By Manny Fernandez

January 11, 2020

FortiWifi with Tunnel and Bridge SSIDs

If you have a FortiWiFi using the internal radio and want to offer a guest SSID that is in “Tunnel” mode an internal SSID that would normally be bridged to your LAN, you can set your device up in the following way:

Equipment:

FortiWiFi 61E
Firmware: 6.2.2 build1010
Local WiFi Radio Mode

  • Create BOTH SSIDs in *Tunnel* mode (yes, even though you want to bridge one of them)
    • Go to WiFi & Switch Controller > SSID
    • For the inside/local SSID (that you want in Bridged mode) leave the IP/Netmask as 0.0.0.0/0.0.0.02020-01-10_13-22-51.png
    • For the outside/guest SSID set it up as you normally would in Tunnel mode with an address and DHCP scope if needed2020-01-10_15-03-55
    • The SSIDs would look something like this2020-01-10_13-18-10
  • Assign the SSIDs to an AP Profile

    • WiFi & Switch Controller > FortiAP Profiles
    • You will notice on the list that populates that none of the SSIDs that were in Bridge mode show up as selectable (although I was testing this in 6.0.2 and they showed up but when you tried to save it there was an error)2020-01-10_13-18-52.png
  • Assign that profile in Local WiFi Radio
    • WiFi & Switch Controller > Local WiFi Radio
      2020-01-10_15-19-36.png
  • In Interfaces make sure there is a Software switch
    • Network > Interfaces
  • Assign the “Inside/local/bridged” SSID to the ‘lan’ interface
    2020-01-10_13-19-44

I did this in my lab and the “BridgedWiFi” SSID got an internal lan address (192.168.1.x), and the “Guest” SSID gave me an address I setup in its own scope (192.168.10.x).

This would work well in a Branch-in-the-box scenario where you want to offer wireless access to guests and employees but give them different networks to use.

Recent posts

  • If you've spent any time configuring user authentication on... Full Story

  • DNS is one of those technologies that quietly underpins... Full Story

  • BGP issues on FortiGate firewalls usually trace back to... Full Story

  • Every time your laptop talks to your router, a... Full Story

  • If you've spent any time configuring NAT on a... Full Story

  • If you have spent any time configuring firewall policies... Full Story

  • High availability on FortiGate is one of those features... Full Story

  • If you've configured SD-WAN on a FortiGate, you've almost... Full Story

  • FortiLink is the management protocol that turns a FortiSwitch... Full Story

  • FortiSwitches are pretty rock solid from Mean Time Between... Full Story

  • This is a quicky tip.  Have you ever gone... Full Story

  • DNS is one of those quiet pieces of internet... Full Story

  • This article is an updated version of the previous... Full Story

  • You will add ns2 as a secondary (slave) BIND9... Full Story

  • In the process of deploying my lab, I needed... Full Story

  • RFC 8805, used to be known as Self-Correcting IP... Full Story

  • Years back, I wrote an article about certificate pinning. ... Full Story

  • FortiGates have the ability to send alerts to Microsoft... Full Story

  • In this post, I am going to walk through... Full Story

  • Troubleshooting VoIP on a FortiGate can feel like trying... Full Story

  • Prior to FortiOS 7.0, there were three commands to... Full Story

  • In this post, I am going to go over... Full Story

  • What we are going to do:  We are going... Full Story

  • Choosing between FGCP (FortiGate Clustering Protocol) and FGSP (FortiGate... Full Story

  • Creating a VLAN on macOS (The "Pro" Move) A... Full Story

  • This blog post explores the logic behind how macOS... Full Story

  • Pretty Fly for a Wi-Fi Tell My Wi-Fi Love... Full Story

  • Part of my daily gig is creating BoMs (Bill-of-Materials)... Full Story

  • ICMP introduces several security risks, but careful filtering, rate... Full Story

  • The command diag debug application dhcps -1 enables full... Full Story

  • In the world of FortiOS, execute tac report is... Full Story

  • LLDP; What is it The Link Layer Discovery Protocol... Full Story

  • What it actually does When you run diagnose fdsm... Full Story

  • Monkey Bites are bite-sized, high-impact security insights designed for... Full Story

  • I have run macOS in macOS with Parallels but... Full Story

  • Don't be confused with my other FortiNAC posts where... Full Story

  • This is the third session in a multi-part article... Full Story

  • Today I was configuring key-based authentication on a FortiGate... Full Story

  • Netcat, often called the "Swiss Army knife" of networking,... Full Story

  • At its core, IEEE 802.1X is a network layer... Full Story

  • In case you did not see the previous FortiNAC... Full Story

  • This is our 5th session where we are going... Full Story

  • Now that we have Wireshark installed and somewhat configured,... Full Story

  • The Philosophy of Packet Analysis Troubleshooting isn't about looking... Full Story

  • Overview FortiOS 8.0 introduces custom tags as a first-class... Full Story

  • These are two distinct mechanisms on FortiOS, and conflating... Full Story

  • Replacement messages are the pages and text blocks that... Full Story