Possible to bridge interface or vlan to ssid at fortigate and not fortiap

brianmac64 · ‎01-23-2014

Just wondering if it is possible to bridge interface/vlan to ssid at the fortigate instead of at the fortiap?

moo?

Bromont_FTNT · ‎01-23-2014

Not sure exactly what you need but bridge mode bridges at the AP, tunnel mode goes to the VAP interface on the Fortigate.

brianmac64 · ‎01-27-2014

ORIGINAL: Bromont Not sure exactly what you need but bridge mode bridges at the AP, tunnel mode goes to the VAP interface on the Fortigate.

Thanks for your reply. Yes, I am aware of fortiAP local bridging, but was curious if there was a way to bridge SSID with interfaces or vlans that terminate at the controlling FortiGate and not the FortiAP? In regards to the FortiAP local bridging, do you know how many local bridge SSIDs are supported per FortiAP? I seem to recall that only 1 was possible per fortiap but am having a hard time tracking that document down. Thanks EDIT: spelling

moo?

Bromont_FTNT · ‎01-27-2014

You mean bridge the SSID to the internal interface (or other ports) on the Fortigate? You' d need to create a software switch in the Interface menu after which you' d add the SSID and the other interfaces you' d like to add. Any interface you want to add to the software switch must be free of any configs such as DHCP or firewall policies. I believe when local FortiAP bridge was first introduced there was a limit of 1 bridge mode SSID but I believe you can add more now although I' d have to test again to be sure.

brianmac64 · ‎01-27-2014

ORIGINAL: Bromont You mean bridge the SSID to the internal interface (or other ports) on the Fortigate? You' d need to create a software switch in the Interface menu after which you' d add the SSID and the other interfaces you' d like to add. Any interface you want to add to the software switch must be free of any configs such as DHCP or firewall policies. I believe when local FortiAP bridge was first introduced there was a limit of 1 bridge mode SSID but I believe you can add more now although I' d have to test again to be sure.

Yep, you got it, and it makes sense. Will give it a try and post what I find. Thanks for your help, Bromont!!

moo?

Sean_Toomey_FTNT · ‎08-05-2014

One thing you will want to know is that software bridges are not hardware accelerated. That doesn' t matter on smaller units that don' t have an NP ASIC, but on larger units (200 series and up) you will end up sending all that traffic to the CPU, so just be forewarned. You can accomplish most connectivity needs by creating rules between the SSID interface and wired interfaces as needed, and adding multicast rules so things like AirPlay and AirPrint will work. See http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Firewall/cb_fw_airplay_airprint.html for an example. Thanks!

-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINETâ€” High Performance Network Security

baitken · ‎09-14-2014

I believe the limit of one bridged SSID per AP is a technical limitation rather than a FortiGate limitation. Doesn' t make much sense to have multiple SSIDs bridged to the same physical network.

Bromont_FTNT · ‎09-14-2014

Actually it does make sense if you implement vlans....

baitken · ‎09-15-2014

But as it is currently implemented the bridge is between an SSID and the physical network interface of the FortiAP. The FortiAP does not support 802.1q as far as I am aware.

Bromont_FTNT · ‎09-15-2014

It does support 802.1q, you can set the FortiAP management vlan, you can select the vlan ID for each bridged mode SSID and you can also configure dynamic vlan where a user gets assigned the vlan ID based on the value returned from the Radius server.

Possible to bridge interface or vlan to ssid at fortigate and not fortiap

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website