Hi All, hoping someone would be able to help.
I initially configured an FG-80F with 4 VLANs: ports 1-4 LAN (VLAN 167), port 5 CAM (VLAN 10), port 6 IoT (VLAN 20).
Then I added a FAP-433F, but since all ports were taken I removed port b from the FortiLink interface, set it to Ethernet trunk and manually assigned an IP to the FAP-433F, then configured SSIDs for LAN_167 (bridge), IoT_20 (bridge) and Guest VLAN 30 (tunnel) - no SSID for the CAM VLAN. All worked OK.
Then I received an FS-108E-FPOE and decided to move VLANs 10 and 20 onto it. Moving VLAN 10 (CAMs) was easy and all worked with no hiccups; moving VLAN 20 (IoT) presented an issue that I hope knowledgeable minds can help me with.
After moving the VLAN from the FG to the FS, wired IoT devices were OK but wireless IoT devices couldn't get an IP. I've tried moving port b back into the FortiLink interface and then configuring a VLAN on FortiLink for FAP management, but the FAP never gets an IP. If I create the FAP management VLAN on the switch instead, the FAP does get an IP and all wireless IoT devices get IPs and start to function, but then my wireless LAN VLAN 167 devices - whose VLAN resides on the FG, not the FS - can't get an IP.
I'd prefer, if possible, to keep the FAP connected to port b of the FG (to maximize port utilization) and have it serve wireless clients on both FG and FS VLANs.
I don't know what config info would be helpful, so please ask if something is missing. (Passphrases are redacted. Note for anyone reusing this config: wan1 has `set allowaccess https` enabled, which exposes the admin GUI on the WAN interface - restrict it with admin trusted hosts or remove it while troubleshooting.)
Interface:
config system interface
edit "wan1"
set vdom "root"
set mode dhcp
set allowaccess https
set ident-accept enable
set type physical
set monitor-bandwidth enable
set role wan
set snmp-index 1
config ipv6
set ip6-mode dhcp
set dhcp6-prefix-delegation enable
set ip6-dns-server-override disable
config dhcp6-iapd-list
edit 5
set prefix-hint ::/60
next
end
end
set dns-server-override disable
next
edit "wan2"
set vdom "root"
set mode dhcp
set type physical
set role wan
set snmp-index 2
next
edit "internal1"   (same stanza repeated for "internal2" through "internal6")
set vdom "root"
set type physical
set snmp-index 3
next
edit "a"
set vdom "root"
set type physical
set snmp-index 9
next
edit "b"
set vdom "root"
set type physical
set trunk enable
set alias "FAP-433 Trunk"
set snmp-index 10
next
edit "internal"
set vdom "root"
set ip 192.168.167.1 255.255.255.0
set allowaccess ping https ssh fabric
set type hard-switch
set alias "internal LAN"
set device-identification enable
set lldp-reception enable
set lldp-transmission enable
set role lan
set snmp-index 15
config ipv6
set ip6-mode delegated
set ip6-send-adv enable
set ip6-other-flag enable
set ip6-upstream-interface "wan1"
set ip6-delegated-prefix-iaid 5
set ip6-subnet ::1/64
config ip6-delegated-prefix-list
edit 1
set upstream-interface "wan1"
set delegated-prefix-iaid 5
set subnet ::/64
set rdnss 2601:586:c400:5240::1
next
end
end
next
edit "fortilink"
set vdom "root"
set fortilink enable
set ip 10.255.1.1 255.255.255.0
set allowaccess ping fabric
set type aggregate
set member "a"
set lldp-reception enable
set lldp-transmission enable
set snmp-index 16
set fortilink-split-interface disable
set switch-controller-nac "fortilink"
set switch-controller-dynamic "fortilink"
set swc-first-create 255
next
edit "wifi LAN"
set vdom "root"
set type vap-switch
set role lan
set snmp-index 19
next
edit "wifi IoT"
set vdom "root"
set type vap-switch
set role lan
set snmp-index 22
next
edit "wifi Guest"
set vdom "root"
set ip 10.30.1.1 255.255.255.0
set allowaccess ping fabric
set type vap-switch
set device-identification enable
set role lan
set snmp-index 20
config ipv6
set ip6-mode delegated
set ip6-send-adv enable
set ip6-other-flag enable
set ip6-upstream-interface "wan1"
set ip6-delegated-prefix-iaid 5
set ip6-subnet ::3:0:0:0:1/64
config ip6-delegated-prefix-list
edit 1
set upstream-interface "wan1"
set delegated-prefix-iaid 5
set subnet 0:0:0:3::/64
