lovejit
New Contributor

I have 7 Forti APs connected in Tunnel Mode and Firewall is controller ....

Hello Guys,

I have some questions. I am doing VLAN design and adding a wireless VLAN where I can untag my FortiAPs.

My confusion is that FortiAPs are using a CAPWAP tunnel to reach the firewall, so does a separate VLAN for these APs make any difference or not?

My target is to separate wireless traffic from regular traffic.

Other thing: in tunnel mode I got the option to set the DHCP scope on the firewall, but how can I add another server as a DHCP server?

Thanks

1 Solution
Toshi_Esumi
SuperUser

There are two VLANs you're talking about. One for the AP connection, another for SSIDs. If you don't set a VLAN for the AP, the AP will be on the same non-tagged interface on the physical interface. It might be a member of a hard/soft-switch. If you want to separate the AP connection subnet from them, you have to use a VLAN.

The tunnel mode you're talking about is for SSIDs. If you want to use an outside DHCP server, you need either DHCP server relay or a VLAN spanned through your L2 network fabric. In this case, you need to use a VLAN on an SSID. It takes some good network designing if you want to use both as independent DHCP servers for separate sets of broadcast domains.

Also make sure your FG supports 7 APs and enough SSIDs, especially in tunnel mode. There are limitations per model.

lovejit

hello Toshi,

Yeah, I have a single VLAN for wireless (access points + Staff SSID). I am going to use two SSIDs, Guest and Staff. For the Guest SSID, I will use tunnel mode and set the DHCP scope on the firewall.

For the Staff SSID, I want to use the same wireless VLAN, set up relay mode and provide the DHCP server address. My concern is that I just see the IP/Network mask option in the SSID, not VLAN. How do I correlate an SSID with a specific VLAN?

Thanks

Toshi_Esumi

By the way, I haven't used this type of setting, so you should test it yourself to make sure it works, unless somebody else who's using this feature already chimes in with "yea" or "nay".

Toshi_Esumi

In our 5.4.8 GUI, I see "Optional VLAN ID" setting under WiFi Settings section in SSID config page.

lovejit

Do we need to define the VLAN on the firewall or just insert the VLAN number in this option?

Toshi_Esumi

If you use DHCP server relay, you don't need to span the VLAN. The relay part is an L3 connection, not L2. If you want to span the VLAN, you have to connect the broadcast domain to where the DHCP server is located. That's why I said it would take a good design.
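The design the thread converges on (a dedicated AP/CAPWAP VLAN, a Guest SSID served by the FortiGate's own DHCP scope, a Staff SSID using DHCP relay instead of a spanned VLAN), written out as FortiOS-style CLI. This is an added example and not configuration from the thread or from Fortinet; interface names, VLAN IDs and addresses are assumptions, and SSID security settings (WPA2 passphrase or RADIUS) are omitted.

```fortios
# Added example (not from the thread); interface names, VLAN IDs and addresses are assumptions.
# 1. Dedicated AP management / CAPWAP VLAN (untagged on the AP-facing switch
#    ports, tagged on the trunk to the FortiGate). Only CAPWAP and ping allowed.
config system interface
    edit "ap-mgmt"
        set vdom "root"
        set interface "internal"
        set vlanid 40
        set ip 10.40.0.1 255.255.255.0
        set allowaccess ping capwap
    next
end
# 2. Guest SSID in tunnel mode: the FortiGate serves the DHCP scope itself.
config wireless-controller vap
    edit "guest"
        set ssid "Guest"
    next
end
config system interface
    edit "guest"
        set ip 10.30.0.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set interface "guest"
        set default-gateway 10.30.0.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 10.30.0.10
                set end-ip 10.30.0.200
            next
        end
    next
end
# 3. Staff SSID in tunnel mode with DHCP relay (L3) to an external server,
#    so the staff subnet need not be spanned as a VLAN to where that server sits.
config wireless-controller vap
    edit "staff"
        set ssid "Staff"
    next
end
config system interface
    edit "staff"
        set ip 10.20.0.1 255.255.255.0
        set dhcp-relay-service enable
        set dhcp-relay-ip "10.10.10.5"   # assumed server; it needs a scope for 10.20.0.0/24
    next
end
```

With relay, the FortiGate must have a route to 10.10.10.5 and the DHCP server a return route to 10.20.0.0/24, since the relayed requests arrive from the SSID interface address rather than from a spanned broadcast domain. Both SSID subnets still need firewall policies toward the LAN and Internet; keep the ap-mgmt subnet out of those policies so only CAPWAP reaches the controller.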
