- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FG FS FAP stack and VLAN not getting DHCP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FG FS FAP stack and VLAN not getting DHCP
I wonder how others address this, seemingly, simple config using FG-80F with FS-108E-FPOE and FAP-433F. How would you connect/configure this (an overview will suffice):
- FG and FS on 7.2.3, FAP on 7.2.1
- All 6 ports of FG belong to a VALAN 10 for wired clients
- VLAN 10 also has wireless clients that should be bridged to its wired clients
- port 8 of FS is connected to FG port a via fortilink
- ports 1-6 of SW belong to VLAN 20 for wired clients
- VLAN 20 also has wireless clients that should be bridged to its wired clients
- So, for FAP only port 7 available on FS, and port b on FG (POE not necessary for FAP, could be powered by a power supply). In absolute worst case, port 6 of FG could be freed for FAP
My problem is where and how to connect FAP? If a new FAP management VLAN created on SW and FAP connected to FS port 7, then VLAN 20 devices (wired and wireless) are ok but VLAN 10 wireless clients not getting IPs; if FAP management interface is created on FG by removing port b from fortilink, then VLAN 10 clients (wired and wireless) are ok but VLAN 20 wireless devices not getting an IP.
Any info or pointers would be appreciated
Solved! Go to Solution.
Labels:
- Labels:
-
FortiAP
-
FortiGate
-
FortiSwitch
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your FortiGate switch ports are always going to be separate from those on your FortiSwitch (i.e. FGT will always only have VLAN10 and FSW will always have only VLAN20 and other VLANs outside of VLAN10) then you can just keep VLAN10 off the FortiLink/FSW and manage it on the FGT switch ports only.
The caveat with that solution is that your WiFi clients will never be able to join VLAN10 directly. However, using Firewall Policies you can allow devices from other VLANs to access devices like printers in VLAN10 and vice versa.
If you want VLAN10 integrated on your FSW and FAP then you'll need to use the physical bridge link for VLAN10 between the FSW and the FGT as I described before. That way if you want WiFi Clients existing directly in VLAN10 you can have the FGT-connected devices also participating in VLAN10.
It might simplify things if you put your Wi-Fi clients into their own VLAN and use Firewall policies to allow access to/from the Wi-Fi VLAN and the other Wired VLANs. You can also join some of your VLANs into an Interface ZONE and in that case you do not need any policies to allow access to-from the VLANs.
Cheers,
Graham
Graham
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alright. FortiLink is tricky because while it allows you to manage all of your switch ports and AP from the FortiGate it does not manage or integrate the switchports that exist on the Firewall! VLAN 10 on the FortiSwitch has no knowledge of VLAN10 on the FortiGate.
So you either have to not use your switch ports on the Firewall or consider a couple solutions:
- A separate physical link between a FortiSwitch port configured for VLAN10 connected to one of the FortiGate switch ports (which should be configured as untagged) to bridge and connect those two domains
- Running the FortiSwitch in standalone mode and bridging everything that way through the uplink
For the AP jjust connect it to the FortiSwitch port 7 and set up a AP MGMT network as the native VLAN and tag VLAN 10 and VLAN 20. Two SSIDs configured, one for VLAN10 wireless clients and one for VLAN 20 for other wireless clients.
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gfleming - thank you for a quick and tremendously informative response!
Running FS in standalone mode is out of the questions, that puts this option to rest.
Now, are you saying that I can:
- keep FS port 8 connected to FG port a for FortiLink
- configure FS port 7 as native VLAN 20 (did you make a typo in you response referring to this VLAN as 10?)
- remove FG port 6 from VLAN 10 (to make it untagged)
- connect FS port 7 to FG port 6
Will the above make FG aware of FS VLAN 20 or will it make FS aware of FG VLAN 10?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Close. I was suggesting you create a new VLAN for FortiAP management (FortiAP's will get an IP address in this VLAN and will be used for connecting back to the FortiGate for management). Let's call it VLAN40.
On FS Port 7 make VLAN40 native, FortiAP will connect to that port and receive an IP address from VLAN40 DHCP scope and communicate to FortiGate this way.
Port 7 will also have VLAN10 and VLAN20 tagged for wireless client access. It sounds like you have two wireless networks, right? So two SSIDs, one configured to be VLAN10 and another SSID to be VLAN20. When clients connect to either SSID their packets will be tagged for the respective VLAN and be connected appropriately.
If you want the ports 1-6 on the FortiGate to also participate in VLAN10 then keep them untagged, no VLAN configuration needed. Set a port on the FS (not port 7 because that's used for the AP). Perhaps port 6 or something. Native VLAN10 on port 6. Physically connect port 6 to port 1 or 2, 3 4 5 or 6 on the FGT and this will naturally extend VLAN10 to the FortiGate switch ports.
Make sense?
Cheers,
Graham
Graham
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YES YES YES, we are almost on the same page.
Sorry, I failed to indicate that my previous response was ONLY for the matter of joining domains - not FAP connection.
Now, your response kind of answer almost all except one configuration discrepancy. My initial questions referred to 2 VLANS:
- VLAN 10 resides on FG and, let's say, for SALES office network
- VLAN 20 resides on SW and for ACCOUNTING network
- Wireless clients should be accessible by wired clients of their respective VLANS: like, a desktop PC on VLAN 10 should be able to print to wireless printer on the same VLAN
(see, we are talking about 2 separate wired networks)
With this, wouldn't the last paragraph in your last reply not apply? I would still need to free up one of FG ports to make it untagged for linking FG and FS domains, right? Will the FS port also need to be untagged?
If FortiAP connected to the Switch, as you recommended, will wifi clients tagged as VLAN 10 (SALES) reach their network on FG?
As far as FortiAP - can I remove port b on FG from FortiLink making it physical (untagged) interface and connect FortiAP to it?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your FortiGate switch ports are always going to be separate from those on your FortiSwitch (i.e. FGT will always only have VLAN10 and FSW will always have only VLAN20 and other VLANs outside of VLAN10) then you can just keep VLAN10 off the FortiLink/FSW and manage it on the FGT switch ports only.
The caveat with that solution is that your WiFi clients will never be able to join VLAN10 directly. However, using Firewall Policies you can allow devices from other VLANs to access devices like printers in VLAN10 and vice versa.
If you want VLAN10 integrated on your FSW and FAP then you'll need to use the physical bridge link for VLAN10 between the FSW and the FGT as I described before. That way if you want WiFi Clients existing directly in VLAN10 you can have the FGT-connected devices also participating in VLAN10.
It might simplify things if you put your Wi-Fi clients into their own VLAN and use Firewall policies to allow access to/from the Wi-Fi VLAN and the other Wired VLANs. You can also join some of your VLANs into an Interface ZONE and in that case you do not need any policies to allow access to-from the VLANs.
Cheers,
Graham
Graham
Related Posts
- New FortiGate 60F- Assigns me IP... 119 Views
- Fortiproxy BSOD Netio.sys 91 Views
- ipv6 - internal lan interface cannot... 171 Views
- VPN connected clients only allowed to... 127 Views
- Trouble Receiving DHCP Packet Over S2S... 219 Views
Labels
-
FortiGate
6,438 -
FortiClient
1,282 -
5.2
801 -
5.4
639 -
FortiManager
560 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
330 -
FortiAP
325 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
63 -
Wireless Controller
57 -
SSL-VPN
52 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
17 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.