chocolateeater
New Contributor

Bridged SSID not getting DHCP

Hi, all. 


I have two switches - Dell Powerconnect and Fortiswitch. There are several FortiAPs connected to both switches, broadcasting the same set of SSIDs.

 

All SSIDs that are tunneled are working fine on both switches. I have one SSID that is bridged to a LAN, as they need to be interconnected. When connecting to APs on the Powerconnect, everything works fine. But when connecting through the FortiSwitch, the clients cannot reach DHCP. Authentication is set to local, so everyone gets a connection.

 

I have attached a basic scheme of the setup. Could anyone point me towards what I am missing here? Why can't the clients connecting through the FS get an IP?

 

SSID Tech.png

 

ebilcari
Staff

When using a bridged SSID, the users' VLAN should be spanned across the switches. Is the user VLAN tagged on the switch ports connecting the APs and configured on FSW/Fortilink?

If you want to use the same VLAN on different ports of the FGT, you have to create a software/hardware switch on the FortiGate: https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/100999/hardware-switch

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
chocolateeater

Hi, ebilcari.

I have a SW switch enabled, but I think you are on to something. The VLAN (40) tagging the WLAN traffic was not defined as allowed on the Fortilink, and not on the ports that the APs are connected to.

I have now defined this, but it still does not work, so there is still something I'm missing - probably how to connect the traffic from the Fortilink to the SW switch. The VLAN defined on the Fortilink is not possible to include in the SW switch. Any ideas?

ebilcari

The trick is that the VLAN that can be included in a Software switch should be pure Layer 2, no IP configuration or address object should exist for that VLAN.

Try to create a new VLAN on FortiSwitch VLANs without selecting anything related to IP (Layer 3 configurations).

ebilcari_0-1677141362280.png

Layer 3 configuration should be done on Software switch interface only.

- Emirjon
chocolateeater

Hello, again.

This is how it's set up:

 

Fortiswitch VLAN:

chocolateeater_0-1677150509744.png

Fortiswitch port 1:

chocolateeater_1-1677150572813.png

Fortilink:

 

chocolateeater_5-1677151322318.png

 

The software switch:

chocolateeater_3-1677150926610.png

The point here is to bridge the "LKS Teknisk" to the "teknisk lan". 

 

There is no way to include "wlan_fl_teknisk" in the SW switch. Does not show in the include list.

 

 

 

ebilcari

The only thing that prevents it is if this VLAN has an IP configured or an address object attached to it by default. If that is the case, then change the Role from LAN to Undefined, and then search in Addresses and delete the Interface subnet referring to that interface. After that, it will allow you to tie this interface to the software switch.

 

ebilcari_0-1677165277700.png

 

- Emirjon
chocolateeater

I changed the VLAN to Undefined role and removed the address object, but still not possible. Driving me kind of crazy. Should I open a support case?

 

The sw switch: 

 

chocolateeater_0-1677231647466.png

 

The VLAN interface:

chocolateeater_1-1677231701443.png

 

ebilcari

Try to delete this one and create a new VLAN for ID 40 and specify the role to Undefined before you save the settings, maybe the old one is tied with something else.

If you still can't attach it then you can create a support ticket.

- Emirjon
chocolateeater

OK, I deleted everything and started over. Renamed the interface (vlan_teknisk_i) to make sure. But, there is something corrupt here:

 

chocolateeater_0-1677247891681.png

 

Created a new sw switch. Now I can add all the interfaces, but it fails when I add the interface with VLAN 40, says it overlaps with the VLAN "vlan_teknisk_i".

 

Basically, it refuses to include the two interfaces in the same switch, as they have the same VLAN ID. Even when the VLAN interface defined in the FortiSwitch has an undefined role and no network info.

AEK
Honored Contributor

Hello Choco

Try configuring a static IP on the client, then try to ping your FGT and use the sniffer to see if you are really on the same VLAN as your FGT.

 

AEK