
VLAN Tagging / Single port routing advice

I have a Fortigate 80F. Right now we have it set up so that internal1 is our LAN access and uses WAN1 by default, with a link monitor set up to fail over to WAN2 if WAN1 goes down, and then move back to WAN1 when the link is restored.


On internal2, I have my Cisco Meraki switch plugged in. The Meraki setup currently has 3 different SSIDs broadcasting. Through a policy route in the Fortigate, internal2 gets internet access through WAN2 with a failover to WAN1, the same way as above, just in reverse.


What I am trying to accomplish now is, through that single port, to allow SSID1 and SSID2 to use WAN1 by default and fail over to WAN2 during an outage, while keeping SSID3 in the configuration already in place on internal2 (WAN2, then WAN1 as backup). SSID1 and SSID2 cannot be allowed to talk to other networks for PCI compliance. These are credit card pinpad readers on SSID1 and 2.


Is the best way to go a single-cable setup and some kind of VLAN tagging? Or would it be better to set up another port on the Meraki to be how SSID1 and 2 go out, so I can just run a cable to our LAN switch, which would essentially achieve the same thing because the LAN is already set up with WAN1-->WAN2 failover.


Any tips, or best practice suggestions will be greatly appreciated!



I would isolate each SSID to one VLAN and then perform routing based on the subnet prefixes.


That would:

1. Give you the possibility to granularly control traffic to/from these SSIDs

2. Give you the possibility to granularly control the route towards the Internet (depending on which WAN interface has failed)


1. Enable VLAN tagging on the Fortigate

2. Enable VLAN tagging on the switch

3. Assign SSIDs to the appropriate VLAN on the AP/switch

4. Configure VLAN interfaces on the Fortigate

5. Configure policies, routes, etc.
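As an added illustration of steps 4 and 5 (this is not config from the thread or from Fortinet): a FortiOS CLI sketch that puts the three SSIDs on VLAN sub-interfaces of internal2 and blocks the pinpad VLANs from everything except the WAN side. VLAN IDs 10/20/30, the 10.10.x.0/24 subnets and the interface names are assumed placeholders.

```fortios
# Added example; VLAN IDs, subnets and names are assumed placeholders.
# Step 4: one 802.1Q sub-interface per SSID on the trunk to the Meraki.
config system interface
    edit "ssid1_vlan10"
        set interface "internal2"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
    next
    edit "ssid2_vlan20"
        set interface "internal2"
        set vlanid 20
        set ip 10.10.20.1 255.255.255.0
    next
    edit "ssid3_vlan30"
        set interface "internal2"
        set vlanid 30
        set ip 10.10.30.1 255.255.255.0
    next
end
# Step 5: policies are matched top-down, so the deny is created first.
# The pinpad VLANs (PCI scope) may reach only the WAN interfaces; logging
# the deny gives an audit trail of any lateral attempt.
config firewall policy
    edit 0
        set name "pinpad-deny-internal"
        set srcintf "ssid1_vlan10" "ssid2_vlan20"
        set dstintf "internal1" "ssid3_vlan30"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "pinpad-internet"
        set srcintf "ssid1_vlan10" "ssid2_vlan20"
        set dstintf "wan1" "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

With both WAN interfaces in dstintf, SSID1/2 simply follow the default route, which the existing link monitor already moves between WAN1 and WAN2; the existing internal2 policy route only needs its input-device changed to "ssid3_vlan30" so SSID3 keeps preferring WAN2.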




You may want to consider leveraging the FortiGate SD-WAN feature for your use case. It greatly simplifies the type of configuration you are trying to accomplish.


But yes, as @aahmadzada mentioned, the best option is to use VLANs and tagging to isolate all the SSIDs so you can control the traffic as needed.