I'm not sure I understand the layout of your network. Does the FortiWifi connect to a separate firewall which in turn connects to a modem? What ForitOS are you using?

It would be best if you just got a switch to handle the taggings(or just have the end device tag itself), but if you insist on using the gate to get untagged traffic onto a vlan...

On a fortiwifi it comes as a software switch by default, so you may need to break out physical ports in the cli

You need to create the vlan and leave it as 0.0.0.0/0.0.0.0 and ensure it has no references. The physical port will need to be the same, 0.0.0.0/0.0.0.0 and no references, then create a software switch with the IP/subnet you want and then add the vlan and the physical port to that software switch. It essentially creates a bridge between the two interfaces.

This will make that physical port untagged on that vlan. There are several downsides to this, but the fortigate isn't really meant to replace a switch.

I guess the question is do you actually need vlans, or would simply breaking off a couple of ports into a new hardware switch would do what you want.

In FortiOS as I said a vlans are  treated as virtual interface that is untagged in that vlan.

This means that interface can have some ip out of some subnet or even do dhcp if needed.

It also means that all packets that leave the FortiOS Device coming from this interface will be tagged with the interface's vid.

you do not neccessary have to break off the software switch. Switch is also a virtual interface and you can attach vlan interfaces to it.

That would just mean that your FortiOS device would distribute vlan packets tagged with the vid over every single port that is member of that software switch.

I think you are confusing untagged with tagged. To reach any vlans on the fortigate the packet will need to arrive at the fortigate as tagged for that vlan. A computer plugged directly into the fortigate will end up on the untagged vlan(the physical interface) which is vlan0 unless the device tags itself.

No I only sopoke of packets that go out from FortiOS Vlan Interface. Their vlan tag will be rewiritten to the interface's one. That is what untagged means.

In the incoming direction you are right. Packets have to be tagged already to fit the vlan.

Basically: 

untagged == vlan tag will be rewritten on outgoing packets. Incoming packets must have correct vlan tag.

tagged == vlan tag will not be touched on outgoing packets. Incomind packets must have correct vlan tag.

That's not really correct.. untagged vlans get written as they enter and removed as they leave, tagged just needs to be there to accept the vlan otherwise it gets discarded.

Either way, it's beside the point. FortiGate is not meant to replace a switch, and to get a dumb device onto a vlan on a FortiGate you need a software switch to bridge the physical interface and vlan.

Ultimately, in this scenario, the issue is you cannot define on a fortigate what the 'untagged' vlan is. It will always be vlan0, the physical interface.

I agree with you for the first point. 

The second is not correct in FortiOS.

In FOrtiOS you need a policy that allows the traffic from lan to vlan with the speiic ones aus dst/src interface and that's it. That is the big advantage of vlans being treated as virtual interfaces. Since the vlan interface is untagged in FortiOS the vlan tag gets rewritten and the policy does the rest.

I do that with various vlans on my FGT here to connect e.g. coming from an IPSec Tunnel or a physical port and going to a vlan.

@concha

Do you want to present multiple VLANs to the AP and have the AP present these separate VLANs to the access ports?