sagha
Staff
Article Id 196399

Description

 

This article describes limitations with software switches.

 

Scope

 

FortiAP, FortiWiFi, FortiGate.

Solution

 

It is possible to make an internal zone a part of a software switch in FortiWiFi, as described in the related links below.
However, this is not possible in FortiGate.

The scenario outlined in this article is ideal when assigning DHCP leases to wireless clients via a DHCP server that is located in a LAN.

 

To make an internal interface part of a software switch, first remove any IP address assigned to it and remove all references to this interface.


See the example below, where the references are marked in yellow.

 

Stephen_G_0-1689342726830.png
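
A pre-check for the cleanup step above, as an added example (not part of the original article and not Fortinet tooling): it scans a saved configuration for an IP address on the interface and for objects that still reference it. The function name and the sample configuration are constructed for illustration.

```python
import re
# Constructed excerpt of `show` output; names and addresses are illustrative.
SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
    next
    edit "wifi_int"
        set type vap-switch
    next
end
config system dhcp server
    edit 1
        set interface "internal"
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
    next
end
"""

def switch_member_blockers(config_text, iface):
    """Return (section, entry, line) for everything that stops iface joining a switch."""
    blockers, section, entry, depth = [], None, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # top-level table; nested tables keep the parent's context
                section, entry = line[len("config "):], None
        elif line == "end":
            depth -= 1
        elif line.startswith("edit ") and depth == 1:
            entry = line[len("edit "):].strip('"')
        elif line.startswith("set "):
            if section == "system interface" and entry == iface:
                # Per the article, an IP address on the interface itself blocks membership.
                if re.match(r"set ip (?!0\.0\.0\.0 )", line):
                    blockers.append((section, entry, line))
            elif f'"{iface}"' in line:  # any other object naming the interface
                blockers.append((section, entry, line))
    return blockers

if __name__ == "__main__":
    for section, entry, line in switch_member_blockers(SAMPLE_CONFIG, "internal"):
        print(f"{section} / {entry}: {line}")
```

An empty result means the interface has no address and no references left in the scanned text.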

 

Create a WiFi interface named ‘wifi_int’ with SSID ‘wireless_network’ using the passphrase ‘Fortinet1234’:
 
config wireless-controller vap
    edit "wifi_int"
        set vdom "root"
        set ssid "wireless_network"
        set security wpa-personal
        set passphrase "Fortinet1234"
    next
end

config wireless-controller wtp
    edit FAPxxxx
        set admin enable
        set vaps "wifi_int"
    next
end
 
Note:
The SSID must be created using 'TUNNEL' mode. It is not necessary to assign an IP address or configure a DHCP server under the wireless interface. Because it will be part of a software switch, it must not have an IP address: an interface with an IP address cannot be added to a software switch.
DHCP leases are issued by the DHCP server in the LAN, so it is not necessary to configure DHCP on the wireless interface.

Untitled1.gif
 
Note: The above images show an address object created when creating an SSID. It is important that the SSID created does not have any references, so it can be added to the software switch, similar to the image below. 'Create address object matching subnet' must be disabled in this case. 
 
SSID_Interface.png

 

To create a new software switch, select in the left main menu: Network -> Interfaces -> Create New -> Interface, then add both the internal interface and the SSID interface to it.
 
 
Through the CLI:
 
config system interface
    edit lan
        set ip 192.168.1.10 255.255.255.0
        set type switch
        set member "wifi_int" "internal"
    next
end

Connect the wireless client to the SSID ‘wireless_network’ using the passphrase ‘Fortinet1234’.

When the wireless client connects, it reaches the DHCP server because its packets are treated the same as on a switch and forwarded to the correct destination, which is the DHCP server.
 
Troubleshooting:
 
diagnose sniffer packet any 'port 67 or port 68' 4 0 a
diagnose debug application dhcpc -1
diagnose debug enable
 
Related document: