FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n and 802.11ax, and the demand for plug and play deployment.
Article Id 272838


This article describes the distinction between SSIDs in Local Bridge and Tunnel modes.




FortiAP 5.x or earlier.

FortiOS 6.x or earlier.




Bridge Mode (Local Bridge):

  • How it Works: In Bridge mode, the SSID is like a bridge between the wireless and wired networks. It allows wireless devices to be part of the same network as wired devices. See how to configure one Bridge SSID on FortiGate here: Technical Tip: How to create a new Bridge SSID with its VLAN dedicated for users.

  • What does work:
    • All devices, wired and wireless, are in the same local network.
    • Devices can easily communicate with each other.
    • Useful for simple, flat network setups.

  • What does not work:
    • Traffic from wireless devices still needs to go through the local network router.
    • Limited control over wireless traffic, which can impact performance and security.
    • Not ideal for large or complex networks.
    • When running client debugs on FortiGate (diagnose wireless-controller wlac sta_filter <mac> 255), the output shows only the authentication process; the DHCP messages are not visible.

  • Performance: Good for small networks, but as the network grows, it can become congested and less efficient.


Tunnel Mode:

  • How it works: In Tunnel mode, the SSID creates a separate network (like a tunnel) for wireless devices. All wireless traffic is encapsulated and sent to the central device (FortiGate) for processing. In fact, a new interface will be created on FortiGate with the SSID name. This will behave as a FortiGate VLAN. See how to configure one Tunnel SSID on FortiGate here: Defining a wireless network interface (SSID).

  • What does work:
    • Enhanced security: All traffic is inspected and controlled at the FortiGate.
    • Better isolation: Wireless devices are separated from the wired network.
    • Easier to manage: Granular control over traffic and policies.
    • Ideal for larger, more complex networks.

  • What does not work:
    • Devices on the wireless network cannot directly communicate with devices on the wired network without going through the central firewall.

  • Performance: Generally delivers better performance and security for larger and more secure network setups.
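
The two modes side by side as FortiGate CLI configuration. This is an added example, not taken from the original article. The SSID names, VLAN ID 20, the wired interface "internal", the 10.10.50.0/24 subnet, the address object "srv-net", policy ID 100 and the passphrases are assumed placeholders.

```fortios
# Added example; every name and value below is an assumed placeholder.
#
# "corp-tunnel": Tunnel mode (local-bridging left at its default, disabled).
#   Client traffic is encapsulated to the FortiGate, which creates an
#   interface named after the VAP entry.
# "lab-bridge": Local Bridge mode. Client traffic is bridged onto the
#   FortiAP's wired port, tagged with VLAN 20, and never becomes a
#   FortiGate SSID interface.
config wireless-controller vap
    edit "corp-tunnel"
        set ssid "corp-tunnel"
        set security wpa2-only-personal
        set passphrase "<placeholder-passphrase>"
    next
    edit "lab-bridge"
        set ssid "lab-bridge"
        set security wpa2-only-personal
        set passphrase "<placeholder-passphrase>"
        set local-bridging enable
        set vlanid 20
    next
end

# The tunnel SSID is addressed like any other FortiGate interface.
config system interface
    edit "corp-tunnel"
        set ip 10.10.50.1 255.255.255.0
    next
end

# Wireless clients reach wired hosts only through an explicit policy,
# which is also where inspection and logging are applied.
config firewall policy
    edit 100
        set srcintf "corp-tunnel"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "srv-net"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
end
```

No equivalent policy can reference "lab-bridge", because a bridged SSID has no interface on the FortiGate; filtering for that traffic has to happen on the wired network that carries VLAN 20.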



  • If simplicity is needed and all devices should be on the same network, Bridge mode can work well for smaller setups.
  • For larger networks with stricter security and traffic control requirements, tunnel mode is recommended. It allows for better management, security, and scalability.

It is important to choose the mode that best suits the network's needs and security requirements. If unsure, reach out to the local Sales Engineer to design the solution that best suits the need or create a new ticket with the Technical Assistance Center through FortiCare.