Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chocolateeater
New Contributor II

Created on ‎01-29-2023 12:10 PM

Bridged SSID not getting DHCP

Hi, all. 


I have two switches - Dell Powerconnect and Fortiswitch. There are several FortiAPs connected to both switches, broadcasting the same set of SSIDs.

 

All SSIDs that are tunneled are working fine on both switches. I have one SSID that is bridged to a LAN, as they need to be interconnected. When connecting to APs on the Powerconnect, everything works fine. But when connecting through the FortiSwitch, the clients cannot reach DHCP. Authentication is set to local, so everyone gets a connection.

 

I have attached a basic scheme of the setup. Could anyone point me towards what I am missing, here? Why cannot the clients connecting through FS get an IP?

 

SSID Tech.png

 

Labels:
3976
0 Kudos
10 REPLIES 10
ebilcari
Staff
Staff

Created on ‎01-30-2023 05:15 AM

When using a bridged SSID the users VLAN should be spanned across the switches. Is the user VLAN tagged on the switch ports connecting the APs and configured on FSW/Fortilink?

If you want to use the same VLAN on different ports of FGT you have to create software/hardware switch on FortiGate: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/100999/hardware-switch

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
3398
chocolateeater
New Contributor II
In response to ebilcari

Created on ‎02-22-2023 10:07 AM

Hi, ebilcari.

I have a SW switch enabled, but I think you are on to something. The VLAN (40) tagging the WLAN traffic was not defined as allowed on the Fortilink, and not on the ports that the APs are connected to.

I have now defined this, but it still does not work, so there is still something I'm missing - probably how to connect the traffic from the Fortilink to the SW switch. The VLAN defined on the Fortilink is not possible to include in the SW switch. Any ideas?

3344
0 Kudos
ebilcari
Staff
Staff
In response to chocolateeater

Created on ‎02-23-2023 12:38 AM Edited on ‎02-23-2023 12:39 AM

The trick is that the VLAN that can be included in a Software switch should be pure Layer 2, no IP configuration or address object should exist for that VLAN.

Try to create a new VLAN on FortiSwitch VLANs without selecting anything related to IP (Layer 3 configurations)

ebilcari_0-1677141362280.png

Layer 3 configuration should be done on Software switch interface only.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
3338
0 Kudos
chocolateeater
New Contributor II
In response to ebilcari

Created on ‎02-23-2023 03:17 AM Edited on ‎02-23-2023 03:22 AM

Hello, again.

This is how it's set up:

 

Fortiswitch VLAN:

chocolateeater_0-1677150509744.png

Fortiswitch port 1:

chocolateeater_1-1677150572813.png

Fortilink:

 

chocolateeater_5-1677151322318.png

 

The software switch:

chocolateeater_3-1677150926610.png

The point here is to bridge the "LKS Teknisk" to the "teknisk lan". 

 

There is no way to include "wlan_fl_teknisk" in the SW switch. Does not show in the include list.

 

 

 

3334
0 Kudos
ebilcari
Staff
Staff
In response to chocolateeater

Created on ‎02-23-2023 07:16 AM Edited on ‎02-23-2023 07:17 AM

the only way that prevents it, is if this VLAN has an IP configured or a address object attached to it by default. If that is the case than change the Role from LAN to Undefined and that search in Addresses and delete the Interface subnet referring to that interface. After that it will allow you to tie this interface to the software switch

 

ebilcari_0-1677165277700.png

 

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
3321
0 Kudos
chocolateeater
New Contributor II
In response to ebilcari

Created on ‎02-24-2023 01:41 AM

I changed the VLAN to Undefined role and removed the address object, but still not possible. Driving me kind of crazy. Should I open a support case?

 

The sw switch: 

 

chocolateeater_0-1677231647466.png

 

The VLAN interface:

chocolateeater_1-1677231701443.png

 

3313
0 Kudos
ebilcari
Staff
Staff
In response to chocolateeater

Created on ‎02-24-2023 04:49 AM Edited on ‎02-24-2023 04:50 AM

Try to delete this one and create a new VLAN for ID 40 and specify the role to Undefined before you save the settings, maybe the old one is tied with something else.

If you still can't attach it then you can create a support ticket.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
3306
0 Kudos
chocolateeater
New Contributor II
In response to ebilcari

Created on ‎02-24-2023 06:31 AM Edited on ‎02-24-2023 07:28 AM

OK, I deleted everything and started over. Renamed the interface (vlan_teknisk_i) to make sure. But, there is something corrupt here:

 

chocolateeater_0-1677247891681.png

 

Created a new sw switch. Now I can add all the interfaces, but it fails when I add the interface with VLAN 40, says it overlaps with the VLAN "vlan_teknisk_i".

 

Basically, it refuses to include the two interfaces in the same switch, as they have same VLAN ID. Even when the VLAN interface defined in the FortiSwitch has undefined role and no network info. 

3304
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎01-30-2023 01:31 PM

Hello Choco

Try configure a static IP on the client, then try ping your FGT and use sniffer to see if you are really on the same VLAN with your FGT.

 

AEK
AEK
3393
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.