jera
Staff
Article Id 407311
Description This article describes how to create a dedicated wireless-only network in Tunnel mode. Client traffic is tunneled back to the FortiGate over CAPWAP and managed centrally.
Scope FortiGate v7.4.8
Solution
  1. Navigate to WiFi Controller -> SSIDs -> Create. Configure a new SSID by adding a name.
  2. Choose the traffic mode as 'Tunnel-mode'.
  3. Add the IP or Network Mask for the wireless interface.

 

  4. Enable DHCP. The address range will be automatically populated based on the IP Network assigned to the SSID.

 

 

  5. Complete the WiFi settings by adding the SSID and passphrase. Keep the rest of the configuration at its defaults, or configure RADIUS if necessary.

 

  6. Create an AP profile for a specific hardware model: WiFi Controller -> FortiAP profiles -> Create.
  7. Supply the name and the hardware model for the platform on which the profile will be applied.

  8. By default, all Tunnel-mode SSIDs are assigned to the profile. The SSIDs must be the same for Radio 1 and Radio 2. Leave the rest of the settings at their defaults. Select 'OK' to save.

 

  9. Create a firewall policy to allow internet traffic for the wireless network. Ensure that the SSID is selected as the Incoming interface and the Internet-facing Interface as the Outgoing Interface.
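
The same procedure expressed in the FortiOS CLI, as an added example that is not part of the original article. The names corp-wifi and FAP231F-tunnel, the 10.10.80.0/24 subnet, the 231F platform type and wan1 as the Internet-facing interface are assumptions; the SSID security mode is left at its default, and a new VAP uses tunnel mode unless local bridging is enabled.

```fortios
# Assumed values: corp-wifi, FAP231F-tunnel, 10.10.80.0/24, model 231F, wan1.
config wireless-controller vap
    edit "corp-wifi"
        set ssid "corp-wifi"
        set passphrase <passphrase>
    next
end
config system interface
    edit "corp-wifi"
        set ip 10.10.80.1 255.255.255.0
    next
end
config system dhcp server
    edit 0
        set interface "corp-wifi"
        set default-gateway 10.10.80.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.10.80.2
                set end-ip 10.10.80.254
            next
        end
    next
end
config wireless-controller wtp-profile
    edit "FAP231F-tunnel"
        config platform
            set type 231F
        end
        config radio-1
            set vap-all tunnel
        end
        config radio-2
            set vap-all tunnel
        end
    next
end
config firewall policy
    edit 0
        set srcintf "corp-wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```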

 
