- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Bridging SSID via VLANs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Anonymous
Not applicable
Created on 04-18-2022 06:32 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bridging SSID via VLANs
Hi all, I would greatly appreciate help in resolving a problem I have with FG-80F and FAP-433F both on 7.2.0 where I'm trying to bridge WiFi with local interface using VLANS, without software switch.
Configuration:
- System/Settings/VLAN switch mode: on
- ports 1-4 as "internal_LAN", VLAN Switch with VLAN 167. This interface is configured with an IP and DHCP. All hosts connecting to this IF get IP fine.
- ports 5-6 as "internal_IoT" - VLAN 50, I've tried different configs but for now it's unconfigured
- FAP is connected to FG port 4 (which is internal_LAN)
"WiFi_LAN" SSID for my LAN is configured as "bridge" and since it is physically connected to VLAN 167, it works fine bridging WiFi with LAN.
I'm trying to create a "WiFi_IoT" as bridge specifying "OPTIONAL VLAN ID" 50 and have it bridged with "internal_IoT".
Here is what I've tried so far.
Software switch: SS requires tunneling mode for SSID but then it's pretty easy, add SSID and unconfigured physical interfaces into it, configure SS with IP and DHCP and all connected get IP - done but not in bridge and no VLANs
I tried, deleting "internal_IoT" VLAN switch to free up ports 5 and 6, then creating a VLAN 50 subinterface for SS: remove IP and DHCP from SS, configure SS VLAN (50) with IP and DHCP, then if I specify "OPTIONAL VLAN ID" (50) for "WiFi_IoT" (which is a member of SS) - wifi clients get IP fine, but no matter what I do, physical interfaces 5 and 6 (which I added to SS for this config) never get served IP.
I tried creating VLAN SWITCH, adding 4 and 5 to it, then creating VLAN as subinterface with IP and DCHP but physical interfaces never get served by it.
I've tried creating VLAN SWITCH with ID 50 and no IP config, then adding it to SS but physical ports again never get served with IP
Since AP is physically connected to "internal_LAN", I tried setting VLANFORWARD as enabled for "internal_LAN" VLAN SWITCH thinking that it would pass traffic from AP tagged to other VLANs but no avail.
I've seen youtube where bridging SSIDs to VLANs in "bridge" mode and specifying "optional vlan id" was done but in that config AP was connected to FortiSwitch 108 which was then fortilinked to FG
Is there a way for me bridge SSIDs to FG using VLANs?
Solved! Go to Solution.
2 Solutions
Created on 04-22-2022 12:01 PM Edited on 04-22-2022 12:02 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, additional bridging would simply consist of the repetition of:
- set the "optional" VLAN ID for the bridged SSID
- create VLAN-SWITCH with the same VLAN-ID (solution #1) / or create another VLAN-interface on top of the HW-switch with the same VLAN-ID (solution #2)
And you're right about "wouldn't I need internal1 to assign IP to AP?". That's the part where I am not certain about solution #1. I suspect that the trunk-interface may not accept untagged traffic.
If you're willing to test this, and the trunk-interface indeed does not accept untagged frames from the FortiAP, then you could consider setting the management VLAN-ID for the FortiAP, as described in this KB . If you choose to go this way, then you will additionally need to make one more VLAN-switch with the same VLAN-ID. This would then be the place to configure the IP/subnet/DHCP for the FortiAP.
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
THANK YOU FOR YOUR HELP!
You were right - trunk port did not take untagged traffic from the AP.
I need another VLAN switch for FAP management but I couldn't add a trunk port into that switch and I dont have any more free ports to populate the switch with.
Here is what I ended up doing that worked (kind of):
- unset trunk for the port FAP is connected to, let's call it port "B"
created a new VLAN switch ("mgmt FAP") with ID 200, IP, and DHCP, populated with port "B" - FAP did not need any modifications, it obtained the IP from VLAN switch and came online but, as expected, none of bridged SSIDs worked
- without removing port "A" from the "mgmt FAP" switch, config system interface edit "B" set trunk enable
- all bridged SSIDs became visible to their respective VLANs and accepted clients
So, everything works as expected except no changes can be made to "mgmt FAP" switch UNLESS port "B" is unset trunk.