set rdnss 2606:4700:4700::1113 2606:4700:4700::1003
next
end
end
next
edit "internal CAM"
set vdom "root"
set ip 10.10.1.1 255.255.255.0
set allowaccess ping fabric
set device-identification enable
set role lan
set snmp-index 17
set switch-controller-igmp-snooping enable
config ipv6
set ip6-mode delegated
set ip6-send-adv enable
set ip6-other-flag enable
set ip6-upstream-interface "wan1"
set ip6-delegated-prefix-iaid 5
set ip6-subnet ::1:0:0:0:1/64
config ip6-delegated-prefix-list
edit 1
set upstream-interface "wan1"
set delegated-prefix-iaid 5
set subnet 0:0:0:1::/64
set rdnss 2606:4700:4700::1113 2606:4700:4700::1003
next
end
end
set interface "fortilink"
set vlanid 10
next
edit "internal IoT"
set vdom "root"
set ip 10.20.1.1 255.255.255.0
set allowaccess ping fabric
set device-identification enable
set role lan
set snmp-index 18
set switch-controller-igmp-snooping enable
config ipv6
set ip6-mode delegated
set ip6-send-adv enable
set ip6-other-flag enable
set ip6-upstream-interface "wan1"
set ip6-delegated-prefix-iaid 5
set ip6-subnet ::2:0:0:0:1/64
config ip6-delegated-prefix-list
edit 1
set upstream-interface "wan1"
set delegated-prefix-iaid 5
set subnet 0:0:0:2::/64
set rdnss 2601:586:c400:5242::1
next
end
end
set interface "fortilink"
set vlanid 20
next
end
config system physical-switch
edit "sw0"
set age-val 0
next
end
config system virtual-switch
edit "internal"
set physical-switch "sw0"
set vlan 167
config port
edit "internal1"
next
edit "internal2"
next
edit "internal3"
next
edit "internal4"
next
edit "internal5"
next
edit "internal6"
next
end
next
end
config wireless-controller vap
edit "wifi LAN"
set ssid "M-6"
set passphrase ENC XXX
set local-bridging enable
set schedule "always"
set vlanid 167
set alias "b"
set multicast-enhance enable
set igmp-snooping enable
next
edit "wifi IoT"
set ssid "IoT"
set passphrase ENC XXX
set local-bridging enable
set schedule "always"
set vlanid 20
set alias "b"
next
edit "wifi Guest"
set ssid "G-6"
set passphrase ENC XXX
set intra-vap-privacy enable
set schedule "always"
set quarantine disable
next
end
config system dhcp server
edit 1
set lease-time 86400
set dns-service local
set wifi-ac-service local
set ntp-service local
set default-gateway 192.168.167.1
set netmask 255.255.255.0
set interface "internal"
config ip-range
edit 1
set start-ip 192.168.167.10
set end-ip 192.168.167.200
next
end
next
edit 2
set dns-service local
set ntp-service local
set default-gateway 10.255.1.1
set netmask 255.255.255.0
set interface "fortilink"
config ip-range
edit 1
set start-ip 10.255.1.2
set end-ip 10.255.1.254
next
end
set vci-match enable
set vci-string "FortiSwitch" "FortiExtender"
next
edit 8
set lease-time 86400
set wifi-ac-service local
set ntp-service local
set default-gateway 10.30.1.1
set netmask 255.255.255.0
set interface "wifi Guest"
config ip-range
edit 1
set start-ip 10.30.1.2
set end-ip 10.30.1.200
next
end
set dns-server1 1.1.1.3
set dns-server2 1.0.0.3
next
edit 6
set dns-service default
set default-gateway 10.255.11.1
set netmask 255.255.255.0
set interface "quarantine"
config ip-range
edit 1
set start-ip 10.255.11.2
set end-ip 10.255.11.254
next
end
set timezone-option default
next
edit 7
set dns-service default
set default-gateway 10.255.12.1
set netmask 255.255.255.0
set interface "rspan"
config ip-range
edit 1
set start-ip 10.255.12.2
set end-ip 10.255.12.254
next
end
set timezone-option default
next
edit 9
set lease-time 300
set dns-service default
set default-gateway 10.255.13.1
set netmask 255.255.255.0
set interface "nac_segment"
config ip-range
edit 1
set start-ip 10.255.13.2
set end-ip 10.255.13.254
next
end
set timezone-option default
next
edit 10
set mac-acl-default-action block
set dns-service local
set wifi-ac-service local
set ntp-service local
set default-gateway 10.10.1.1
set netmask 255.255.255.0
set interface "internal CAM"
config ip-range
edit 1
set start-ip 10.10.1.30
set end-ip 10.10.1.40
next
end
next
edit 11
set dns-service local
set wifi-ac-service local
set ntp-service local
set default-gateway 10.20.1.1
set netmask 255.255.255.0
set interface "internal IoT"
config ip-range
edit 1
set start-ip 10.20.1.2
