.
Since it's a separate interface, you don't have to use a VLAN though. The traffic is encapsulated (separated) in CAPWAP already.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Use-of-Optional-VLAN-ID-in-Tunnel-type-Wireless/ta-p/275908

Toshi

ElwinBERRAR
Explorer III
November 14, 2025

You don’t assign VLANs directly on the FAPs in FortiLink mode because all VLANs are created on the FortiGate and automatically propagated down the FortiLink trunk. For the SSID, use tunnel mode and give that SSID its own interface and subnet, which keeps wireless users separated without creating IP conflicts.
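
An added example, not written by any poster in this thread: a Python check of an addressing plan in which every FortiLink VLAN and every tunnel-mode SSID is treated as its own interface with its own subnet, as the replies describe. The interface names, the /24 mask inferred from the 10.50.20.2-254 pool, and the 10.50.21.0/24 subnet are assumptions made for the example.

```python
import ipaddress
from itertools import combinations


def check_plan(plan):
    """Check a {interface_name: "a.b.c.d/len"} addressing plan.

    Returns (misaligned, overlaps):
      misaligned - {name: canonical_network} for prefixes written with host bits set
      overlaps   - [(name_a, name_b), ...] for interfaces whose subnets share addresses
    """
    nets, misaligned = {}, {}
    for name, cidr in plan.items():
        net = ipaddress.ip_network(cidr, strict=False)  # strict=False masks host bits
        if str(net) != cidr:
            misaligned[name] = str(net)
        nets[name] = net
    overlaps = [
        (a, b)
        for (a, net_a), (b, net_b) in combinations(nets.items(), 2)
        if net_a.overlaps(net_b)
    ]
    return misaligned, overlaps


# Scheme as written in the question; the interface names are hypothetical labels.
QUESTION_PLAN = {
    "vlan5_aps": "10.0.5.0/23",
    "vlan20_wireless": "10.0.10.0/22",
    "vlan30_wired": "10.0.20.0/23",
    "vlan40_exempt": "10.0.30.0/24",
}

# Follow-up question: the tunnel-mode SSID reuses the VLAN 20 pool (assumed /24).
REUSED = {"vlan20_wireless": "10.50.20.0/24", "guest_ssid": "10.50.20.0/24"}

# Same SSID on its own subnet (10.50.21.0/24 is a constructed value).
SEPARATE = {"vlan20_wireless": "10.50.20.0/24", "guest_ssid": "10.50.21.0/24"}

if __name__ == "__main__":
    cases = (("question", QUESTION_PLAN), ("reused", REUSED), ("separate", SEPARATE))
    for label, plan in cases:
        misaligned, overlaps = check_plan(plan)
        print(f"{label}: misaligned={misaligned} overlaps={overlaps}")
```

Run against the scheme in the question, it reports no overlaps but shows that 10.0.5.0/23 and 10.0.10.0/22 are not on prefix boundaries (they fall inside 10.0.4.0/23 and 10.0.8.0/22). Reusing the VLAN 20 subnet on the SSID interface is flagged as an overlap, while giving the SSID its own subnet is not.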