FortiGate
anikolov
Staff
Article Id 403269
Description This article explains troubleshooting steps and possible remedies for connectivity issues between WiFi clients and the FortiGate/FortiWiFi.
Scope FortiGate.
Solution

Combining a WiFi network and a wired LAN within a software switch is a common configuration when a network administrator wants to simplify administration (same rights for wired and wireless users, fewer policies to administer). It can be achieved as per Technical Tip: How to bridge a FortiGate WiFi network to a wired network or VLAN network.

One of the topics that needs to be handled is DHCP assignment, which can be achieved by following the instructions outlined in Technical Tip: Combining WiFi network and wired LAN with a software switch for DHCP leases.

The purpose of this KB article is to give an idea of what potential issues might arise and the troubleshooting steps to locate the issue.

In this particular case study, the following configuration was in place:

config system interface
    edit "THE_LAN"
        set vdom "root"
        set ip 192.168.44.1 255.255.255.0
        set allowaccess ping https ssh
        set type switch
        set device-identification enable
        set lldp-reception enable
        set lldp-transmission enable
        set role lan
        set snmp-index 21
    next
    edit "THE_WiFi"
        set vdom "root"
        set type vap-switch
        set role lan
        set snmp-index 17
    next
end

config system dhcp server
    edit 1
        set lease-time 86400
        set dns-service default
        set default-gateway 192.168.44.1
        set netmask 255.255.255.0
        set interface "THE_LAN"
        config ip-range
            edit 1
                set start-ip 192.168.44.100
                set end-ip 192.168.44.150
            next
        end
    next
end

config system switch-interface
    edit "THE_LAN"
        set vdom "root"
        set member "THE_WiFi" "port1"
    next
end

config wireless-controller vap
    edit "THE_WiFi"
        set ssid "THE_WiFi"
        set passphrase ENC ****
        set schedule "always"
        set broadcast-suppression dhcp-up dhcp-down dhcp-starvation dhcp-ucast arp-known arp-unknown arp-reply arp-poison arp-proxy netbios-ns netbios-ds ipv6 all-other-mc all-other-bc
        set beacon-advertising name model serial-number
    next
end

The following symptoms are perceived:

  • The WiFi client has no problem getting an IP address, confirmed with 'execute dhcp lease-list' - 192.168.44.101 (MAC address 01:23:45:67:89:ab:cd:ef).
  • The WiFi client cannot ping the gateway 192.168.44.1, nor can the FortiGate ping the client 192.168.44.101.
  • As shown in the sniffer, no traffic arrives from the client, confirmed with 'diagnose sniffer packet THE_LAN "host 192.168.44.101" 4'.
  • The sniffer does not show any ARP messages related to the IP 192.168.44.101 or the MAC address 01:23:45:67:89:ab:cd:ef, confirmed with 'diagnose sniffer packet THE_LAN "arp" 4'.
  • The ARP table has no entry for this IP/MAC address, confirmed with 'get system arp | grep 192.168.44.101' and 'get system arp | grep 01:23:45'.

This indicates that the broadcast suppression settings on the VAP are blocking ARP, as per the configuration:

config wireless-controller vap
    edit "THE_WiFi"
        set broadcast-suppression dhcp-up dhcp-down dhcp-starvation dhcp-ucast arp-known arp-unknown arp-reply arp-poison arp-proxy netbios-ns netbios-ds ipv6 all-other-mc all-other-bc
    next
end

Once the ARP suppression options are relaxed (in this particular case, once arp-poison was removed), connectivity is restored:

config wireless-controller vap
    edit "THE_WiFi"
        set broadcast-suppression dhcp-up dhcp-down dhcp-starvation dhcp-ucast arp-known arp-unknown arp-reply arp-proxy netbios-ns netbios-ds ipv6 all-other-mc all-other-bc
    next
end
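As an added check that is not part of this article or of any Fortinet tooling, the following Python snippet parses pasted CLI output of the two tables involved (switch-interface membership and VAP settings) and reports every VAP that is a software-switch member while still suppressing arp-poison, returning the corrected line. The sample text is constructed from this case study; the parser handles top-level tables only and skips sub-tables.

```python
# Constructed sample of the two CLI tables this article relies on (real output has more settings).
SAMPLE_CONFIG = """config system switch-interface
    edit "THE_LAN"
        set member "THE_WiFi" "port1"
    next
end
config wireless-controller vap
    edit "THE_WiFi"
        set broadcast-suppression dhcp-up dhcp-down dhcp-starvation dhcp-ucast arp-known arp-unknown arp-reply arp-poison arp-proxy netbios-ns netbios-ds ipv6 all-other-mc all-other-bc
    next
end
"""
# The option whose removal restored ARP for the bridged client in this case study.
ARP_BLOCKING_OPTIONS = {"arp-poison"}

def parse_sections(config):
    """Map each top-level 'config X ... end' table to {entry: [set lines]}; sub-tables are skipped."""
    sections, stack, entry = {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("config "):
            stack.append(line[7:])
            sections.setdefault(stack[0], {})
        elif line == "end":
            entry = None if len(stack) == 1 else entry  # leaving a top-level table
            stack.pop()
        elif len(stack) != 1:
            continue  # inside a sub-table such as 'config ip-range'
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            sections[stack[0]][entry] = []
        elif line.startswith("set ") and entry is not None:
            sections[stack[0]][entry].append(line)
    return sections

def bridged_vaps(sections):
    """VAP names that appear as 'set member' of a software switch."""
    members = {m.strip('"') for settings in sections.get("system switch-interface", {}).values()
               for s in settings if s.startswith("set member ") for m in s.split()[2:]}
    return members & set(sections.get("wireless-controller vap", {}))

def check_vaps(config):
    """{vap: corrected 'set broadcast-suppression' line} for bridged VAPs still suppressing an ARP option."""
    sections, findings = parse_sections(config), {}
    for vap in bridged_vaps(sections):
        for s in sections["wireless-controller vap"][vap]:
            opts = s.split()[2:]
            if s.startswith("set broadcast-suppression ") and ARP_BLOCKING_OPTIONS.intersection(opts):
                kept = [o for o in opts if o not in ARP_BLOCKING_OPTIONS]
                findings[vap] = "set broadcast-suppression " + " ".join(kept)
    return findings
```

Paste the output of 'show system switch-interface' and 'show wireless-controller vap' into check_vaps; an empty result means no bridged VAP is suppressing arp-poison.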