FortiWiFi and FortiAP Configuration Guide

How to configure a FortiAP local bridge (private cloud-managed AP)

A FortiAP unit can provide WiFi access to a LAN, even when the wireless controller is located remotely. This configuration is useful for the following situations:

  • Installations where the WiFi controller is remote and most of the traffic is local or uses the local Internet gateway
  • Wireless-PCI compliance with remote WiFi controller
  • Telecommuting, where the FortiAP unit has the WiFi controller IP address pre-configured and broadcasts the office SSID in the user’s home or hotel room. In this case, data is sent in the wireless tunnel across the Internet to the office and you should enable encryption using DTLS.

Figure: Remotely-managed FortiAP providing WiFi access to local network

On the remote FortiGate wireless controller, the WiFi SSID is created with the Bridge with FortiAP Interface option selected. In this mode, no IP addresses are configured. The WiFi and Ethernet interfaces on the FortiAP behave as a switch. WiFi client devices obtain IP addresses from the same DHCP server as wired devices on the LAN.

Caution

The local bridge feature cannot be used in conjunction with Wireless Mesh features.

Block-Intra-SSID Traffic is available in Bridge mode. This is useful in hotspot deployments managed by a central FortiGate, and also in cloud deployments. Previously, it was only supported in Tunnel mode.

To configure a FortiAP local bridge - GUI
  1. Go to WiFi and Switch Controller > SSIDs and select Create New > SSID.
  2. Complete the following fields:

    Interface name

    A name for the new WiFi interface.

    Traffic Mode

    Local bridge with FortiAP interface.

    SSID

    The SSID visible to users.

    Security Mode

    Configure security as you would for a regular WiFi network.

    Pre-shared Key

    A network access key for the SSID.

  3. Click OK.
  4. Go to WiFi and Switch Controller > Managed FortiAPs and select the FortiAP unit for editing.
  5. Authorize the FortiAP unit.
    The FortiAP unit can carry regular SSIDs in addition to the Bridge SSID.

Figure: SSID configured for local bridge operation

To configure a FortiAP local bridge - CLI

This example creates a WiFi interface “branchbridge” with SSID “LANbridge” using WPA-Personal security, passphrase “Fortinet1234”.

config wireless-controller vap
    edit "branchbridge"
        set vdom "root"
        set ssid "LANbridge"
        set local-bridging enable
        set security wpa-personal
        set passphrase "Fortinet1234"
    end

config wireless-controller wtp
    edit FAP22B3U11005354
        set admin enable
        set vaps "branchbridge"
    end

Note
  • Disabling local-bridging forcefully disables local-standalone. Also, disabling either local-bridging or local-standalone forcefully disables intra-vap-privacy.
  • Enabling intra-vap-privacy forcefully disables local-standalone.
  • Enabling local-standalone forcefully enables local-bridging.

Continued FortiAP operation when WiFi controller connection is down

The wireless controller, or the connection to it, might occasionally become unavailable. During such an outage, clients already associated with a bridge-mode FortiAP unit continue to have access to the WiFi and wired networks.

The FortiAP unit can continue to authenticate users if the SSID meets the following conditions:

  • Traffic mode is set to Bridge with FortiAP Interface.

    In this mode, the FortiAP unit does not send traffic back to the wireless controller.

  • Security mode is set to one of the following modes:
    • Open
    • Captive Portal with external authentication portal
    • WPA/WPA2-Personal
    • WPA/WPA2-Enterprise
    • WPA3-Enterprise
    • WPA3-SAE
    • WPA3-SAE Transition
    • WPA3-OWE
  • Local standalone mode is enabled.
    This allows new WiFi client connections while the controller is down. This field is available only if the other conditions have been met. By default, this option is disabled.

The “LANbridge” SSID example would be configured like this in the CLI:

config wireless-controller vap
    edit "branchbridge"
        set vdom "root"
        set ssid "LANbridge"
        set local-bridging enable
        set security wpa-personal
        set passphrase "Fortinet1234"
        set local-authentication enable
    end
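The forced toggle dependencies listed in the Note above and the three conditions for continued operation during a controller outage are easy to get wrong when scripting vap changes. The following added example (not code from the Fortinet guide or from FortiOS) parses a constructed "branchbridge" vap entry, applies the Note's cascade rules to a toggle change, and reports whether the result still serves new clients while the controller is unreachable. The security-mode labels and the helper names are assumptions that mirror the guide's list, not verified FortiOS CLI enum values.

```python
# Added example (not from the Fortinet guide): models the vap toggle rules in
# the Note and checks the guide's conditions for continued operation when the
# controller is unreachable. Security labels mirror the guide's list only.
STANDALONE_SECURITY = {
    "open", "captive-portal-external", "wpa-personal", "wpa-enterprise",
    "wpa3-enterprise", "wpa3-sae", "wpa3-sae-transition", "wpa3-owe",
}
# Constructed sample: the guide's "branchbridge" entry with local-standalone on.
BRANCHBRIDGE_CLI = """config wireless-controller vap
    edit "branchbridge"
        set ssid "LANbridge"
        set local-bridging enable
        set security wpa-personal
        set local-standalone enable
    end"""

def parse_vap(cli_text):
    # Collect the 'set <key> <value>' lines of one vap entry into a dict;
    # enable/disable become booleans and surrounding quotes are stripped.
    cfg = {}
    for line in cli_text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0] == "set":
            value = parts[2].strip('"')
            cfg[parts[1]] = {"enable": True, "disable": False}.get(value, value)
    return cfg

def apply_setting(cfg, key, enabled):
    # Change one toggle and apply the forced side effects from the Note
    # (one level deep, as the Note words them). Returns (new_cfg, forced).
    new, forced = dict(cfg), []
    def force(k, v):
        if new.get(k, False) != v:
            new[k] = v
            forced.append((k, v))
    new[key] = enabled
    if key == "local-bridging" and not enabled:
        force("local-standalone", False)
        force("intra-vap-privacy", False)
    elif key == "local-standalone":
        force("local-bridging", True) if enabled else force("intra-vap-privacy", False)
    elif key == "intra-vap-privacy" and enabled:
        force("local-standalone", False)
    return new, forced

def continues_when_controller_down(cfg):
    # Bridge mode, an eligible security mode, and local standalone enabled.
    return (cfg.get("local-bridging") is True
            and cfg.get("security") in STANDALONE_SECURITY
            and cfg.get("local-standalone") is True)
```

Run `continues_when_controller_down(parse_vap(BRANCHBRIDGE_CLI))` on an exported vap entry to confirm an SSID will keep admitting clients before relying on it for a remote site.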