Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tanr
Valued Contributor II

Fortigate managed FortiAP with tunnelled SSID fails connection if given VLAN

Hi All,

 

I'm managing a single FortiAP 320C from a FortiGate 300D.  Both v5.4.1.

 

The AP management communication is over a vlan (wifi-comm.v).  The switch interface the FAP is on tags any untagged frames as being in the wifi-comm.v vlan.  The management works fine.

 

The FAP has a couple bridged SSIDs, with their own vlans.  The switch interface the FAP is on allows those vlans, tagged only. This all works fine.

 

I've added a couple tunnelled SSIDs, with DHCP and with the SSID interface IP being the IP used for DNS and NTP.  This works just fine if I don't specify a vlan for the SSID.  

 

However, if I specify a vlan for the tunnelled SSID, clients can make the initial connection to the FortiAP, but they and I never see any communication with the FortiGate, no DHCP, no ping, etc.  I see no log entries at all on the FortiGate side when this happens.

 

I thought perhaps the tunnel was being built using the SSID vlan (not that that makes sense) so I tried setting the switch to allow ssid-tun.v vlan tagged packets at the FAP switch port and at a firewall port.  No change in the results.

 

So, I'm confused here.  I thought the tunnel from the FAP meant that an SSID with a VLAN should just show up on the FortiGate in a similar manner to a normal vlan interface.  

 

I've watched this with diag wireless-controller wlac sta_filter Client-MAC 2.  The output when using a non-zero vlan looks pretty similar to the output when vlan is 0.  However, there is never any DHCP ACK after the "pairwise key handshake completed."

 

Is anyone else using vlans in tunnelled SSIDs?  Any advice would be welcome. 

 

3 REPLIES 3
Bromont_FTNT
Staff
Staff

Not sure it makes sense to use vlans in tunnel mode unless you are using dynamic vlan. You still need to create your vlan interface under the SSID interface and assign IPs DHCP etc. 

 

What's the reason for vlan in tunnel mode?

 

tanr
Valued Contributor II

Hi Bromont,

 

Thanks for the suggestion, that works.

 

I created a new vlan interface as a child of the tunnelled SSID and was able to make this work.  I had to set the SSID to have an IP of 0.0.0.0/0.0.0.0, with the the same vlan as the child, and of course add the child interface to the security policy rules.  Any concerns with having the SSID IP at 0.0.0.0?

 

The vlan in tunnel mode is to allow for a planned future VXLAN over IPSec config.  

You're correct, though -- I don't think this is truly needed.

 

Thanks again.

huntson
New Contributor

I'm looking to provision a VLAN over a tunnelled SSID.  it looks like you were able to get it to work.  I have a SSID with a child vlan of 100 and a I have a software switch with a child vlan of 100 as well as a port of the switch (at the switch end tagged).  I have tried with both set vlanid and without with no luck.  Am I missing something?

Labels
Top Kudoed Authors