Is this normal?
I've tried, per article you referenced upstream, to configure FAP management for manual IP and VLAN but that configuration still requires a VLAN switch on FG, which, again, needs at least one interface that I dont have.
Is there a better way or did I miss anything?
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello FortiForum,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Anthony-Fortinet Community Team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey FortiForum,
I am by no means an expert in all things SSID bridging and VLAN, but I think your issue is the following:
- your SSID is in bridge mode
- it is physically connected on port4, so FortiGate considers the SSID a part/extension of port4
-> port1-4 are a switch
-> SSID is technically part of this because it is technically a part of port4
You're looking to have the SSID bridged to interfaces it is not physically connected to, correct?
Or do you want to have the SSID both bridged to port1-4 (VLAN 167) AND port5/6 (VLAN50)?
From what I could find, you might need a VLAN interface with ID 50 on port4, and with VLAN ID 50 in SSID, the SSID should be considered part of the VLAN ID, not part of the physical port4
Then you could use the VLAN interface + port5 + port6 and create a switch with subnet and DHCP (or VLAN 50 interfaces on port5/port6)
If I'm wrong, please let us know and we will continue to see what documentation we can find.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Debbie, thank you for your attention.
The ultimate goal is NOT to use tunnel mode on any SSID but instead bridge them to their respective VLANs. Pardon my switcharoo game, but in my initial ports I used hypothetical interfaces and port numbers, but the principal is the same. Below is my actual configuration. AP is connected to FG-80F to port "b"
The goal is:
- IoT to be on VLAN 30 including physically connected devices as well as connected to "wifi IoT"
- My main network on VLAN 167, similarly to IoT, including physically connected and "wifi LAN"
- Both of the above wifi to stay in "bridge" mode
You see, I understand that since AP is physically connected to VLAN switch "internal LAN" port "b" and considered to be a part of it, shouldn't there be a way for that switch to "forward" other VLANS?
Then I can specify "OPTIONAL VLAN" 30 for "wifi IoT", create a new HW VLAN switch "internal IoT" with "VLAN ID" 30, add internal5 and "wifi IoT" to it?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have two suggestions to feed the discussion, but neither is perfect. Hopefully someone will be able to flesh it out further...
Some assumptions for the example below:
- internal1 - interface facing the FortiAP
internal2 ~ 3 - interfaces facing the IoT devices - FortiAP's own management traffic does not use VLAN-ID (untagged)
locally-bridged SSID "IoT" is set to tag client traffic with VLAN-ID 50
IoT devices expect untagged frames (VLAN 50 is the "native" vlan for that segment)
Let me know if this roughly matches your goal. (If it's too different, we may need to re-think the sample setup below)
Idea #1: Using VLAN-switch
- The interface facing the FortiAP should be set to trunk:
config sys interface > edit internal1 > set trunk enable
- The interfaces facing the IoT devices should be included in a VLAN switch with VLAN ID 50.
At this point, client traffic should behave like so:
- Packets from the bridged SSID are VLAN-tagged (50) by the FortiAP, accepted on the trunk-interface, and forwarded out of the IoT VLAN-switch with the tag stripped (native VLAN).
- In the reverse direction, IoT devices send untagged packets into the IoT VLAN-switch, the VLAN-tag (50) is attached and they are forwarded out of the trunk-interface to the FortiAP.
However, I am uncertain as to what should happen to the FortiAP's traffic.
By default it will hit the trunk-interface with no VLAN-tag, and I was not able to find out what happens to untagged frames hitting the trunk-interface. If they get dropped, then this is likely a show-stopper for this solution attempt. (there also doesn't seem to be any sort "set native-vlan" option for the trunk-interface)
If perhaps you could make the FortiAP tag its own management traffic, then that could let you steer its traffic through the trunk-interface into another VLAN-switch (matching the given VLAN-ID)?
