I think you already figured out how to set up tunnel mode SSIDs with separate subnets based on the interface screen you attached. They're just interfaces so that you can build policy sets to wherever you want to connect them to.
What version of firmware is running on FAP221C and FG90D?
FG90D - v5.2.4,build688
Both APs - v5.2,build245
I tested a little with FG60D(5.2.3) and FAP221B(5.2.4) with static IP on the FAP. It connects just fine with the IP I configured. Are you sure you allowed "capwap" tunnel on your internal1 interface, where you're intending to terminate the tunnels from those APs?
Is your 60D a PoE? I think I've come to the conclusion it's impossible unless I start all over and put the FortiGate back into "Switch Mode" and implement a VLAN switch to communicate between the 2 ports. I've factory reset the AP that I added the static address to and I'm going to use the "Zero Configuration" mode for now. As soon as I get a spare 90D to play with I'm going to try it in "Switch Mode". Thanks for all your help!
No PoE. Using an AC power adapter. I don't know about 90D but with 60D it changed the internal switch configuration after 5.2.2 or 5.2.3. So all internal interfaces (7 of them) are bound to "internal" with hard-switch (virtual-switch). I split it to have a different virtual-switch interface for APs.