set end-ip 10.20.1.200
next
end
next
end
config system dhcp6 server
edit 1
set interface "fortilink"
next
edit 2
set interface "internal"
set dns-server1 xxx
next
edit 5
set interface "wifi Guest"
set dns-server1 2606:4700:4700::1113
set dns-server2 2606:4700:4700::1003
next
edit 6
set subnet 0:0:0:1::/64
set interface "internal CAM"
set upstream-interface "wan1"
set delegated-prefix-iaid 5
set ip-mode delegated
set dns-server1 2606:4700:4700::1113
set dns-server2 2606:4700:4700::1003
next
edit 4
set interface "internal IoT"
set dns-server1 2601:586:c400:5242::1
next
end
config system zone
edit "Internal LAN Zone"
set intrazone allow
set interface "internal"
next
edit "Outside Zone"
set interface "wan1"
next
edit "Internal IoT Zone"
set interface "internal IoT"
next
edit "Internal CAM Zone"
set interface "internal CAM"
next
edit "Internal Guest Zone"
set interface "wifi Guest"
next
end
config switch-controller managed-switch
edit "S108EFTQ22002755"
set name "FS-108E-FPOE"
set fsw-wan1-peer "fortilink"
set fsw-wan1-admin enable
set poe-detection-type 1
set version 1
set max-allowed-trunk-members 8
set dynamic-capability 0x00000000000000000009267594c2b9d7
config ports
edit "port1"
set speed-mask 207
set poe-capable 1
set vlan "internal CAM"
set untagged-vlans "quarantine"
set export-to "root"
set mac-addr ac:71:2e:65:a2:1f
next
edit "port2"
set speed-mask 207
set poe-capable 1
set vlan "internal CAM"
set untagged-vlans "quarantine"
set export-to "root"
set mac-addr ac:71:2e:65:a2:20
next
edit "port3"
set speed-mask 207
set poe-capable 1
set vlan "internal CAM"
set untagged-vlans "quarantine"
set export-to "root"
set mac-addr ac:71:2e:65:a2:21
next
edit "port4"
set speed-mask 207
set poe-capable 1
set vlan "internal CAM"
set untagged-vlans "quarantine"
set export-to "root"
set mac-addr ac:71:2e:65:a2:22
next
edit "port5"
set speed-mask 207
set poe-capable 1
set vlan "internal CAM"
set untagged-vlans "quarantine"
set export-to "root"
set mac-addr ac:71:2e:65:a2:23
next
edit "port6"
set speed-mask 207
set poe-capable 1
set vlan "internal IoT"
set untagged-vlans "quarantine"
set export-to "root"
set mac-addr ac:71:2e:65:a2:24
next
edit "port7"
set speed-mask 207
set poe-capable 1
set vlan "internal IoT"
set allowed-vlans "quarantine"
set untagged-vlans "quarantine"
set export-to "root"
set mac-addr ac:71:2e:65:a2:25
next
edit "port8"
set speed-mask 207
set poe-capable 1
set vlan "_default"
set allowed-vlans "quarantine"
set untagged-vlans "quarantine"
set export-to "root"
set mac-addr ac:71:2e:65:a2:26
next
edit "port9"
set speed 1000full
set speed-mask 216
set vlan "_default"
set allowed-vlans "quarantine"
set untagged-vlans "quarantine"
set export-to "root"
set mac-addr ac:71:2e:65:a2:27
next
edit "port10"
set speed 1000full
set speed-mask 216
set vlan "_default"
set allowed-vlans "quarantine"
set untagged-vlans "quarantine"
set export-to "root"
set mac-addr ac:71:2e:65:a2:28
next
end
next
end
The FortiLink interface is of type aggregate; all member ports of an aggregate FortiLink interface should be connected to the FortiSwitch. Connecting a FAP to one of those ports is not supported.
A hardware-switch interface, by contrast, does support connecting different devices to the ports under the same interface.
"Connecting FAP to one of the ports is not supported" - does that still apply if I remove that port from the FortiLink interface?
"Hardware switch interface type will support connecting different device to the ports under same interface" - can you please elaborate?
Can you please give an overview of the supported way to connect my devices to each other so that the FAP can serve VLANs on both the FG and the FS?
To answer your question, I need to see the network diagram.
You mentioned wired devices - how are they connected? Are they connected directly to the FGT, or to a third-party switch and then to the FGT?
It will be easier if you create a support ticket; we will verify your network diagram, current FGT config and requirements to assist you with the new requirement.
I do have a ticket open since the 12th, still waiting, so I figured I'd try the forum :) .... sigh