Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

FAP 221C multiple bridged and tunneled SSIDs Policy problems


I have the following situation:

I have configured my FAPs so that some SSIDs use tunnel mode. To supply internet access for these SSIDs I set up a policy saying Incoming "WLAN SSID" -> Outgoing WAN2, all Services, anytime, NAT.


I have a WAN2 port, which is set up as a default route, but has a lower priority than WAN1, which is used for the desktop PCs. The idea is to use WAN2 for the WLAN access (tunnel mode), and WAN1 for the PC network.


To make the WLAN SSIDs (tunnel mode) use the WAN2 port, I additionally configured policy routes which say that all traffic coming from the SSIDs' IP ranges has to go out to the Internet via the WAN2 port / WAN2 gateway, which works well.


Now, if I want to set up another SSID which should use the WAN1 port for the connection to the internet, I do not get access to the WWW. In my opinion it should work if I a.) set up the SSID in tunnel mode and add a policy which says that this SSID (incoming) should NAT via WAN1 (outgoing), all services, anytime - but it didn't.


Is this kind of configuration possible?

Are multiple SSIDs in tunnel mode and bridged mode supported?





Once you create wireless SSIDs, they are treated similarly to other wired interfaces on the FGT. I tried the following config on my setup and it works for me.

ssid1(tunnel)-------FGT----WAN1 (



1) default route points to wan1

2) add a policy route for ssid2 traffic to go out through wan2

3) add ipv4 policy to allow ssid1---wan1 and ssid2---wan2

4) connect wireless stations to both SSIDs and start ping


The following capture shows that packets from ssid1 and ssid2 go out from the right interfaces.


FWF51E3U15000106 # diagnose sniffer packet wan2 icmp
interfaces=[wan2]
filters=[icmp]
0.639035 -> icmp: echo request
0.645582 -> icmp: echo reply
1.698976 -> icmp: echo request
1.700784 -> icmp: echo reply

FWF51E3U15000106 # diagnose sniffer packet wan1 icmp
interfaces=[wan1]
filters=[icmp]
0.878268 -> icmp: echo request
0.879787 -> icmp: echo reply
1.882986 -> icmp: echo request
1.884527 -> icmp: echo reply
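The four steps in the reply above, written out as FortiOS CLI, with the checks that show which WAN interface each SSID's traffic actually takes. This is an added example, not the replier's or the original poster's configuration: the tunnel-mode SSID interface names "ssid1" and "ssid2", the subnets 10.10.1.0/24 and 10.10.2.0/24, and the gateway addresses 203.0.113.1 (wan1) and 198.51.100.1 (wan2) are assumed values.

```fortios
# Added example (not the forum poster's config). Assumed names/addresses:
#   ssid1 (tunnel-mode VAP) = 10.10.1.0/24, should leave via wan1
#   ssid2 (tunnel-mode VAP) = 10.10.2.0/24, should leave via wan2
#   wan1 gateway 203.0.113.1, wan2 gateway 198.51.100.1

# Step 1: default route via wan1 (distance 10, priority 0 = preferred)
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 0
    next
end

# Step 2: policy route so that only ssid2 clients leave via wan2.
# Policy routes are consulted before the routing table, so ssid1 keeps
# following the default route out of wan1 and needs no policy route.
config router policy
    edit 1
        set input-device "ssid2"
        set src "10.10.2.0/255.255.255.0"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end

# Step 3: one NAT policy per SSID/WAN pair. A policy route alone is not
# enough: if no policy matches srcintf/dstintf the session is dropped.
config firewall policy
    edit 10
        set name "ssid1-to-wan1"
        set srcintf "ssid1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 11
        set name "ssid2-to-wan2"
        set srcintf "ssid2"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Step 4: verification. Confirm the policy route and routing table are
# installed, then watch which WAN carries the echo requests from each SSID
# while a client on ssid1 and a client on ssid2 ping an internet host.
diagnose firewall proute list
get router info routing-table all
diagnose sniffer packet wan1 'icmp' 4
diagnose sniffer packet wan2 'icmp' 4
```

If a client on ssid2 still shows up in the wan1 capture, the policy route is not matching (wrong input-device or src subnet); if it shows up in neither capture, the firewall policy lookup is failing, which is the case the original poster describes for the SSID that should use WAN1.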


Hi and thank you for your reply.


I tried to rebuild your setup, but I get stuck at the beginning.


In my opinion the following config should work so that the WLAN devices get internet access via WAN1 (default route).


The config is as follows:

Default route via WAN1 to the Internet, admin distance 10, priority 0 (highest). (Info: the default route is working, as all PCs on the LAN are able to surf via WAN1)


IPv4 Policy:

Incoming WLAN SSID ->  Outgoing WAN1, Source all, Destination all, Service all, NAT


If I am right, there is no need for a policy route for this.


The WLAN devices are not able to browse the Internet in this config (or ping


Is the config ok?



Update: After Rebooting the FGT, the configuration is working. This is not the first time this happens.


Very strange behaviour. :(


Thanks for your update. I was just going through your config/comments etc. I work on the wireless side and am not that familiar with all the features on the FGT. From the FGT point of view, a wireless interface is pretty much similar to a wired interface.

