Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Bridging SSID via VLANs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Anonymous
Not applicable
Created on 04-18-2022 06:32 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bridging SSID via VLANs
Hi all, I would greatly appreciate help in resolving a problem I have with FG-80F and FAP-433F both on 7.2.0 where I'm trying to bridge WiFi with local interface using VLANS, without software switch.
Configuration:
- System/Settings/VLAN switch mode: on
- ports 1-4 as "internal_LAN", VLAN Switch with VLAN 167. This interface is configured with an IP and DHCP. All hosts connecting to this IF get IP fine.
- ports 5-6 as "internal_IoT" - VLAN 50, I've tried different configs but for now it's unconfigured
- FAP is connected to FG port 4 (which is internal_LAN)
"WiFi_LAN" SSID for my LAN is configured as "bridge" and since it is physically connected to VLAN 167, it works fine bridging WiFi with LAN.
I'm trying to create a "WiFi_IoT" as bridge specifying "OPTIONAL VLAN ID" 50 and have it bridged with "internal_IoT".
Here is what I've tried so far.
Software switch: SS requires tunneling mode for SSID but then it's pretty easy, add SSID and unconfigured physical interfaces into it, configure SS with IP and DHCP and all connected get IP - done but not in bridge and no VLANs
I tried, deleting "internal_IoT" VLAN switch to free up ports 5 and 6, then creating a VLAN 50 subinterface for SS: remove IP and DHCP from SS, configure SS VLAN (50) with IP and DHCP, then if I specify "OPTIONAL VLAN ID" (50) for "WiFi_IoT" (which is a member of SS) - wifi clients get IP fine, but no matter what I do, physical interfaces 5 and 6 (which I added to SS for this config) never get served IP.
I tried creating VLAN SWITCH, adding 4 and 5 to it, then creating VLAN as subinterface with IP and DCHP but physical interfaces never get served by it.
I've tried creating VLAN SWITCH with ID 50 and no IP config, then adding it to SS but physical ports again never get served with IP
Since AP is physically connected to "internal_LAN", I tried setting VLANFORWARD as enabled for "internal_LAN" VLAN SWITCH thinking that it would pass traffic from AP tagged to other VLANs but no avail.
I've seen youtube where bridging SSIDs to VLANs in "bridge" mode and specifying "optional vlan id" was done but in that config AP was connected to FortiSwitch 108 which was then fortilinked to FG
Is there a way for me bridge SSIDs to FG using VLANs?
Solved! Go to Solution.
2 Solutions
Created on 04-22-2022 12:01 PM Edited on 04-22-2022 12:02 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, additional bridging would simply consist of the repetition of:
- set the "optional" VLAN ID for the bridged SSID
- create VLAN-SWITCH with the same VLAN-ID (solution #1) / or create another VLAN-interface on top of the HW-switch with the same VLAN-ID (solution #2)
And you're right about "wouldn't I need internal1 to assign IP to AP?". That's the part where I am not certain about solution #1. I suspect that the trunk-interface may not accept untagged traffic.
If you're willing to test this, and the trunk-interface indeed does not accept untagged frames from the FortiAP, then you could consider setting the management VLAN-ID for the FortiAP, as described in this KB . If you choose to go this way, then you will additionally need to make one more VLAN-switch with the same VLAN-ID. This would then be the place to configure the IP/subnet/DHCP for the FortiAP.
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
THANK YOU FOR YOUR HELP!
You were right - trunk port did not take untagged traffic from the AP.
I need another VLAN switch for FAP management but I couldn't add a trunk port into that switch and I dont have any more free ports to populate the switch with.
Here is what I ended up doing that worked (kind of):
- unset trunk for the port FAP is connected to, let's call it port "B"
created a new VLAN switch ("mgmt FAP") with ID 200, IP, and DHCP, populated with port "B" - FAP did not need any modifications, it obtained the IP from VLAN switch and came online but, as expected, none of bridged SSIDs worked
- without removing port "A" from the "mgmt FAP" switch, config system interface edit "B" set trunk enable
- all bridged SSIDs became visible to their respective VLANs and accepted clients
So, everything works as expected except no changes can be made to "mgmt FAP" switch UNLESS port "B" is unset trunk.
Is this normal?
I've tried, per article you referenced upstream, to configure FAP management for manual IP and VLAN but that configuration still requires a VLAN switch on FG, which, again, needs at least one interface that I dont have.
Is there a better way or did I miss anything?
- « Previous
-
- 1
- 2
- Next »
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your comment about switching "B" to trunk after configuring it as a VLAN-switch did seem like some unsupported edge-case that was only configurable by accident. The fact that it reverts after reboot is a further suggestion that it's not intended to work like that.
I'm glad to see you managed to get it working at least somehow, although it is clear that this is not perfect. FortiSwitch would've made this much easier. :)
Going forward, you could try reporting this in a TAC ticket. This could end up as an NFR, or at least make sure trunk isn't configurable like that to avoid causing issues in the future.
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How would you configure this setup with FortiSiwtch?
I have one on order for months but everything is back ordered nowadays. This setup in which everything hangs from FG is a temp config for me while I'm waiting for the FS to come in. I have a general idea how this config would look with FS but would love to hear your opinion.
Thank you
Created on 04-26-2022 07:50 AM Edited on 04-26-2022 07:52 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With a managed FortiSwitch, I would:
- create the virtual VLAN interfaces (they're just VLANs on top of the FortiLink interface)
- set the physical port's "native VLAN" to the FortiAP management network (accept&process FAP's own untagged frames)
- add an allowed VLAN(s) that matches the VLAN-ID(s) of the VLAN-IDs used by the bridged SSIDs (process wifi client traffic)
- set other switch ports to their relevant native VLANs as desired
And that should be it.
This is be a good starting point if you're looking for documentation.
One thing to remember is that you cannot switch together physical ports on FortiSwitch with physical ports on the FortiGate (at least not easily without jumping through hoops).
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, yes, that's how I was planning to reconfigure once the switch is in.
One more question, please, if you dont mind. See my interfaces screenshot. I'm planning to move "internal CAM" and "internal IoT" VLANS from FG to the switch once it arrives, so, their VLAN definition and configuration will be done in the switch VLANs - will I be able to access switch's VLANs in my zones and/or policies on FG?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming this will be a FortiGate-managed FortiSwitch, then yes. VLANs on FWS are treated like other virtual VLAN interfaces in FortiOS - you can put them in firewall policies, into zones, etc.
[ corrections always welcome ]
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,752 -
FortiClient
1,778 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
477 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
323 -
6.2
251 -
SSL-VPN
249 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
208 -
5.0
196 -
FortiNAC
191 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
106 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
84 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
60 -
Fortivoice
56 -
High Availability
56 -
FortiADC
54 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
Radius
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiGate-VM
19 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1740 | |
| 1108 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.