brianmac64
New Contributor

Possible to bridge interface or VLAN to SSID at FortiGate and not FortiAP

Just wondering if it is possible to bridge an interface/VLAN to an SSID at the FortiGate instead of at the FortiAP?
moo?
Bromont_FTNT
Staff

Not sure exactly what you need but bridge mode bridges at the AP, tunnel mode goes to the VAP interface on the FortiGate.
brianmac64

ORIGINAL: Bromont Not sure exactly what you need but bridge mode bridges at the AP, tunnel mode goes to the VAP interface on the FortiGate.
Thanks for your reply. Yes, I am aware of FortiAP local bridging, but was curious if there was a way to bridge SSID with interfaces or VLANs that terminate at the controlling FortiGate and not the FortiAP? In regards to the FortiAP local bridging, do you know how many local bridge SSIDs are supported per FortiAP? I seem to recall that only 1 was possible per FortiAP but am having a hard time tracking that document down. Thanks
EDIT: spelling
moo?
Bromont_FTNT
Staff

You mean bridge the SSID to the internal interface (or other ports) on the FortiGate? You'd need to create a software switch in the Interface menu after which you'd add the SSID and the other interfaces you'd like to add. Any interface you want to add to the software switch must be free of any configs such as DHCP or firewall policies. I believe when local FortiAP bridge was first introduced there was a limit of 1 bridge mode SSID but I believe you can add more now although I'd have to test again to be sure.
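The requirement above, that a software-switch member be free of DHCP and firewall-policy configuration, can be checked against a config backup before making the change. This is an added example, not code from the thread or from Fortinet; the config excerpt is constructed, the interface names are hypothetical, and it covers only the two reference types named in the post.

```python
import re

# Constructed FortiOS-style backup excerpt; all names and IDs are hypothetical.
SAMPLE_CONFIG = """
config system dhcp server
    edit 1
        set interface "internal"
        config ip-range
            edit 1
                set start-ip 192.168.1.110
            next
        end
    next
end
config firewall policy
    edit 7
        set srcintf "guest-ssid"
        set dstintf "wan1"
    next
end
"""

# Top-level sections and the keys in them that name an interface.
WATCHED = {"system dhcp server": {"interface"},
           "firewall policy": {"srcintf", "dstintf"}}

def find_blockers(config_text, candidates):
    """Map each candidate interface to the (section, entry, key) references
    that must be removed before it can join a software switch."""
    blockers = {}
    section, entry, depth = None, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # nested blocks (e.g. ip-range) keep the outer section
                section = line[len("config "):]
        elif line == "end":
            depth -= 1
            if depth == 0:
                section = None
        elif line.startswith("edit ") and depth == 1:
            entry = line[5:].strip('"')
        elif line.startswith("set ") and depth == 1 and section in WATCHED:
            key, _, rest = line[4:].partition(" ")
            if key in WATCHED[section]:
                # Assumes interface names are double-quoted, as in a backup file.
                for name in re.findall(r'"([^"]+)"', rest):
                    if name in candidates:
                        blockers.setdefault(name, []).append((section, entry, key))
    return blockers
```

An empty result for an interface means neither a DHCP server nor a firewall policy in the backup references it.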
brianmac64

ORIGINAL: Bromont You mean bridge the SSID to the internal interface (or other ports) on the FortiGate? You'd need to create a software switch in the Interface menu after which you'd add the SSID and the other interfaces you'd like to add. Any interface you want to add to the software switch must be free of any configs such as DHCP or firewall policies. I believe when local FortiAP bridge was first introduced there was a limit of 1 bridge mode SSID but I believe you can add more now although I'd have to test again to be sure.
Yep, you got it, and it makes sense. Will give it a try and post what I find. Thanks for your help, Bromont!!
moo?
Sean_Toomey_FTNT

One thing you will want to know is that software bridges are not hardware accelerated. That doesn't matter on smaller units that don't have an NP ASIC, but on larger units (200 series and up) you will end up sending all that traffic to the CPU, so just be forewarned. You can accomplish most connectivity needs by creating rules between the SSID interface and wired interfaces as needed, and adding multicast rules so things like AirPlay and AirPrint will work. See http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Firewall/cb_fw_airplay_airprint.html for an example. Thanks!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
baitken
New Contributor

I believe the limit of one bridged SSID per AP is a technical limitation rather than a FortiGate limitation. Doesn't make much sense to have multiple SSIDs bridged to the same physical network.
Bromont_FTNT
Staff

Actually it does make sense if you implement vlans....
baitken
New Contributor

But as it is currently implemented the bridge is between an SSID and the physical network interface of the FortiAP. The FortiAP does not support 802.1q as far as I am aware.
Bromont_FTNT
Staff

It does support 802.1q. You can set the FortiAP management VLAN, you can select the VLAN ID for each bridged mode SSID, and you can also configure dynamic VLAN, where a user gets assigned the VLAN ID based on the value returned from the RADIUS server.