TigerEmperor
2017/11/11 07:34:30 (permalink)
0

FortiWifi60d

Dear all,
I have a FortiWiFi 60D. I formed a software switch and added a VLAN to this software switch; however, I notice that when I bind the Wi-Fi into this software switch, it does not use the VLAN. How can I put it into the VLAN? Thanks.
#1
bravishank_FTNT
Re: FortiWifi60d 2017/11/17 13:56:46 (permalink)
0
Have you added the VLAN ID to the WiFi interface?
#2
TigerEmperor
Re: FortiWifi60d 2017/12/17 18:34:44 (permalink)
0
Sorry, I just logged back in to the FortiGate. I cannot see the VLAN option in the Wi-Fi.
#3
TigerEmperor
Re: FortiWifi60d 2017/12/19 20:11:10 (permalink)
0
Does anyone know how I can set it to use the VLAN for Wi-Fi? I opened a software switch named lan, created a VLAN in this software switch, and then put the Wi-Fi into this software switch. The Wi-Fi got the IP of the software switch only, not the VLAN.
#4
TigerEmperor
Re: FortiWifi60d 2017/12/23 22:56:54 (permalink)
0
Does this forum have official Fortigate technical staff to answer, or does no one use Fortigate any more?
#5
Sidewaysguy
Re: FortiWifi60d 2017/12/24 11:45:19 (permalink)
0
Hey there,
 
What you are seeing is the default behavior of a software switch.  IP info assigned to a software switch overrides ip info on any interface added to a software switch. 
 
As a side note, you may want to strengthen your Google Fu a little bit as my first query pulled up:  https://docs.fortinet.com/uploaded/files/1671/assigning-wireless-users-to-different-networks-using-dynamic-VLANs.pdf   While that may or may not be what you are looking for, there is a ton of documentation out there with examples before getting snippy in a forum.
 
Cheers,
 
Sidewaysguy
#6
TigerEmperor
Re: FortiWifi60d 2017/12/25 19:04:12 (permalink)
0
Hi Sidewaysguy,
Good morning.
I searched Google before and found the above doc; it seems to be for an external AP with a controller. I want the VLAN assigned to the local device SSID. I have seen it in a company, but I cannot set it up myself. I used to guess it was a problem of tunnel mode or bridge mode, but it seems not.
#7
Sidewaysguy
Re: FortiWifi60d 2017/12/27 09:09:54 (permalink)
0
Hi there,
 
Do you have the vlan already configured on switches in the environment?  If so then using Bridge mode, you can specify the VLAN.  At that point, the port that the AP is plugged into will need to have that tag as an allowed VLAN for the SSID to bridge to the LAN.
#8
TigerEmperor
Re: FortiWifi60d 2017/12/28 19:41:39 (permalink)
0
Thanks Sidewaysguy.
No. I am not using an external AP, I am using the internal AP feature.

Software Switch=lan
Role=lan
Vlan Interface=Vlan123
Wifi=tunnel mode (built in to the Fortigate)
Wifi attached interface=lan

My software switch IP (192.168.10.28), DHCP=192.168.10.51-192.168.10.100
My Vlan interface IP (192.168.123.28), DHCP=192.168.123.51-192.168.123.100

The connected device (example: iPhone) gets the IP 192.168.10.51, but I want it to get 192.168.123.51. How can I set it? I cannot find the VLAN option in Wi-Fi. Thanks.
#9
Sidewaysguy
Re: FortiWifi60d 2017/12/28 20:08:17 (permalink)
0
I think you may be missing what I said above.... Have you tried configuring the SSID in bridge mode and specifying the VLAN there? As well, also noted above is that with a Software Switch, any IP configuration will override any interfaces' configuration that is added to the Software Switch. I haven't specifically tested your scenario, but I would see that would still apply.
 
Besides, just wanting to accomplish this, if everything is internal to the FortiWifi, why not just leave the SSID as a separate interface and use policy to direct traffic to the other subnets?  You haven't explained why the VLAN interface is actually needed if it's not being tagged on other devices. 
#10
TigerEmperor
Re: FortiWifi60d 2017/12/29 00:10:42 (permalink)
0
Hi Sidewaysguy.
Sorry, I misunderstood your answer before.
I tried to add a bridge Wi-Fi and added VLAN 123 in the option, but I cannot find the Wi-Fi on my mobile. Also, I cannot see an enable broadcast option like in tunnel mode. Is bridge mode only used to enable the Wi-Fi?

Yes, it can be used if it is an independent subnet, but the other branch needs to limit the subnet in the VPN. VLAN 123 is one of the internal networks, with Wi-Fi and physical cable LAN ports. Sorry, it needs to be in the VLAN.

I confirmed the other branch is using tunnel mode but can use the VLAN IP, but they did not provide the config to me. What other possible setting can put a tunnel mode SSID in a VLAN?
#11
Sidewaysguy
Re: FortiWifi60d 2017/12/29 08:53:55 (permalink)
0
Hello there,
 
Okay, first things first: did you add the SSID you created in bridge mode to the wireless profile that you have associated with the local wifi? The default profile will automatically add tunnel SSIDs but not bridged ones. You will need to manually add the SSID.

Secondly, if this is an issue for needing traffic coming from a remote subnet through the VPN to the wireless network, then you will need to have the subnet defined in Phase 2 on both sides (unless you are using 0.0.0.0/0.0.0.0). As well, you will need to have the appropriate policies on both sides, referencing the appropriate subnets and interfaces. Whether you use the SSID or VLAN doesn't matter, as each is an interface that would need to be referenced on your side in the policy.

Thirdly, the VLAN you are trying to utilize is only on your side of the VPN, correct?

I'm not sure what firmware you are using, but http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-wireless-54/define-ssid.htm may be something to read.
#12
TigerEmperor
Re: FortiWifi60d 2018/01/02 00:26:57 (permalink)
0
Dear Sidewaysguy,
Good afternoon.
I added a bridge SSID again. Where can I assign it in the local Wi-Fi? Thanks.
#13
Sidewaysguy
Re: FortiWifi60d 2018/01/02 11:09:31 (permalink)
0
Hi there,
 
In the FortiAP profile you have assigned to the local wifi. 
 
 
#14
TigerEmperor
Re: FortiWifi60d 2018/01/02 17:44:54 (permalink)
0
Dear Sidewaysguy,
Good morning.
Thanks for your reply.
I see the default FortiAP profile is assigned to the Local Wifi Radio platform. If I create a new profile, I cannot see bridge mode in Platform. Isn't the FortiAP profile used to map to other Fortigate APs?
#15
wanglei_FTNT
Re: FortiWifi60d 2018/01/03 10:26:40 (permalink)
0
Hi All,
 
To clarify a little bit:
1) You can't bind a bridge mode VAP to the WTP profile assigned to the local radio.
2) If you really need to use a VLAN interface for a tunnel mode VAP, there are a couple of ways to do it:
   a) Make the tunnel mode VAP an independent interface (not part of a software/hardware switch) and create the VLAN interface under the VAP itself.
   b) Make the tunnel mode VAP part of a software/hardware switch and create the VLAN interface under the switch. In order to include a tunnel mode VAP in a switch, you can't enable the DHCP server on the VAP itself.
 
Hope this will help
 
Lei
#16
Sidewaysguy
Re: FortiWifi60d 2018/01/03 10:54:54 (permalink)
0
Hi there,
 
You can use the default profile if you like, you just need to add the SSID to it. A FortiAP profile is needed to provide settings to the AP, so if you have different models of AP, you would need a different FortiAP profile per model. This includes SSIDs and radio settings.

Going back to the original question, I just want to confirm that your subnet 192.168.123.x is being used for the wireless connection that you are setting up, correct? Reading back through the posts, I still don't think that you need a VLAN. Both VLANs and tunnel SSIDs are interfaces, and as such can be used in policies to control the traffic. If you need to send traffic from the 192.168.123.x to the 192.168.10.x subnet, then you need to create policies allowing traffic to flow, referencing both interfaces and the subnets without NAT. If you need to have traffic from 192.168.123.x go to and from subnets on the other side of the VPN, you will create similar policies referencing the VPN interface and subnets. You could add the SSID interface/address subnet to the VPN policies (you may need to turn on the multiple interface feature). The caveat here, as I mentioned above, is that the subnets need to be defined in your Phase 2 unless you are using 0.0.0.0/0.0.0.0. On the other side there will also need to be policies referencing the 192.168.123.x subnet as well.
#17
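The policy-based approach described in the post above, written out as a FortiOS CLI sketch. This is an added example, not configuration posted by anyone in the thread; it assumes /24 masks, an SSID interface named "wifi" that is kept out of the software switch, and the hypothetical address-object names WIFI_NET and LAN_NET.

```fortios
# Added example (not from the thread). Assumed: /24 masks, SSID interface
# "wifi" left as its own interface, object names WIFI_NET and LAN_NET.
config firewall address
    edit "WIFI_NET"
        set subnet 192.168.123.0 255.255.255.0
    next
    edit "LAN_NET"
        set subnet 192.168.10.0 255.255.255.0
    next
end

config firewall policy
    # Wireless clients to the wired LAN, routed without NAT.
    edit 0
        set name "wifi-to-lan"
        set srcintf "wifi"
        set dstintf "lan"
        set srcaddr "WIFI_NET"
        set dstaddr "LAN_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Return direction, for sessions initiated from the wired LAN.
    edit 0
        set name "lan-to-wifi"
        set srcintf "lan"
        set dstintf "wifi"
        set srcaddr "LAN_NET"
        set dstaddr "WIFI_NET"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Narrow `service` from "ALL" to the services the two subnets actually need. The VPN case follows the same pattern, with the tunnel interface as `srcintf`/`dstintf` and 192.168.123.0/24 also present in the Phase 2 selectors on both sides.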
Sidewaysguy
Re: FortiWifi60d 2018/01/03 11:15:28 (permalink)
0
Thanks Lei!  I didn't know/realize that you couldn't bind bridge mode to the local radio.  Is there a reason for this?
 
Cheers,
 
Jared
#18
wanglei_FTNT
Re: FortiWifi60d 2018/01/03 12:36:27 (permalink) (marked Helpful by Sidewaysguy 2018/01/03 16:36:14)
5 (1)
Hi Jared,
 
FWF wireless traffic is already handled locally from the FGT point of view, even though it's called tunnel mode.
 
Lei
#19
Sidewaysguy
Re: FortiWifi60d 2018/01/03 16:38:01 (permalink)
0
Thanks Lei! That's interesting, as I was thinking that the local radio was treated like external APs with regard to the profiles/interfaces.
#20