Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sandeep_FTNT
Staff
Staff

Created on ‎10-14-2014 07:01 AM Edited on ‎02-26-2025 09:29 PM By Community Manager

Article Id 196002

Technical Tip: How to bridge a FortiGate WiFi network to a wired network or VLAN network

Description

 
This article describes how to keep a WiFi network on the same subnet as a LAN or desired VLAN network. This is important as a FortiGate unit requires each network interface to have a single unique network segment. 
 
Scope
 
FortiGate.


Solution

 
Note: Bridge mode is not available on local WiFi radio on FortiWifi. Instead, use a software switch by following the instructions in Technical Tip: Combining WiFi network and wired LAN with a software switch for DHCP leases.
 
To create a bridged WiFi and wired LAN configuration, it is necessary to configure the SSID with the local bridge option so that traffic is sent directly over the FortiAP unit’s Ethernet interface to the FortiGate unit, instead of being tunneled to the WiFi controller.
 
  1. Navigate to WiFi Controller -> SSIDs.
  2. Give a name then select the traffic mode as 'Bridge', and configure the SSID and passphrase.


appp.PNG


If it is necessary to have the WiFi network on the same subnet of the VLAN network that is configured in FortiGate, enter the VLAN ID. By default, the VLAN ID is 0.

 

  1. Navigate to WiFi Controller -> FortiAP profiles -> Edit the FortiAP profile applied to the AP, then select the bridge SSID.
 
ssidd.PNG

 

Configure the bridge SSID with CLI commands.

This example creates a WiFi interface 'Corporate_WiFi' with SSID 'Office_WiFi' using the WPA-Personal security passphrase 'Fortinet1'.

config wireless-controller vap

show

config wireless-controller vap

    edit "Corporate_Wifi"

        set ssid "Office_Wifi"

        set passphrase ENC

        set local-bridging enable

        set schedule "always"

        set vlanid 10

    next

end


config wireless-controller wtp-profile
    edit "FAP221C-default"
        set handoff-sta-thresh 55
            config radio-1
                set band 802.11n,g-only
                set vap-all bridge
                set channel "1" "6" "11"
end

If the DHCP server is configured on a LAN interface, WLAN clients get an IP from the LAN DHCP lease scope on the FortiGate. If there is a DHCP server, it is not necessary to create a DHCP relay since both the WLAN and LAN fall under the bridge interface. 

Note:

For Bridge mode SSID to work, the VLAN-10 interface must be added to the Allowed VLANs of the switch port, where the FortiAP is connected. Otherwise, the Workstations will not get the DHCP IP and the traffic will be dropped at the Switch Port.

 

Here is a picture for reference:

 

swport.png

 

Note:

FortiAPs are connected to port 7-PoE of FortiSwitch and are managed through the FAP_MGMT VLAN interface.

A firewall policy cannot be created using a Bridge SSID because, in bridge mode, wireless client traffic is directly bridged to the local network (LAN/VLAN).

 

To enforce firewall policies, a Tunnel SSID must be used. 

 

Note:

 

Related document:
Captive Portal Security

Labels:
15190
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.