Description
This article describes limitations with software switches.
Scope
FortiAP, FortiWiFi, FortiGate.
Solution
It is possible to make an internal zone a part of a software switch in FortiWiFi. as described in related links below.
However, this is not possible in FortiGate.
The scenario outlined in this article is ideal when assigning DHCP leases to wireless clients via a DHCP server that is located in a LAN.
In order to make an internal interface part of a software switch, it is important to get rid of any IP address assigned to it and remove any references to this interface.
See the example below, where they are marked in yellow.
Create a WiFi interface named ‘wifi_int’ with SSID ‘wireless_network’ using passphrase ‘Fortinet1234’:
config wireless-controller vap
edit "wifi_int"
set vdom "root"
set ssid " wireless_network"
set security wpa-personal
set passphrase "Fortinet1234"
end
config wireless-controller wtp
edit FAPxxxx
set admin enable
set vaps "wifi_int"
end
edit "wifi_int"
set vdom "root"
set ssid " wireless_network"
set security wpa-personal
set passphrase "Fortinet1234"
end
config wireless-controller wtp
edit FAPxxxx
set admin enable
set vaps "wifi_int"
end
Note: the SSID must be created using 'TUNNEL' mode. It is not necessary to assign an IP address or configure a DHCP server under a wireless interface.
As it will be a part of a software switch, an interface with an IP address will not be added.
Also, the DHCP leases will take place through the DHCP server in a LAN, meaning it is not necessary to configure DHCP.
As it will be a part of a software switch, an interface with an IP address will not be added.
Also, the DHCP leases will take place through the DHCP server in a LAN, meaning it is not necessary to configure DHCP.
Create a new software switch and add both the internal interface and SSID interface to it.
Through the CLI:
config system interface
edit lan
set ip 192.168.1.10 255.255.255.0
set type switch
set member "wifi_int" "internal"
end
edit lan
set ip 192.168.1.10 255.255.255.0
set type switch
set member "wifi_int" "internal"
end
Connect the wireless client to the SSID ‘wireless_network’ using the passphrase ‘Fortinet1234’.
Upon trying to connect, the wireless client will reach the DHCP server as the packets are treated the same as on the switch and forwarded to the correct destination, which is the DHCP server.
Troubleshooting
diag sniffer packet any ‘port 67 or port 68’ 4 0 a
diag debug application dhcpc -1
diag debug enable
diag debug application dhcpc -1
diag debug enable
Related document:
