FortiWiFi and FortiAP Configuration Guide

LAN port options

FortiAPs have at least one Ethernet port that operates as a WAN port to provide management connection to a WiFi Controller such as FortiGate or FortiAP Cloud. Some FortiAP models have multiple LAN ports that can provide wired network access.

There are some differences in LAN configuration among FortiAP models.

FortiAP models, including FAP-21D, FAP-24D, and FAP-C24JE, have one WAN port and one or more LAN ports. By default, the LAN ports are offline. You can directly configure LAN port operation via the web UI of a WiFi Controller, or in the FortiGate CLI (config wireless-controller wtp-profile > config lan).

FortiAP models, including FAP-320C, FAP-421E, and FAP-U421EV, have two ports, labeled LAN1 and LAN2. By default, LAN1 and LAN2 are direct pass-through ports, and can work as the WAN interface. When necessary, the LAN1 and LAN2 ports can be re-configured for WAN-LAN operation.

This section covers the following topics:

Configuring a port to WAN-LAN operation mode

Some FortiAP models have two LAN ports instead of having both a WAN port and a LAN port. You can configure one of the LAN ports to operate under the WAN-LAN mode. To configure a port to WAN-LAN operation, you must first configure it in the FortiGate CLI, and then in the FortiAP CLI.

To configure a port to WAN-LAN operation
  1. Access the FortiGate CLI.

  2. Select the "wan-lan" option in the wtp-profile, for example:

    config wireless-controller wtp-profile
        edit <profile_name>
            set wan-port-mode wan-lan
    end

    By default, the wan-port-mode is set to wan-only.

    Once the wan-port-mode is set to wan-lan, LAN Port options become available in the web UI and the CLI of the WiFi Controller, similar to FortiAP models that have labeled WAN and LAN ports.

  3. Access the FortiAP CLI (see FortiAP CLI access).
  4. Enable the WAN-LAN mode. The method varies depending on the FortiAP model type.

    • Enabling WAN-LAN mode on FortiAP, FortiAP-S, and FortiAP-W2 models:

      cfg -a WANLAN_MODE=WAN-LAN
      cfg -c

      Note: By default, WANLAN_MODE is set to WAN-ONLY.

    • Enabling WAN-LAN mode on FortiAP-U models:

      cfg -a FAP_ETHER_TRUNK=3
      cfg -c

      Note: By default, FAP_ETHER_TRUNK is set to 0.

  5. Once the WiFi Controller and the FortiAP are both configured, LAN1 will work as the WAN interface and LAN2 will work as the LAN interface.

Bridging a LAN port with an SSID

Bridging a LAN port with a FortiAP SSID combines traffic from both sources to provide a single broadcast domain for wired and wireless users.

In this configuration:

  • The IP addresses for LAN clients come from the DHCP server that serves the wireless clients.
  • Traffic from LAN clients is bridged to the SSID’s VLAN. Dynamic VLAN assignment for hosts on the LAN port is not supported.
  • Wireless and LAN clients are on the same network and can communicate locally, via the FortiAP.
  • Any host connected to the LAN port will be taken as authenticated. RADIUS MAC authentication for hosts on the LAN port is not supported.

For configuration instructions, see Configuring FortiAP LAN ports.

Bridging a LAN port with the WAN port

Bridging a LAN port with the WAN port enables the FortiAP unit to be used as a hub which is also an access point.

In this configuration:

  • The IP addresses for LAN clients come from the WAN directly and will typically be in the same range as the AP itself.
  • All LAN client traffic is bridged directly to the WAN interface.
  • Communication between wireless and LAN clients can only occur if a policy on the FortiGate unit allows it.

Wired clients from the LAN ports are able to access the WAN port with or without a VLAN tag. By default, bridged LAN to WAN traffic has no VLAN tag and defaults to 0 (AP_MGMT_VLAN_ID=0). If the AP_MGMT_VLAN_ID is set to a non-zero number, the bridged LAN to WAN traffic will also be tagged with that VLAN ID.

For configuration instructions, see Configuring FortiAP LAN ports.

Configuring FortiAP LAN ports

You can configure FortiAP LAN ports for APs through a FortiAP Profile. A profile applies to APs that are the same model and share the same configuration. If you have multiple models or different configurations, you might need to create several FortiAP Profiles. You can also override FortiAP Profile configurations by editing the individual AP directly.

Configuring FortiAP LAN ports using profiles

FortiAP profiles apply configurations to multiple APs of the same model.

To configure FortiAP LAN ports - GUI
  1. If your FortiAP unit has LAN ports, but no WAN ports, enable LAN port options in the CLI. See Configuring a port to WAN-LAN operation mode.
  2. Go to WiFi and Switch Controller > FortiAP Profiles.
  3. Edit the default profile for your FortiAP model or select Create New.
  4. If you are creating a new profile, enter a Name and select the correct Platform (model).
  5. Select SSIDs.
  6. In the LAN Port section, set Mode to Bridge to and select an SSID or WAN Port as needed.

    On some models with multiple LAN ports, you can set Mode to Custom and configure the LAN ports individually. Enable each port that you want to use and select an SSID or WAN Port as needed.

  7. Select OK.

Be sure to select this profile when you authorize your FortiAP units.

To configure FortiAP LAN ports - CLI

In this example, the default FortiAP-11C profile is configured to bridge the LAN port to the office SSID.

    config wireless-controller wtp-profile
        edit FAP11C-default
            config lan
                set port-mode bridge-to-ssid
                set port-ssid office
            end
        next
    end

In this example, the default FortiAP-28C profile is configured to bridge LAN port1 to the office SSID and to bridge the other LAN ports to the WAN port.

    config wireless-controller wtp-profile
        edit FAP28C-default
            config lan
                set port1-mode bridge-to-ssid
                set port1-ssid office
                set port2-mode bridge-to-wan
                set port3-mode bridge-to-wan
                set port4-mode bridge-to-wan
                set port5-mode bridge-to-wan
                set port6-mode bridge-to-wan
                set port7-mode bridge-to-wan
                set port8-mode bridge-to-wan
            end
    end

In this example, the default FortiAP-320C profile is configured to bridge the LAN port to the office SSID.

    config wireless-controller wtp-profile
        edit FAP320C-default
            set wan-port-mode wan-lan
            config lan
                set port-mode bridge-to-ssid
                set port-ssid office
            end
        next
    end

Configuring individual FortiAP LAN ports

For an individual AP, you can override the FortiAP profile settings by editing device configurations directly.

To override FortiAP Profile LAN port configurations - GUI
  1. Go to WiFi and Switch Controller > Managed FortiAPs.
  2. Select the FortiAP unit from the list and select Edit.
  3. Select the FortiAP Profile, if this has not already been done.
  4. In the LAN Port section, select Override.
    The options for Mode are shown.
  5. Set Mode to Bridge to and select an SSID or WAN Port, or NAT to WAN as needed.
    On some models with multiple LAN ports, you can set Mode to Custom and configure the LAN ports individually. Enable and configure each port that you want to use.
  6. Select OK.
To override FortiAP Profile LAN port configurations - CLI

In this example, a FortiAP unit’s configuration overrides the FortiAP Profile to bridge the LAN port to the office SSID.

    config wireless-controller wtp
        edit FP320C3X14020000
            set wtp-profile FAP320C-default
            set override-wan-port-mode enable
            set wan-port-mode wan-lan
            set override-lan enable
            config lan
                set port-mode bridge-to-ssid
                set port-ssid office
            end
    end
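
A saved controller configuration can be reviewed offline for the LAN port modes described in the bridging sections above, where any host on a port bridged to an SSID is taken as authenticated. The following Python code is an added example, not Fortinet code: it parses `config wireless-controller wtp-profile` and `wtp` text and lists every LAN port set to bridge-to-ssid or bridge-to-wan. The function names, the note wording and the sample text are constructed for illustration.

```python
import re
# Constructed sample, in the shape of the CLI examples on this page.
SAMPLE = """\
config wireless-controller wtp-profile
    edit FAP28C-default
        config lan
            set port1-mode bridge-to-ssid
            set port1-ssid office
            set port2-mode bridge-to-wan
        end
    next
end
config wireless-controller wtp
    edit FP320C3X14020000
        config lan
            set port-mode bridge-to-ssid
            set port-ssid office
        end
end
"""
NOTES = {  # reviewer notes, worded from the bridging sections of the page
    "bridge-to-ssid": "wired hosts are taken as authenticated on the SSID's VLAN",
    "bridge-to-wan": "wired hosts are bridged directly to the WAN interface",
}
SET_RE = re.compile(r"set (port\d*)-(mode|ssid) (\S+)")

def parse_lan_ports(text):
    """Map each profile or AP entry to {port: {"mode": ..., "ssid": ...}}."""
    entries, current, in_lan = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("edit "):
            current, in_lan = line.split(None, 1)[1].strip('"'), False
        elif line == "config lan" and current is not None:
            in_lan = True
        elif line == "end" and in_lan:
            in_lan = False  # closes "config lan" only
        elif line in ("end", "next"):
            current, in_lan = None, False  # entry or whole table finished
        elif in_lan and (m := SET_RE.fullmatch(line)):
            port = entries.setdefault(current, {}).setdefault(m[1], {})
            port[m[2]] = m[3].strip('"')
    return entries

def audit(text):  # -> [(entry, port, mode, ssid, note), ...]
    return [(name, port, s["mode"], s.get("ssid"), NOTES[s["mode"]])
            for name, ports in parse_lan_ports(text).items()
            for port, s in sorted(ports.items()) if s.get("mode") in NOTES]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Entries without a `config lan` block are omitted from the result, which matches the page's statement that LAN ports are offline by default.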
