Datax_2502
New Contributor II

Bridge wireless-clients to lan + management-vlan for FortiAP

Hello friends,

 

I need some support in the configuration of a FortiAP.

 

I have a specific vlan (with vlan-id 99) for all FortiAPs connected to my FortiGate-firewall. This vlan

is the management-VLAN for the FortiAPs.

 

My goal is that the FortiAPs broadcast a wifi-network which is bridged to my lan-network (connected to port2 of the FortiGate-firewall). But how to configure it? If I choose "Bridge" as "Tunnel Mode" in the configuration of the SSID then the wireless-clients get an ip-address in the management-vlan of the FortiAPs.

 

If I choose "Tunnel" as "Tunnel Mode" I get a new (wifi)-interface on the FortiGate-firewall (with the name of the SSID) and I have to define an ip-address/netmask for this wifi-interface.

 

Would the next step be to create a software-bridge with port2 and the wifi-interface as member ports?

 

As mentioned above my goal is to have the wifi-clients in the same network as the clients connected to my lan (which is connected to port2).

 

Can somebody help? Thanks in advance for your assistance. :)

6 REPLIES
Toshi_Esumi
SuperUser

If FAP management VLAN needs to be separated from non-tagged LAN, the soft-switch would be the only option as you figured already.

 

Toshi

sw2090
SuperUser

I configure it this way (but we are not using FortiAP). The AP itself is in the mgmt vlan with a specific vid just like yours. All Wifi networks that are broadcast have their own subnet AND vlan.

Ports on the switch where the AP is connected are vlan trunks with the mgmt vid as pvid (i.e. untagged in mgmt and tagged in all others). The FortiGate then has vlan interfaces for all vlans so traffic is completely separated.

Traffic between vlans/ports is maintained by policies (routing is already there itself because of the interfaces). 

Works fine here even from wifi through ap + switch + FGT + ipsec to HQ :)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
SuperUser

What would not work in my configuration (without some proxy) is services that use udp broadcasting like bonjour or airprint. DHCP uses that too but the FGT can do DHCP relaying itself so this works.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Datax_2502
New Contributor II

Thanks for your information :-).

 

Do you think it is a security risk to put a FortiAP in a vlan to which the notebooks of the employees are connected?

 

I had the idea to use a separate vlan as the management-vlan of the FortiAPs because the employees or foreign (criminal) persons could try to hack one or several FortiAPs.

 

Do you understand what I mean?

Toshi_Esumi
SuperUser

I'm not sure about your network topology. But if an outsider can come into your LAN side to reach the FortiAP, you have a much bigger problem. Generally it's not allowed or is blocked by the FortiGate. On the WiFi side, first, guest and employee/corp access need to be separated by SSID and generally with subnets as well.

If you're worrying about somebody on the LAN hacking into your network devices like APs, vlan separation of management traffic would not be enough, because you likely have a policy allowing admin users on the LAN to access the management VLAN.

I regularly don't use "bridged" SSIDs so that SSID users can be in a separate subnet/VLAN per user group and I can put separate policies on them as necessary. If you do that you can put the management connection on a different subnet/VLAN.

 

Toshi

Datax_2502

@Toshi_Esumi wrote:

If you're worrying about somebody on the LAN hacking into your network devices like APs, vlan separation of management traffic would not be enough, because you likely have a policy allowing admin users on the LAN to access the management VLAN.

In my network the admin users have their own vlan and ip-subnet. So if I put the FortiAPs in a separate (management) vlan (with its own ip-subnet), I would only allow the ip-subnet of the admin users to access the FortiAP.

 

Then I have the possibility to bridge the wifi-interface into the lan of the normal users. I want the wifi-network of the employees in the same L2-segment because applications which use broadcasts will work then.
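The design this thread converges on (a separate management VLAN for the FortiAPs as in the original question, a tunnel-mode SSID joined to port2 through a software switch as Toshi_Esumi suggested, and management access limited to the admin subnet as in the last reply), written out below as an added FortiOS CLI example. It is not configuration posted by any participant and not Fortinet documentation. Interface names (port1, port2, admin-vlan), VLAN 99, the subnets, the passphrase and the SSID name are constructed; the keyword that permits AP discovery under `allowaccess` (CAPWAP or Security Fabric, depending on the FortiOS release) is deliberately not spelled out, so check `set allowaccess ?` on your own unit.

```fortios
# Added example, constructed for this thread (not from any post or from Fortinet).
# Assumptions: port1 carries the tagged FAP management VLAN 99, port2 is the
# employee LAN, admin workstations sit on an existing interface "admin-vlan"
# with subnet 10.50.0.0/24, and wifi clients should land in the port2 segment.

# 1. Management VLAN for the FortiAPs, separate from the untagged LAN.
config system interface
    edit "fap-mgmt"
        set vdom "root"
        set interface "port1"
        set vlanid 99
        set ip 10.99.0.1 255.255.255.0
        # Keep admin services (https/ssh) off this interface. Add only ping and
        # the AP-discovery option of your release (CAPWAP or fabric; the name
        # differs between FortiOS versions, see `set allowaccess ?`).
        set allowaccess ping
    next
end

# DHCP for the APs themselves, scoped to the management VLAN only.
config system dhcp server
    edit 0
        set interface "fap-mgmt"
        set default-gateway 10.99.0.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.99.0.10
                set end-ip 10.99.0.100
            next
        end
    next
end

# 2. Tunnel-mode SSID. The FortiGate creates an interface with the SSID name;
#    leave it without an IP address so it can become a software-switch member.
config wireless-controller vap
    edit "employee-wifi"
        set ssid "Employees"
        set local-bridging disable
        set security wpa2-only-personal
        set passphrase "CONSTRUCTED-CHANGE-ME"
        set schedule "always"
    next
end
# Assign "employee-wifi" to the AP profile (config wireless-controller
# wtp-profile) as usual; that step is unchanged and omitted here.

# 3. Software switch bridging port2 and the SSID interface into one L2 segment,
#    so wifi clients share the LAN broadcast domain (the stated goal).
#    port2 must not carry an IP or be referenced by policies before joining.
config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set type switch
        set member "port2" "employee-wifi"
    next
end
config system interface
    edit "lan-sw"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
end

# 4. Only the admin subnet may reach the AP management VLAN. No policy exists
#    from lan-sw to fap-mgmt, so employee notebooks and wifi clients fall into
#    the implicit deny; logging makes attempts visible.
config firewall address
    edit "admin-subnet"
        set subnet 10.50.0.0 255.255.255.0
    next
    edit "fap-mgmt-subnet"
        set subnet 10.99.0.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "admins-to-fap-mgmt"
        set srcintf "admin-vlan"
        set dstintf "fap-mgmt"
        set srcaddr "admin-subnet"
        set dstaddr "fap-mgmt-subnet"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH" "PING"
        set logtraffic all
    next
end
```

Two points worth checking after applying something like this: the software switch puts wifi clients and wired LAN clients in one broadcast domain, which is what makes Bonjour/AirPrint style services work but also means the only thing still separating those clients from the APs' management plane is the policy in step 4, so watch the traffic log on fap-mgmt for denied hits from lan-sw; and the FortiGate's own admin services should stay off lan-sw and fap-mgmt, reachable only from admin-vlan.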
