Help
FortiAP
FortiAP devices are thin wireless access points (AP) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4), as well as 802.11n, 802.11AX , and the demand for plug and play deployment.
Jean-Philippe_P
Moderator
Moderator

Created on ‎07-25-2023 11:43 PM Edited on ‎07-26-2023 10:40 PM

Article Id 265725

Technical Tip: How to allow multiple bridge mode SSID from FortiAP

Description This article describes how to configure to bridge multiple internal networks wirelessly.
Scope FortiAP managed by FortiGate.
Solution

When SSID is configured in bridge mode. It allows devices to connect seamlessly to the network using either wired or wireless means while maintaining a unified network environment. It allows wired and wireless networks to be on the same subnet.


Bridge mode is commonly used in scenarios where network administrators want to extend the coverage of the wired network to areas where it is not feasible to run Ethernet cables, such as in large homes, office buildings, or campuses. 


In this case, it is wanted to bridge all the production VLAN networks present in the trunk interface of FortiGate.

 

JeanPhilippe_P_0-1690353089979.png

 

  1. FortiAP.

Configure Management VLAN .

Any VLAN that is passed from the trunk interface can be assigned as management VLAN for the FortiAP. However, in this case, a separate Management VLAN 40 is configured for ease of understanding. On the interface (Management VLAN), Security Fabric must be enabled for the CAPWAP connection.

 

Assign Management VLAN in FortiAP:

 

JeanPhilippe_P_0-1690353205175.png

 

Here, FortiAP must be connected to a trunk interface that allows all the production VLANs 10, 20, 30 as well as management VLAN 40.

 

  1. FortiGate.

Configure VLAN on Bridge SSID. 

Since it is necessary to bridge the internal VLAN networks through wireless.

 

JeanPhilippe_P_1-1690353315870.png

 

It is necessary to assign a VLAN ID on the 'Optional VLAN ID' of the Bridge Mode SSID.

 

JeanPhilippe_P_2-1690353422573.png

 

Respectively, assign VLAN ID to the SSIDs wanted to bridge wirelessly.

 

JeanPhilippe_P_3-1690353446253.png

 

Assign Bridged SSID to Managed FortiAP.

Assign the Bridged SSID to the FortiAP profile and attach the profile to the Managed FortiAP.

 

JeanPhilippe_P_4-1690353651541.png

 

Configure Firewall Policy.

Allow wired and wireless devices to access external resources by configuring firewall policy facing toward the internet.

 

JeanPhilippe_P_5-1690353651591.png

 

  1. Switch.

Configure trunk interfaces on the switch.

Connect both FortiAP and FortiGate into two separate trunk interfaces of the switch. Allow all the VLANs including management VLAN through the trunk interface. 

 

switch# configure terminal 

switch(config)# interface ethernet 0/1 

switch(config-if)# description “Connected to FGT”

switch(config-if)# switchport trunk allow vlan 10,20,30,40

switch(config-if)# end

 

switch# configure terminal 

switch(config)# interface ethernet 0/2 

switch(config-if)# description “Connected to FortiAP”

switch(config-if)# switchport trunk allow vlan 10,20,30,40

switch(config-if)# end

 

Related Document:

WiFi network with wired LAN configuration.

 

Setting up a WiFi Bridge with a FortiAP.
4683
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.