mbigini
Staff
Article Id 394328

Description: This article describes how to configure a FortiGate to manage FortiAPs while routing is handled by an external device.
Scope: FortiGate and FortiAP.
Solution

FortiAPs can be deployed in Tunnel, Bridge, or Mesh mode across various network topologies and are managed directly by a FortiGate firewall.

This article describes a scenario where FortiAPs are managed by FortiGate, but routing is handled by a third-party device, such as an external router.

Step 1:

Create a new SSID in Tunnel Mode and set the IP to 0.0.0.0/0.0.0.0.

Fill in the remaining settings as needed (SSID name, password, and so on).

config wireless-controller vap
    edit "External_WiFi"
        set ssid "External-wifi"
        set passphrase <strong_password>
        set schedule "always"
    next
end

Step 2:

Create a new switch interface, select the previously created SSID, and add both the SSID and the interface connected to the external router as members.

Note: The option 'Intra-switch policy' can only be configured at this step.

  • Implicit: No policies are required between interface members; traffic will not be offloaded (Default setting).

  • Explicit: Specific policies are required between interface members; traffic will be offloaded, and security profiles can be used.

config system interface
    edit "switch_wifi"
        set vdom "GUEST_wifi"
        set type switch
        set lldp-transmission enable
        set role lan
    next
end
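
The following is an added example, not part of the original article and not Fortinet code: a Python check over a configuration backup that flags any software switch bridging an SSID while the intra-switch policy from the note in Step 2 is left at implicit, so no firewall policy or security profile sits between wireless clients and the other member. It assumes membership and policy mode are stored under `config system switch-interface` as `set member` and `set intra-switch-policy`; the sample backup and the names port2, port3, Lab_WiFi and switch_lab are constructed.

```python
import shlex

# Constructed sample backup, not from the article; port2, port3 and the "lab" names are hypothetical.
SAMPLE_CONFIG = """\
config wireless-controller vap
    edit "External_WiFi"
        set ssid "External-wifi"
    next
    edit "Lab_WiFi"
    next
end
config system switch-interface
    edit "switch_wifi"
        set member "External_WiFi" "port2"
    next
    edit "switch_lab"
        set member "Lab_WiFi" "port3"
        set intra-switch-policy explicit
    next
end
"""

def parse_section(config, header):
    """Return {entry: {setting: [values]}} for one top-level config section."""
    entries, current, inside, depth = {}, None, False, 0
    for line in (raw.strip() for raw in config.splitlines()):
        if not inside:
            inside = line == "config " + header
        elif line.startswith("config "):
            depth += 1  # nested table inside an entry: skip its contents
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            current = entries.setdefault(shlex.split(line)[1], {})
        elif depth == 0 and line.startswith("set ") and current is not None:
            key, *values = shlex.split(line)[1:]
            current[key] = values
    return entries

def implicit_wifi_switches(config):
    """List (switch, ssid_members) where an SSID is bridged without explicit policies."""
    vaps = set(parse_section(config, "wireless-controller vap"))
    findings = []
    for name, cfg in parse_section(config, "system switch-interface").items():
        ssids = [m for m in cfg.get("member", []) if m in vaps]
        if ssids and cfg.get("intra-switch-policy", ["implicit"]) != ["explicit"]:  # unset = implicit
            findings.append((name, ssids))
    return findings
```

Calling `implicit_wifi_switches(SAMPLE_CONFIG)` reports `switch_wifi` and not `switch_lab`. The parser reads only the first occurrence of each section, so a backup that contains a section more than once has to be split before checking.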