Spirou_
New Contributor

FortiWiFi 60D (FortiOS 5.6) - bridge WiFi SSID to a VLAN

Hello to all

 

 

I got myself a Fortinet FortiWiFi 60D a few days ago. After getting in touch with a Fortigate 100D at work, I thought the interface was quite well thought out. That made me think to buy a Fortigate at home too. I wanted to upgrade my home network with some VLANs and routing/advanced firewalling between them.

 

In the few days I have had this device, I already found out that you cannot configure VLANs going out on trunk ports AND configure VLAN access ports (traffic for only one of the VLANs - untagged), so I already figured out I need a little managed switch together with the FortiWiFi to get simple access to the VLANs at the FortiWiFi's location. Trunking is absolutely needed because I only have one cable going to another switch (which serves all the upper rooms), and then I only have one cable going to a wireless router serving as AP (wireless & 4 x Eth). But no problem, I will configure all the VLANs on a hardware switch of two (trunk) ports (trunk-switch). I'm using another hardware switch of 4 ports for my incoming connection from my ISP. I'm using it to provide WAN connection to the FortiWiFi, but also to provide direct WAN access to my IPTV-vlan (tn-vlan, Telenet which is the ISP). The IPTVs do need to have direct access to the incoming WAN connection so I'm using a VLAN with 3 access ports (1 WAN in, 2 IPTV out). DMZ is being used as the management interface, and WAN2 and port 5 are still available.

 

So far so good... Got my different VLANs, and the only disadvantage of the FortiWiFi up until now is that I cannot combine trunk ports with VLAN access ports, so I need an extra managed switch. But then I want to configure the built-in WiFi (remember, it's a FortiWiFi). I don't have any other Fortinet APs, so I'm just using the built-in one of the FortiWiFi.

 

I want to create one SSID (Hund49), which in fact will be bridged onto VLAN 10 - cl-vlan. So I want to get my WiFi clients in the same network with the same DHCP server (FortiWiFi at the VLAN interface) as my LAN clients. I didn't find a lot of information on the internet about bridging an SSID on the FortiWiFi (only with managed Fortinet APs). The steps I followed are: creating an SSID, choosing "bridged to AP" as a mode, setting it up with the right VLAN ID. Then trying to couple this SSID to the active (& only) FortiAP profile. When adding it there manually to the SSIDs list, I'm getting an error "Entry not found". In the CLI I'm getting an error too.

 

 

I could make a WiFi interface (as shown in the picture), and add a new VLAN just for the WiFi clients (I kept VLAN 20 free for this). But if I do this I also need to include this VLAN 20 on the trunk ports (trunk-switch) because the same VLAN ID is used two switches further as the second WiFi of the house. I'm not seeing how to get the same VLAN on the WiFi and on the trunk ports together.

 

I must be missing something very stupid, so I hope to get an answer on this forum.

 

Thanks

5 REPLIES 5
Toshi_Esumi
SuperUser

I might be mistaken, but WiFi on FortiWiFi doesn't bridge, because bridging was originally developed so that WiFi traffic from APs doesn't have to get to the controller but goes directly out to the local LAN the AP is connected to.

I'll wait if someone says NO.

brycemd

I would guess you would need to create a software switch with the SSID and the trunk ports, since VLANs aren't meant to traverse layer 3.

I haven't worked with the internal WiFi before, only actual APs, but it should work.

Spirou_

A software switch isn't possible, I'm not getting the trunk-switch as an option to couple with the WiFi (don't know exactly why, might be because of the trunk-switch ports being trunk ports). There must be some possibility to bridge the WiFi to a VLAN, I hope. It's a very good (range of) products, but not extremely flexible...
brycemd

An interface can't have any references if it is to be added to a new hardware/software switch, since any policy/IP it has would no longer be relevant in the switch/zone/interface. You have to delete the hardware switch and have both interfaces free. Create a software switch with interface 6, 7, and the SSID.

Spirou_

This answer helped me to the right solution. I couldn't delete the hardware switch and make a new software switch between ports 6, 7 & WiFi because I have to set my VLANs on this interface level. And I don't want the trunked traffic to come out of the WiFi interface. But your remark about "no IP" before you can use something in a software switch made me try to delete the IP settings from the VLAN 10 (cl-vlan) first, one of the VLANs of the trunk-switch. With no interface IP, this VLAN became an option to software switch with the WiFi interface. Then I set up the interface IP and DHCP on the level of the new software switch (cl-vlan with WiFi interface) and everything is working! Thanks a lot for your help.
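
The sequence described in the last post, written out as FortiOS CLI. This is an added example, not configuration posted by anyone in the thread. The SSID interface name `wifi-ssid`, the software switch name `cl-sw`, the DHCP server ID and all addresses are constructed placeholders; only `cl-vlan` (VLAN 10) comes from the thread.

```fortios
# Added example; "wifi-ssid", "cl-sw", the DHCP server ID and all
# addresses below are constructed placeholders.

# 1. Free the VLAN interface. First remove everything that references
#    cl-vlan (firewall policies, its DHCP server), then clear its IP.
#    The SSID interface must be equally free of IP, DHCP and policies.
config system interface
    edit "cl-vlan"
        set ip 0.0.0.0 0.0.0.0
    next
end

# 2. Bridge the VLAN sub-interface and the SSID interface at layer 2.
#    Only VLAN 10 is a member, so the other trunked VLANs never reach
#    the wireless side.
config system switch-interface
    edit "cl-sw"
        set vdom "root"
        set member "cl-vlan" "wifi-ssid"
    next
end

# 3. Put the gateway IP on the software switch itself.
config system interface
    edit "cl-sw"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
    next
end

# 4. Serve DHCP from the software switch so wired and wireless
#    clients share one scope.
config system dhcp server
    edit 1
        set interface "cl-sw"
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.10.100
                set end-ip 192.168.10.200
            next
        end
    next
end
```

After this change the wired VLAN 10 clients and the WiFi clients are one layer 2 segment, so firewall policies have to reference `cl-sw` rather than `cl-vlan`, and they apply to both groups alike.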