Idea #2: Using the "traditional" hardware switch + VLANs on top of it
With the non-VLAN-switch approach, things could work like so:
- hardware switch interface (ports 1~3): process untagged frames -> handle FortiAP management traffic
- VLAN interface on top of the HW switch: process wifi client frames tagged by FortiAP, and egress traffic towards the wired IoT clients, but still VLAN tagged(!)
Con: You would need another switch on the path to strip the VLAN-tag if the IoT devices expect untagged frames.
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your time. Your assumptions are almost correct with one omission: there is still "internal LAN" interface that should be bridged with "wifi LAN" to service VLAN 167
Idea #1
So, for this great idea I would need:
- remove internal1 from all interfaces and make it physical, unconfigured (no VLAN, no IP, no DHCP) or with IP config but no VLAN?, and set trunk enable
- attach AP to internal1 - wouldn't I need internal1 to assign IP to AP?
- create VLAN switch for IoT with internal1-3, VLAN ID set to 50, IP and DHCP configured
- create VLAN switch for LAN with internal4-6, VLAN ID set to 167, IP and DHCP configured
WiFi Config:
- IoT wifi - in bridge mode, Optional VLAN ID set to 50
- LAN wifi - in bridge mode, Optional VLAN ID set to 167
Correct?
Created on 04-22-2022 12:01 PM Edited on 04-22-2022 12:02 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, additional bridging would simply consist of the repetition of:
- set the "optional" VLAN ID for the bridged SSID
- create VLAN-SWITCH with the same VLAN-ID (solution #1) / or create another VLAN-interface on top of the HW-switch with the same VLAN-ID (solution #2)
And you're right about "wouldn't I need internal1 to assign IP to AP?". That's the part where I am not certain about solution #1. I suspect that the trunk-interface may not accept untagged traffic.
If you're willing to test this, and the trunk-interface indeed does not accept untagged frames from the FortiAP, then you could consider setting the management VLAN-ID for the FortiAP, as described in this KB . If you choose to go this way, then you will additionally need to make one more VLAN-switch with the same VLAN-ID. This would then be the place to configure the IP/subnet/DHCP for the FortiAP.
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
THANK YOU FOR YOUR HELP!
You were right - trunk port did not take untagged traffic from the AP.
I need another VLAN switch for FAP management but I couldn't add a trunk port into that switch and I dont have any more free ports to populate the switch with.
Here is what I ended up doing that worked (kind of):
- unset trunk for the port FAP is connected to, let's call it port "B"
created a new VLAN switch ("mgmt FAP") with ID 200, IP, and DHCP, populated with port "B" - FAP did not need any modifications, it obtained the IP from VLAN switch and came online but, as expected, none of bridged SSIDs worked
- without removing port "A" from the "mgmt FAP" switch, config system interface edit "B" set trunk enable
- all bridged SSIDs became visible to their respective VLANs and accepted clients
So, everything works as expected except no changes can be made to "mgmt FAP" switch UNLESS port "B" is unset trunk.
Is this normal?
I've tried, per article you referenced upstream, to configure FAP management for manual IP and VLAN but that configuration still requires a VLAN switch on FG, which, again, needs at least one interface that I dont have.
Is there a better way or did I miss anything?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, this only worked until next reboot at which point the trunked port "B" is removed from "mgmt FAP" switch and all communication with the FAP is lost, taking all SSIDs with it
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, I've settled at:
- keep port "B", to which FAP-433F is connected, as trunk enable
- logically hang FAP to IoP VLAN 20 and manually assign IP/SM/DG/DNS
- all SSID can be in bridge mode with respective VLAN IDs set, except GUEST which does not have a hardware VLAN switch
- GUEST wifi is tunneled with "OPTIONAL VLAN ID" as 0
Related Posts
- Wifi-Bridge with FortiWifi as controller in... 276 Views
- Captive Portal provided by Cisco ISE... 899 Views
- VLAN tagging on tunnel SSID 430 Views
- vlan creation question in Fortigate 423 Views
- Bridged SSID to be setup with... 334 Views
Labels
-
FortiGate
6,490 -
FortiClient
1,294 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
57 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
18 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.