Combining WiFi and wired networks with a software switch

Combining WiFi and wired networks with a software switch

Combining WiFi and wired networks with a software switch

FortiAP local bridging (Private Cloud-Managed AP) Using bridged FortiAPs to increase scalability

 

Combining WiFi and wired networks with a software switch

A WiFi network can be combined with a wired LAN so that WiFi and wired clients are on the same subnet. This is a convenient configuration for users. Note that software switches are only available if your FortiGate is in Interface mode.

Wireless Mesh features cannot be used in conjunction with this configuration because they enable the FortiAP Local Bridge option.

To create the WiFi and wired LAN configuration, you need to:

  • Configure the SSID so that traffic is tunneled to the WiFi controller.
  • Configure a software switch interface on the FortiGate unit with the WiFi and internal network interface as members.
  • Configure Captive Portal security for the software switch interface.

 

To configure the SSID – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New.

2. Enter:

Interface name                           A name for the new WiFi interface, homenet_if for example.

Traffic Mode                              Tunnel to Wireless Controller

SSID                                            The SSID visible to users, homenet for example.

Security Mode Data Encryption Preshared Key

Configure security as you would for a regular WiFi network.

3. Select OK.

4. Go to WiFi & Switch Controller > Managed FortiAPs, select the FortiAP unit for editing.

5. Authorize the FortiAP unit.

The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

 

To configure the SSID – CLI

This example creates a WiFi interface “homenet_if” with SSID “homenet” using WPA-Personal security, passphrase “Fortinet1”.

config wireless-controller vap

edit “homenet_if” set vdom “root”

set ssid “homenet”

set security wpa-personal set passphrase “Fortinet1”

end

config wireless-controller wtp edit FAP22B3U11005354

set admin enable

set vaps “homenet_if” end

 

To configure the FortiGate software switch – web-based manager

1. Go to Network > Interfaces and select Create New > Interface.

2. Enter:

 

  Interface Name A name for the new interface, homenet_nw for example.
Type Software Switch
Physical Interface Members Add homenet_if and the internal network interface.
Addressing mode Select Manual and enter an address, for example

172.16.96.32/255.255.255.0

DHCP Server Enable and configure an address range for clients.
Security Mode Select Captive Portal. Add the permitted User Groups.
 

3.

 

Select OK.

 

 

To configure the FortiGate unit – CLI

config system interface edit homenet_nw

set ip 172.16.96.32 255.255.255.0 set type switch

set security-mode captive-portal set security-groups “Guest-group”

end

config system interface edit homenet_nw

set member “homenet_if” “internal” end

 

VLAN configuration

If your environment uses VLAN tagging, you assign the SSID to a specific VLAN in the CLI. For example, to assign the homenet_if interface to VLAN 100, enter:

config wireless-controller vap edit “homenet_if”

set vlanid 100 end

 

Additional configuration

The configuration described above provides communication between WiFi and wired LAN users only. To provide access to other networks, create appropriate firewall policies between the software switch and other interfaces.

 

FortiAP local bridging (Private Cloud-Managed AP)

A FortiAP unit can provide WiFi access to a LAN, even when the wireless controller is located remotely. This configuration is useful for the following situations:

  • Installations where the WiFI controller is remote and most of the traffic is local or uses the local Internet gateway
  • Wireless-PCI compliance with remote WiFi controller
  • Telecommuting, where the FortiAP unit has the WiFi controller IP address pre-configured and broadcasts the office SSID in the user’s home or hotel room. In this case, data is sent in the wireless tunnel across the Internet to the office and you should enable encryption using DTLS.

 

Remotely-managed FortiAP providing WiFi access to local network

On the remote FortiGate wireless controller, the WiFi SSID is created with the Bridge with FortiAP Interface option selected. In this mode, no IP addresses are configured. The FortiAP unit’s WiFi and Ethernet interfaces behave as a switch. WiFi client devices obtain IP addresses from the same DHCP server as wired devices on the LAN.

The Local Bridge feature cannot be used in conjunction with Wireless Mesh features.

Block-Intra-SSID Traffic is not available in Bridge mode.

To configure a FortiAP local bridge – web-based manager

1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.

2. Enter:

Interface name                           A name for the new WiFi interface.

Traffic Mode                              Local bridge with FortiAP’s Interface

SSID                                            The SSID visible to users.

Security Mode Data Encryption Preshared Key

Configure security as you would for a regular WiFi network.

3. Select OK.

4. Go to WiFi & Switch Controller > Managed FortiAPs and select the FortiAP unit for editing.

5. Authorize the FortiAP unit.

The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

 

 

SSID configured for Local Bridge operation

 

To configure a FortiAP local bridge – CLI

This example creates a WiFi interface “branchbridge” with SSID “LANbridge” using WPA-Personal security, passphrase “Fortinet1”.

config wireless-controller vap edit “branchbridge”

set vdom “root”

set ssid “LANbridge”

set local-bridging enable set security wpa-personal set passphrase “Fortinet1”

end

config wireless-controller wtp edit FAP22B3U11005354

set admin enable

set vaps “branchbridge” end

 

Continued FortiAP operation when WiFi controller connection is down

The wireless controller, or the connection to it, might occasionally become unavailable. During such an outage, clients already associated with a bridge mode FortiAP unit continue to have access to the WiFi and wired networks. Optionally, the FortiAP unit can also continue to authenticate users if the SSID meets these conditions:

  • Traffic Mode is Local bridge with FortiAP’s Interface.

In this mode, the FortiAP unit does not send traffic back to the wireless controller.

  • Security Mode is WPA2 Personal.

These modes do not require the user database. In WPA2 Personal authentication, all clients use the same pre- shared key which is known to the FortiAP unit.

  • Allow New WiFi Client Connections When Controller is down is enabled.

This field is available only if the other conditions have been met.

The “LANbridge” SSID example would be configured like this in the CLI:

config wireless-controller vap edit “branchbridge”

set vdom “root”

set ssid “LANbridge”

set local-bridging enable set security wpa-personal set passphrase “Fortinet1”

set local-authentication enable end

 

 

Using bridged FortiAPs to increase scalability

The FortiGate wireless controller can support more FortiAP units in local bridge mode than in the normal mode. But this is only true if you configure some of your FortiAP units to operate in remote mode, which supports only local bridge mode SSIDs.

The Managed FortAP page (WiFi & Switch Controller > Managed FortiAPs) shows at the top right the current number of Managed FortiAPs and the maximum number that can be managed, “5/64” for example. The maximum number, however, is true only if all FortiAP units operate in remote mode. For more detailed information, consult the Maximum Values Table. For each FortiGate model, there are two maximum values for managed FortiAP units: the total number of FortiAPs and the number of FortiAPs that can operate in normal mode.

 

To configure FortiAP units for remote mode operation

1. Create at least one SSID with Traffic Mode set to Local bridge with FortiAP’s Interface.

2. Create a custom AP profile that includes only local bridge SSIDs.

3. Configure each managed FortiAP unit to use the custom AP profile. You also need to set the FortiAP unit’s wtp- mode to remote, which is possible only in the CLI. The following example uses the CLI both to set wtp-mode and select the custom AP profile:

config wireless-controller wtp

edit FAP22B3U11005354 set wtp-mode remote

set wtp-profile 220B_bridge end

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.