Going to be overhauling my policy set and UTM Sensors on the 92D at the house. Pretty excited. Gotta lock security down even further because I want to host some services off my business line with static IP. Pretty stoked and will go through the process with you all in hopes that it provides clarity on something Fortinet related to you that you didn’t get before.
I really enjoy your articles and find them useful to round out my 15+ years working with Fortinet. I am working to replace my home FG with a FG-94d that I picked up on a bargain. It only runs 6.0 code for some reason, but for me that’s fine. I’m having an issue with getting my FortiAPs to pass through in Bridge Mode and figuring out how to utilize the PoE ports to carry both a control network and the two SSID VLANs to get back to the wired networks. I have two wired networks here (that relate directly to my SSIDs) called Devices and Home. The short story is that I use the Devices separation to allow things like AirPrint as friends and family visit, while keeping my home resources separate.
So the issue I’m having is that I have set up 3 VLAN Switches on my 94d.
1 – v100 for FortiAP Control Plane (Where CAPWAP is enabled)
2 – v1000 for Home Network (HomeSSID)
3 – v500 for Devices (DeviceSSID)
Ports 1-8 on Home, 9-44 Devices and 45-48 FortiAP
I have everything working normally but can’t figure out how to get ports 45-48 to trunk my vlan1000 and vlan500 for the SSIDs to traverse.
Do you have any thoughts or fancy CLI commands you think would help? I’ve tried enabling vlanforward on the v100 interface/switch.
VLAN 100 is native for the port. This is where the AP connects up to the FortiGate for CAPWAP and management.
The SSIDs need the VLANs appropriately tagged (Home is tagged for 1000 and Devices for 500).
If it is a FortiSwitch that is managed by the FortiGate, then you just need the native VLAN set to VLAN 100 and the other two set as “allowed VLANs”.
From there it should pass traffic fine.
If it is a standalone switch (fortiswitch or otherwise) then you need a trunk port configured and to be connected to the ports on the FortiGate that have the appropriate VLANs tagged.
Would need more information to know exactly what you need. (switch type, example fortigate config) etc
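To make the managed-FortiSwitch case above concrete, here is what that port and SSID configuration looks like in FortiOS CLI. This is an added example and not configuration from the original post or its author: the FortiSwitch serial, the port name (port5), the VLAN interface names (v100, v500, v1000 on the FortiLink interface), the SSID names and the passphrase are all assumed placeholders and need to be replaced with your own.

```fortios
# Assumed: v100, v500 and v1000 already exist as VLAN interfaces on the
# FortiLink interface (config system interface, set interface "fortilink",
# set vlanid 100/500/1000). v100 is the CAPWAP/management network.

# 1. The FortiSwitch port the FortiAP plugs into: VLAN 100 untagged (native)
#    so the AP can discover the controller, VLANs 500 and 1000 tagged so the
#    bridged SSID frames can ride the same cable.
config switch-controller managed-switch
    edit "S108DVXXXXXXXXXX"        # placeholder FortiSwitch serial
        config ports
            edit "port5"           # placeholder: port the FortiAP is connected to
                set vlan "v100"                    # native / untagged
                set allowed-vlans "v500" "v1000"   # tagged for the SSIDs
            next
        end
    next
end

# 2. The SSIDs in bridge mode, each tagged with the VLAN of its wired network.
#    The vlanid here must match the tag the switch port allows.
config wireless-controller vap
    edit "HomeSSID"
        set ssid "HomeSSID"
        set security wpa2-only-personal
        set passphrase "ChangeMe-Home"   # placeholder
        set local-bridging enable
        set vlanid 1000
    next
    edit "DeviceSSID"
        set ssid "DeviceSSID"
        set security wpa2-only-personal
        set passphrase "ChangeMe-Devices" # placeholder
        set local-bridging enable
        set vlanid 500
    next
end

# 3. Checks: confirm the AP registered over VLAN 100, then look for wireless
#    client MACs learned on the FortiSwitch in VLAN 500/1000.
# diagnose wireless-controller wlac -c wtp
# diagnose switch-controller switch-info mac-table
```

In this arrangement the CAPWAP control channel stays untagged on the native VLAN while client traffic is tagged by the AP and switched at layer 2 straight into the Home or Devices network; because the bridged SSID frames never become routed traffic on the FortiGate, do not expect firewall policies to apply to them. For a standalone switch, the same idea is expressed as a trunk port on the switch (native 100, allowed 500 and 1000) facing FortiGate ports that carry VLAN sub-interfaces with matching IDs.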
Hi, thanks for the response. I’d be more than happy to post a diagram or config as this is just a lab today. I have set up several with switches trunked to an FG interface which has a VLAN sub-interface. I have a pretty firm understanding of that with everything from FortiSwitch through Cisco. But this is a different scenario that’s frying my brain.
This scenario is using a FortiGate 94d, which has 48 integrated ports. I’ve sliced that up into 3 VLAN switches, one for each use. The one for the FortiAPs (v100) is working to register and control the FortiAP (as access ports). The issue is that the bridged SSID VLANs from the FortiAP (v1000) can’t seem to get back to my v1000 VLAN switch running on ports 1-8. I feel like I’m missing something, as on a normal switch I’d just trunk, set a native, and define my allowed VLANs. But that doesn’t seem to be an option with this all-in-one. Let me know what you need for more info and I’ll provide it.
Thanks again, keep up the great work! I know I read your stuff quite a bit.