Hello friends,
I need some support in the configuration of a FortiAP.
I have a specific vlan (with vlan-id 99) for all FortiAPs connected to my FortiGate-firewall. This vlan
is the management-VLAN for the FortiAPs.
My goal is that the FortiAPs broadcast a wifi-network which is bridged to my lan-network (connected to port2 of the FortiGate-firewall). But how to configure it? If I choose "Bridge" as "Tunnel Mode" in the configuration of the SSID then the wireless-clients get an ip-address in the management-vlan of the FortiAPs.
If I choose "Tunnel" as "Tunnel Mode" I get a new (wifi)-interface on the FortiGate-firewall (with the name of the SSID) and I have to define an ip-address/netmask for this wifi-interface.
Would the next step be to create a software-bridge with port2 and the wifi-interface as member ports?
As mentioned above my goal is to have the wifi-clients in the same network as the clients connected to my lan (which is connected to port2).
Can somebody help? Thanks in advance for your assistance. :)
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If FAP management VLAN needs to be separated from non-tagged LAN, the soft-switch would be the only option as you figured already.
Toshi
I configure it this way (but we are not using FortiAP). AP itself is in mgmt vlan with a specific vid just like yours. All Wifi Networks that are broadcasted have their own subnet AND vlan.
Ports on switch where AP is connected are vlan trunk with mgmt vid as pvid (i.e untagged in mgmt and tagged in all others). FortiGate then has vlan interfaces for all vlans so traffic is completely seperated.
Traffic between vlans/ports is maintained by policies (routing is already there itself because of the interfaces).
Works fine here even from wifi through ap + switch + FGT + ipsec to HQ :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
what would not work in my configuriation (without some proxy) is services that use udp broadcasting like bonjour or airprint. DHCP uses that too but the FGT can do DHCP relaying intself so this works.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I'm not sure about your network topology. But if outsider can come in to your LAN side to reach the FortiAP, you got a much bigger problem. Generally it's not allowed or blocked by the Fortigate. On WiFi side, first, guests and employee/corp accesses need to be separated by SSID and generally with subnets as well.
If you're worrying about somebody on the LAN hacking into your network devices like APs, vlan separation of management traffic would not be enough, because you likely have a policy allowing admin users on the LAN to access the management VLAN.
I regularly don't use "bridged" SSID so that SSID users can be in a separate subnet/VLAN per user group and put separate policies as necessary. If you do that you can put management connection on different subnet/VLAN.
Toshi
If FAP management VLAN needs to be separated from non-tagged LAN, the soft-switch would be the only option as you figured already.
Toshi
I configure it this way (but we are not using FortiAP). AP itself is in mgmt vlan with a specific vid just like yours. All Wifi Networks that are broadcasted have their own subnet AND vlan.
Ports on switch where AP is connected are vlan trunk with mgmt vid as pvid (i.e untagged in mgmt and tagged in all others). FortiGate then has vlan interfaces for all vlans so traffic is completely seperated.
Traffic between vlans/ports is maintained by policies (routing is already there itself because of the interfaces).
Works fine here even from wifi through ap + switch + FGT + ipsec to HQ :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
what would not work in my configuriation (without some proxy) is services that use udp broadcasting like bonjour or airprint. DHCP uses that too but the FGT can do DHCP relaying intself so this works.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thanks for your information :-).
Do you think it is a security risk to put a FortiAP in a vlan where the notebooks of the employees are connected to?
I had the idea to take a separate vlan as the manamenent-vlan of the FortiAPs because the employees or foreign (criminal) persons could try to hack one or several FortiAPs.
Do you understand what I mean?
I'm not sure about your network topology. But if outsider can come in to your LAN side to reach the FortiAP, you got a much bigger problem. Generally it's not allowed or blocked by the Fortigate. On WiFi side, first, guests and employee/corp accesses need to be separated by SSID and generally with subnets as well.
If you're worrying about somebody on the LAN hacking into your network devices like APs, vlan separation of management traffic would not be enough, because you likely have a policy allowing admin users on the LAN to access the management VLAN.
I regularly don't use "bridged" SSID so that SSID users can be in a separate subnet/VLAN per user group and put separate policies as necessary. If you do that you can put management connection on different subnet/VLAN.
Toshi
@Toshi_Esumi wrote:If you're worrying about somebody on the LAN hacking into your network devices like APs, vlan separation of management traffic would not be enough, because you likely have a policy allowing admin users on the LAN to access the management VLAN.
In my network the admin users have an own vlan and ip-subnet. So if I put the FortiAPs in a seperate (management)-vlan (with own ip-subnet), I would only allow the ip-subnet of the admin users to access the FortiAP.
Then I have the possibility to bridge the wifi-interface into the lan of the normal users. I want the wifi-network of the employees in the same L2-segment because applications which use broadcasts will work then.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.