FortiWifi with Tunnel and Bridge SSIDs

If you have a FortiWiFi using the internal radio and want to offer a guest SSID that is in “Tunnel” mode an internal SSID that would normally be bridged to your LAN, you can set your device up in the following way:

Equipment:

FortiWiFi 61E
Firmware: 6.2.2 build1010
Local WiFi Radio Mode

• Create BOTH SSIDs in *Tunnel* mode (yes, even though you want to bridge one of them)
  • Go to WiFi & Switch Controller > SSID
  • For the inside/local SSID (that you want in Bridged mode) leave the IP/Netmask as 0.0.0.0/0.0.0.0
  • For the outside/guest SSID set it up as you normally would in Tunnel mode with an address and DHCP scope if needed
  • The SSIDs would look something like this
• Assign the SSIDs to an AP Profile
  
  • WiFi & Switch Controller > FortiAP Profiles
  • You will notice on the list that populates that none of the SSIDs that were in Bridge mode show up as selectable (although I was testing this in 6.0.2 and they showed up but when you tried to save it there was an error)
• Assign that profile in Local WiFi Radio
  • WiFi & Switch Controller > Local WiFi Radio
    
• In Interfaces make sure there is a Software switch
  • Network > Interfaces
• Assign the “Inside/local/bridged” SSID to the ‘lan’ interface
  

I did this in my lab and the “BridgedWiFi” SSID got an internal lan address (192.168.1.x), and the “Guest” SSID gave me an address I setup in its own scope (192.168.10.x).

This would work well in a Branch-in-the-box scenario where you want to offer wireless access to guests and employees but give them different networks to use.