Description
This article describes how to keep a WiFi network on the same subnet as a LAN or desired VLAN network. This is important as a FortiGate unit requires each network interface to have a single unique network segment.
Scope
FortiGate.
Solution
Note: Bridge mode is not available on local WiFi radio on FortiWifi. Instead, use a software switch by following the instructions in Technical Tip: Combining WiFi network and wired LAN with a software switch for DHCP leases.
To create a bridged WiFi and wired LAN configuration, it is necessary to configure the SSID with the local bridge option so that traffic is sent directly over the FortiAP unit’s Ethernet interface to the FortiGate unit, instead of being tunneled to the WiFi controller.
- Navigate to WiFi Controller -> SSIDs.
- Give a name then select the traffic mode as 'Bridge', and configure the SSID and passphrase.
If it is necessary to have the WiFi network on the same subnet of the VLAN network that is configured in FortiGate, enter the VLAN ID. By default, the VLAN ID is 0.
- Navigate to WiFi Controller -> FortiAP profiles -> Edit the FortiAP profile applied to the AP, then select the bridge SSID.
Configure the bridge SSID with CLI commands.
This example creates a WiFi interface 'Corporate_WiFi' with SSID 'Office_WiFi' using the WPA-Personal security passphrase 'Fortinet1'.
config wireless-controller vap
show
config wireless-controller vap
edit "Corporate_Wifi"
set ssid "Office_Wifi"
set passphrase ENC
set local-bridging enable
set schedule "always"
set vlanid 10
next
end
config wireless-controller wtp-profile
edit "FAP221C-default"
set handoff-sta-thresh 55
config radio-1
set band 802.11n,g-only
set vap-all bridge
set channel "1" "6" "11"
end
If the DHCP server is configured on a LAN interface, WLAN clients get an IP from the LAN DHCP lease scope on the FortiGate. If there is a DHCP server, it is not necessary to create a DHCP relay since both the WLAN and LAN fall under the bridge interface.
Note:
- For Bridge mode SSID to work, the VLAN-10 interface must be added to the Allowed VLANs of the switch port, where the FortiAP is connected. Otherwise, the Workstations will not get the DHCP IP and the traffic will be dropped at the Switch Port.
- If the FortiAP is connected on same VLAN, then no need to specify the optional VLAN ID to be broadcasted by the access point. Traffic on that bridged SSID will already be tagged on the same VLAN as the FortiAP.
Here is a picture for reference:
Note:
FortiAPs are connected to port 7-PoE of FortiSwitch and are managed through the FAP_MGMT VLAN interface.
A firewall policy cannot be created using a Bridge SSID because, in bridge mode, wireless client traffic is directly bridged to the local network (LAN/VLAN).
To enforce firewall policies, a Tunnel SSID must be used.
Note:
- This also applies when binding an SSID to a FortiLink interface VLAN. For more details, refer to Technical Tip: How to create a new Bridge SSID with its VLAN dedicated for users.
- Bridge mode SSID does not support Disclaimer Only and Disclaimer + Authentication captive portal. Bridge mode supports external authentication captive portals.
Related documents:
Captive Portal Security
Troubleshooting Tip: Wireless clients do not receive IP through DHCP from Bridged SSID
