Fortinet Document Library

Version:

Version:


Table of Contents

FortiWiFi and FortiAP Configuration Guide

Download PDF
Copy Link

Configuring a FortiAP local bridge (private cloud-managed AP)

A FortiAP unit can provide WiFi access to a LAN, even when the wireless controller is located remotely. This configuration is useful for the following situations:

  • Installations where the WiFi controller is remote and most of the traffic is local or uses the local Internet gateway
  • Wireless-PCI compliance with remote WiFi controller
  • Telecommuting, where the FortiAP unit has the WiFi controller IP address pre-configured and broadcasts the office SSID in the user’s home or hotel room. In this case, data is sent in the wireless tunnel across the Internet to the office and you should enable encryption using DTLS.
Remotely-managed FortiAP providing WiFi access to local network

On the remote FortiGate wireless controller, the WiFi SSID is created with the Bridge with FortiAP Interface option selected. In this mode, no IP addresses are configured. The WiFi and Ethernet interfaces on the FortiAP behave as a switch. WiFi client devices obtain IP addresses from the same DHCP server as wired devices on the LAN.

caution icon

The local bridge feature cannot be used in conjunction with Wireless Mesh features.

Block-Intra-SSID Traffic is available in Bridge mode. This is useful in hotspot deployments managed by a central FortiGate, but would also be useful in cloud deployments. Previously, this was only supported in Tunnel mode.

To configure a FortiAP local bridge - GUI
  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter:

    Interface name

    A name for the new WiFi interface.

    Traffic Mode

    Local bridge with FortiAP interface.

    SSID

    The SSID visible to users.

    Security Mode
    Data Encryption
    Preshared Key

    Configure security as you would for a regular WiFi network.

  3. Select OK.
  4. Go to WiFi & Switch Controller > Managed FortiAPs and select the FortiAP unit for editing.
  5. Authorize the FortiAP unit.
    The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.
SSID configured for local bridge operation

To configure a FortiAP local bridge - CLI

This example creates a WiFi interface “branchbridge” with SSID “LANbridge” using WPA-Personal security, passphrase “Fortinet1”.

config wireless-controller vap

edit "branchbridge"

set vdom "root"

set ssid "LANbridge"

set local-bridging enable

set security wpa-personal

set passphrase "Fortinet1"

end

config wireless-controller wtp

edit FAP22B3U11005354

set admin enable

set vaps "branchbridge"

end

note icon

 

Disabling local-bridging forcefully disables local-standalone. Also, disabling either local-bridging or local-standalone forcefully disables intra-vap-privacy.

 

Enabling intra-vap-privacy forcefully disables local-standalone.

 

Enabling local-standalone forcefully enables local-bridging.

Continued FortiAP operation when WiFi controller connection is down

The wireless controller, or the connection to it, might occasionally become unavailable. During such an outage, clients already associated with a bridge mode FortiAP unit continue to have access to the WiFi and wired networks. Optionally, the FortiAP unit can also continue to authenticate users if the SSID meets these conditions:

  • Traffic Mode is Local bridge with FortiAP’s Interface.
    In this mode, the FortiAP unit does not send traffic back to the wireless controller.
  • Security Mode is WPA2 Personal.
    These modes do not require the user database. In WPA2 Personal authentication, all clients use the same pre-shared key which is known to the FortiAP unit.
  • Allow New WiFi Client Connections When Controller is down is enabled.
    This field is available only if the other conditions have been met.

The “LANbridge” SSID example would be configured like this in the CLI:

config wireless-controller vap

edit "branchbridge"

set vdom "root"

set ssid "LANbridge"

set local-bridging enable

set security wpa-personal

set passphrase "Fortinet1"

set local-authentication enable

end

Configuring a FortiAP local bridge (private cloud-managed AP)

A FortiAP unit can provide WiFi access to a LAN, even when the wireless controller is located remotely. This configuration is useful for the following situations:

  • Installations where the WiFi controller is remote and most of the traffic is local or uses the local Internet gateway
  • Wireless-PCI compliance with remote WiFi controller
  • Telecommuting, where the FortiAP unit has the WiFi controller IP address pre-configured and broadcasts the office SSID in the user’s home or hotel room. In this case, data is sent in the wireless tunnel across the Internet to the office and you should enable encryption using DTLS.
Remotely-managed FortiAP providing WiFi access to local network

On the remote FortiGate wireless controller, the WiFi SSID is created with the Bridge with FortiAP Interface option selected. In this mode, no IP addresses are configured. The WiFi and Ethernet interfaces on the FortiAP behave as a switch. WiFi client devices obtain IP addresses from the same DHCP server as wired devices on the LAN.

caution icon

The local bridge feature cannot be used in conjunction with Wireless Mesh features.

Block-Intra-SSID Traffic is available in Bridge mode. This is useful in hotspot deployments managed by a central FortiGate, but would also be useful in cloud deployments. Previously, this was only supported in Tunnel mode.

To configure a FortiAP local bridge - GUI
  1. Go to WiFi & Switch Controller > SSID and select Create New > SSID.
  2. Enter:

    Interface name

    A name for the new WiFi interface.

    Traffic Mode

    Local bridge with FortiAP interface.

    SSID

    The SSID visible to users.

    Security Mode
    Data Encryption
    Preshared Key

    Configure security as you would for a regular WiFi network.

  3. Select OK.
  4. Go to WiFi & Switch Controller > Managed FortiAPs and select the FortiAP unit for editing.
  5. Authorize the FortiAP unit.
    The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.
SSID configured for local bridge operation

To configure a FortiAP local bridge - CLI

This example creates a WiFi interface “branchbridge” with SSID “LANbridge” using WPA-Personal security, passphrase “Fortinet1”.

config wireless-controller vap

edit "branchbridge"

set vdom "root"

set ssid "LANbridge"

set local-bridging enable

set security wpa-personal

set passphrase "Fortinet1"

end

config wireless-controller wtp

edit FAP22B3U11005354

set admin enable

set vaps "branchbridge"

end

note icon

 

Disabling local-bridging forcefully disables local-standalone. Also, disabling either local-bridging or local-standalone forcefully disables intra-vap-privacy.

 

Enabling intra-vap-privacy forcefully disables local-standalone.

 

Enabling local-standalone forcefully enables local-bridging.

Continued FortiAP operation when WiFi controller connection is down

The wireless controller, or the connection to it, might occasionally become unavailable. During such an outage, clients already associated with a bridge mode FortiAP unit continue to have access to the WiFi and wired networks. Optionally, the FortiAP unit can also continue to authenticate users if the SSID meets these conditions:

  • Traffic Mode is Local bridge with FortiAP’s Interface.
    In this mode, the FortiAP unit does not send traffic back to the wireless controller.
  • Security Mode is WPA2 Personal.
    These modes do not require the user database. In WPA2 Personal authentication, all clients use the same pre-shared key which is known to the FortiAP unit.
  • Allow New WiFi Client Connections When Controller is down is enabled.
    This field is available only if the other conditions have been met.

The “LANbridge” SSID example would be configured like this in the CLI:

config wireless-controller vap

edit "branchbridge"

set vdom "root"

set ssid "LANbridge"

set local-bridging enable

set security wpa-personal

set passphrase "Fortinet1"

set local-authentication enable

end