So I have the very config, yet on one SSID I get no IP ever (Vlan7) On Vlan1 I get IP from my main network 10.0.0x DHCP server (and NOT from FTG) Seb

VLAN1 is the default VLAN or ' straight' LAN. Whoever answers first to a DHCP request delivers first. It' s a bad idea to have 2 DHCP servers on the same LAN (or VLAN), you' re asking for trouble. So in your case: - remove the DHCP server on the FGT for VLAN1 - create a DHCP relay to your existing DHCP server - be sure that traffic can reach it! - connect a VLAN trunk with both VLAN1 and VLAN7 to the FGT ' port1' . Create a virtual interface with VLAN ID 7 on ' port1' . Create a DHCP server on that interface. - create policies to allow traffic from/to port1 and the new VLAN port. As port1 is part of VDOM1 you' ll have to setup all of this in this VDOM. If the other networks are on the root VDOM you need an inter-VDOM link and policies.

Correct, it is the very exact config that I have Yet I receive NO IP address from Fortigate when connected to SSID bound to Vlan7 Create a virtual interface with VLAN ID 7 on ' port1' . Does this interface have to have IP? or port1 has an IP? If port1 has to have an IP (192.168.188.254) then the virtual interface will not accept 192.168.188.252 Seb

No, it won' t. Networks on different router ports MUST be non-overlapping. Just choose a different address like 192.168.222.0/24. And yes, the ports, VLAN or physical, need to have an IP address. This address should be set as the gateway for this subnet. If you run DHCP, put it in the config there. All of this sounds like you' re really inexperienced with basic network stuff. Which makes me wonder how you' ll cope with the more complicated stuff like firewalling or UTM. You can do two things about this: - hire a professional who knows what he' s doing - read up on the documentation. I' ve posted the link to http://docs.fortinet.com so often that I' m about to get cramps. Get the FortiOS Handbook and read it. There' s one chapter on ' Basic setup' which will help you get started.

As to being inexperienced? Not necessary, you probably have guys doing this & only this day in day out I do the whole array of network stuff (mostly from A to Z) on my own And only have that many hours in a day for everything Most professionals I seen over the years can do ONE single thing, ask them something else & they fall apart (as it is way beyond what they do) Please do not tell me that having one subnet on Vlan, one on the port, another on Vdom link, another on root vdom, abother on Wan, another on IPsec, another on SSL VPN is not a complicated issue. if I had only to deal with Fortigate setup and nothing much else I would surely be a champ But thank you for your kind advice And I did read FortiOS handbook (in case) Seb

Well then, if you' ve read the Handbook and seen the examples then you should have noticed that you have to assign an IP address to an interface in order to create a route. And along those routes the traffic flows. But I guess we all have a lot of things to take care of; let' s not waste time in complaining. I surely didn' t mean to question your competence. But still I have the impression that your setup needs far more attention than can be delivered over the forum. I' m not really living around the corner but I surely know what I' m doing (as I' m doing it for my living). We haven' t started going into the Fortinet specific details yet. How far have you come with the hints from my first post? Is the DHCP server seeing requests at all? Is the line to port1/vlan-port def. a VLAN trunk? There are quite a few options why this doesn' t work.

I re-read the Vlan chapter & I am sure it will be easy to get working once I really have time to do it fully Only to say that the examples in manual are rather rubbish (stating Internal interface IP address) I do not know the other models, but 200B does not have Internal interface, each physical port is its own interface, hence all routing, policy access etc must be done for it Especially policies are complicated (even if the are only logic based) to get it all flowing Thanks for your help Seb

I do not know the other models, but 200B does not have Internal interface, each physical port is its own interface, hence all routing, policy access etc must be done for it

The FGT-200B comes per default with 8 ports combined into a switch - the interface is called ' switch' . On the contrary, if you need as many physical ports you have to break up the switch before doing anything else, i.e. before creating policies or address objects tied to the switch interface. Maybe you should have a look into the concept of a ' zone' which Fortinet offers to reduce complexity. You put multiple interfaces into a zone and from then on only deal with the zone. For example, you have several VPN tunnels defined in interface-mode and all are handled in the same way, policy-wise. A zone ' VPNs' would reduce the number of policies 1:n. The difference between a switch-interface and a zone is that zones are handled by CPU. One other difference is that a switch-interface shares Layer 2 broadcasts - you can put a physical port and a WLAN port into one switch-interface and thus have the same broadcast domain for both ports.