I wonder how others address this seemingly simple config using FG-80F with FS-108E-FPOE and FAP-433F. How would you connect/configure this (an overview will suffice):
My problem is where and how to connect the FAP. If a new FAP management VLAN is created on the SW and the FAP is connected to FS port 7, then VLAN 20 devices (wired and wireless) are OK but VLAN 10 wireless clients are not getting IPs; if the FAP management interface is created on the FG by removing port b from FortiLink, then VLAN 10 clients (wired and wireless) are OK but VLAN 20 wireless devices are not getting an IP.
Any info or pointers would be appreciated
If your FortiGate switch ports are always going to be separate from those on your FortiSwitch (i.e. FGT will always only have VLAN10 and FSW will always have only VLAN20 and other VLANs outside of VLAN10) then you can just keep VLAN10 off the FortiLink/FSW and manage it on the FGT switch ports only.
The caveat with that solution is that your WiFi clients will never be able to join VLAN10 directly. However, using Firewall Policies you can allow devices from other VLANs to access devices like printers in VLAN10 and vice versa.
If you want VLAN10 integrated on your FSW and FAP then you'll need to use the physical bridge link for VLAN10 between the FSW and the FGT as I described before. That way if you want WiFi Clients existing directly in VLAN10 you can have the FGT-connected devices also participating in VLAN10.
It might simplify things if you put your Wi-Fi clients into their own VLAN and use Firewall policies to allow access to/from the Wi-Fi VLAN and the other Wired VLANs. You can also join some of your VLANs into an Interface ZONE and in that case you do not need any policies to allow access to-from the VLANs.
Alright. FortiLink is tricky because while it allows you to manage all of your switch ports and AP from the FortiGate it does not manage or integrate the switchports that exist on the Firewall! VLAN 10 on the FortiSwitch has no knowledge of VLAN10 on the FortiGate.
So you either have to not use your switch ports on the Firewall or consider a couple of solutions:
- A separate physical link between a FortiSwitch port configured for VLAN10 connected to one of the FortiGate switch ports (which should be configured as untagged) to bridge and connect those two domains
- Running the FortiSwitch in standalone mode and bridging everything that way through the uplink
For the AP just connect it to the FortiSwitch port 7 and set up an AP MGMT network as the native VLAN and tag VLAN 10 and VLAN 20. Two SSIDs configured, one for VLAN10 wireless clients and one for VLAN 20 for other wireless clients.
@gfleming - thank you for a quick and tremendously informative response!
Running FS in standalone mode is out of the question, that puts this option to rest.
Now, are you saying that I can:
Will the above make FG aware of FS VLAN 20 or will it make FS aware of FG VLAN 10?
Close. I was suggesting you create a new VLAN for FortiAP management (FortiAP's will get an IP address in this VLAN and will be used for connecting back to the FortiGate for management). Let's call it VLAN40.
On FS Port 7 make VLAN40 native, FortiAP will connect to that port and receive an IP address from VLAN40 DHCP scope and communicate to FortiGate this way.
Port 7 will also have VLAN10 and VLAN20 tagged for wireless client access. It sounds like you have two wireless networks, right? So two SSIDs, one configured to be VLAN10 and another SSID to be VLAN20. When clients connect to either SSID their packets will be tagged for the respective VLAN and be connected appropriately.
If you want the ports 1-6 on the FortiGate to also participate in VLAN10 then keep them untagged, no VLAN configuration needed. Set a port on the FS (not port 7 because that's used for the AP). Perhaps port 6 or something. Native VLAN10 on port 6. Physically connect port 6 to port 1, 2, 3, 4, 5 or 6 on the FGT and this will naturally extend VLAN10 to the FortiGate switch ports.
Make sense?
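The design described in the two replies above (an AP management VLAN native on FS port 7 with VLAN10 and VLAN20 tagged, two bridge-mode SSIDs mapped to those VLANs, and a second FS port carrying VLAN10 untagged as the bridge link to the FortiGate switch ports), written out as FortiOS CLI. This is an added example, not configuration from the poster or from Fortinet documentation; it assumes FortiOS 7.x CLI syntax, that the FortiLink interface is named "fortilink" and that VLAN interfaces "VLAN10" and "VLAN20" already exist on it, and it uses a placeholder switch serial and constructed 10.40.0.0/24 addressing for the management VLAN.

```fortios
# --- Step 1: AP management VLAN (the "VLAN40" from the reply) on FortiLink ---
# Only ping and CAPWAP are allowed inbound here; the AP needs nothing else,
# and keeping management protocols off a VLAN that hosts APs limits exposure.
config system interface
    edit "AP-MGMT"
        set vdom "root"
        set ip 10.40.0.1 255.255.255.0      # constructed addressing
        set allowaccess ping capwap
        set interface "fortilink"
        set vlanid 40
    next
end

# --- Step 2: DHCP scope so the FortiAP gets an address in VLAN40 ---
config system dhcp server
    edit 0
        set interface "AP-MGMT"
        set default-gateway 10.40.0.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.40.0.100
                set end-ip 10.40.0.200
            next
        end
    next
end

# --- Step 3: FortiSwitch port roles ---
# port7: AP uplink. Native (untagged) = AP-MGMT, tagged = VLAN10 + VLAN20.
# port6: bridge link to a FortiGate switch port. Native = VLAN10, nothing tagged,
#        so only VLAN10 crosses into the FortiGate's own switch domain.
config switch-controller managed-switch
    edit "FS108E-SERIAL-PLACEHOLDER"       # replace with the real switch serial
        config ports
            edit "port7"
                set vlan "AP-MGMT"
                set allowed-vlans "VLAN10" "VLAN20"
            next
            edit "port6"
                set vlan "VLAN10"
            next
        end
    next
end

# --- Step 4: two SSIDs, each bridged to its VLAN ---
# local-bridging makes the AP put client frames on its Ethernet port with the
# given VLAN tag instead of tunnelling them to the FortiGate, which is what lets
# the VLAN10 SSID reach the FortiGate-side VLAN10 devices over the port6 link.
config wireless-controller vap
    edit "SALES"
        set ssid "SALES"
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-A-STRONG-PASSPHRASE"
        set local-bridging enable
        set vlanid 10
    next
    edit "OFFICE"
        set ssid "OFFICE"
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-A-STRONG-PASSPHRASE"
        set local-bridging enable
        set vlanid 20
    next
end
```

Once the AP has joined over VLAN40, `diagnose wireless-controller wlac -c wtp` should list it as connected; a client on the SALES SSID should then receive an address from whatever serves DHCP for VLAN10 on the FortiGate side, and one on OFFICE from the VLAN20 scope on FortiLink. The deliberate choice here is that port6 carries VLAN10 only: tagging VLAN20 or AP-MGMT on that link as well would quietly merge the management and client segments with the FortiGate switch ports, which defeats the point of separating them.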
YES YES YES, we are almost on the same page.
Sorry, I failed to indicate that my previous response was ONLY for the matter of joining domains - not FAP connection.
Now, your response kind of answers almost all except one configuration discrepancy. My initial questions referred to 2 VLANS:
(see, we are talking about 2 separate wired networks)
With this, wouldn't the last paragraph in your last reply no longer apply? I would still need to free up one of the FG ports to make it untagged for linking the FG and FS domains, right? Will the FS port also need to be untagged?
If the FortiAP is connected to the Switch, as you recommended, will wifi clients tagged as VLAN 10 (SALES) reach their network on the FG?
As far as FortiAP - can I remove port b on FG from FortiLink making it physical (untagged) interface and connect FortiAP to it?
Copyright 2024 Fortinet, Inc. All Rights Reserved.