FortiWiFi and FortiAP Configuration Guide

LAN port options

FortiAPs have at least one Ethernet port that operates as a WAN port to provide management connection to a WiFi Controller such as FortiGate or FortiLAN Cloud. Some FortiAP models have multiple LAN ports that can provide wired network access.

There are some differences in LAN configuration among FortiAP models:

  • Some FortiAP models have one WAN port and one or more LAN ports. By default, the LAN ports are offline. You can directly configure LAN port operation via the web UI of a WiFi Controller, or in the FortiGate CLI (config wireless-controller wtp-profile > config lan).
  • Other FortiAP models have two ports, labeled LAN1 and LAN2. By default, LAN1 and LAN2 are direct pass-through ports, and can work as the WAN interface. When necessary, the LAN1 and LAN2 ports can be re-configured for WAN-LAN operation.

For information on which FortiAP models have configurable WAN/LAN ports, refer to the FortiAP product data sheet.

This section covers the following topics:

  • Configuring a port to WAN-LAN operation mode
  • Bridging a LAN port with the WAN port
  • Bridging a LAN port with an SSID
  • Configuring FortiAP LAN ports
  • Verifying wired clients connected to FortiAP LAN ports

Configuring a port to WAN-LAN operation mode

Some FortiAP models have two LAN ports instead of having both a WAN port and a LAN port. You can configure one of the LAN ports to operate under the WAN-LAN mode. To configure a port to WAN-LAN operation, you must first configure the CLI in the FortiGate, and then in the CLI of the FortiAP.

To configure a port to WAN-LAN operation:
  1. Access the FortiGate CLI.

  2. Select the "wan-lan" option in the wtp-profile, for example:

    config wireless-controller wtp-profile
      edit <profile_name>
        set wan-port-mode wan-lan
    end

    By default, the wan-port-mode is set to wan-only.

    Once the wan-port-mode is set to wan-lan, LAN Port options become available in the web UI and the CLI of the WiFi Controller, in the same way as on FortiAP models that have labeled WAN and LAN ports.

  3. Access the FortiAP CLI (see FortiAP CLI access).
  4. Enable the WAN-LAN mode. The method varies depending on the FortiAP model type.

    • Enabling WAN-LAN mode on FortiAP, FortiAP-S, and FortiAP-W2 models:

      cfg -a WANLAN_MODE=WAN-LAN

      cfg -c

      Note: By default, WANLAN_MODE is set to WAN-ONLY.

    • Enabling WAN-LAN mode on FortiAP-U models:

      cfg -a FAP_ETHER_TRUNK=3

      cfg -c

      Note: By default, FAP_ETHER_TRUNK is set to 0.

  5. Once the WiFi Controller and the FortiAP are both configured, LAN1 will work as the WAN interface and LAN2 will work as the LAN interface.

Bridging a LAN port with the WAN port

Bridging a LAN port with the WAN port enables the FortiAP unit to be used as a hub which is also an access point.

In this configuration:

  • The LAN port and the WAN port work together as a layer-2 bridge.
  • Wired clients can access the LAN port directly and send and receive data through the WAN port without any authentication.
  • Wired client traffic has the same VLAN ID as that of the WAN port, that is, it has no VLAN tag when AP_MGMT_VLAN_ID is 0 (by default), or it is tagged with the same VLAN ID as the current AP_MGMT_VLAN_ID value (range 1 to 4094).
  • Wired LAN clients are in the same subnet as the FortiAP itself. If wired clients use DHCP address mode, they can get IP addresses assigned by a DHCP server behind the WAN port.
Example configuration:

config wireless-controller wtp-profile
  edit "FAP231G-LAN"
    config platform
      set type 231G
    end
    set wan-port-mode wan-lan
    config lan
      set port-mode bridge-to-wan
    end
  next
end

For configuration instructions, see Configuring FortiAP LAN ports.

Bridging a LAN port with an SSID

Bridging a LAN port with an SSID on the same FortiAP combines traffic from both sources to provide a single broadcast domain for wired and wireless users.

In this configuration:

  • The LAN port and the SSID interface work together as a layer-2 bridge.
  • The SSID security mode or wireless authentication does not apply to wired clients accessing the LAN port. Wired clients are allowed by default, or undergo MAC-address based authentication configured per LAN port. For information on configuring MAC address authentication, see MAC Authentication for LAN port hosts.
  • Wired client traffic follows the VLAN ID assignment of the SSID interface. For static VLANs, wired client traffic has no VLAN tag when the SSID VLAN ID is 0 (by default), or it is tagged with the SSID VLAN ID (range 1 to 4094).
  • When the SSID traffic mode is Tunnel, wired LAN clients are in the same subnet as the SSID (or its subordinate VLAN) interface on the FortiGate. If wired clients use DHCP address mode, they can get IP addresses from the DHCP server configured under the SSID (or sub VLAN) interface on the FortiGate.
  • When the SSID traffic mode is Bridge, wired client traffic (with or without a VLAN tag) is bridged locally to the FortiAP WAN port, while the WAN port works as a trunk port. If wired clients use DHCP address mode, they can get IP addresses assigned by a DHCP server behind the WAN port (no VLAN tag) or the corresponding VLAN segment (VLAN tagged).
Example configuration:

config wireless-controller vap
  edit "ssid-tunnel"
    set ssid "ssid-tunnel"
    set security wpa3-sae
    set sae-password ********
  next
  edit "ssid-bridge"
    set ssid "ssid-bridge"
    set security wpa3-sae
    set sae-password ********
    set local-bridging enable
    set vlanid 100
  next
end
config wireless-controller wtp-profile
  edit "FAP23JF-LAN"
    config platform
      set type 23JF
    end
    config lan
      set port1-mode bridge-to-ssid
      set port1-ssid "ssid-tunnel"
      set port2-mode bridge-to-ssid
      set port2-ssid "ssid-bridge"
    end
  next
end

The "port1" LAN traffic has no VLAN tag and is sent to the FortiGate through a CAPWAP-data tunnel the same way as the "ssid-tunnel" SSID traffic.

The "port2" LAN traffic is bridged to the local network out of the FortiAP WAN port and is tagged with VLAN ID 100. For wired clients, the vlanid setting of a local-bridging SSID is what determines how their traffic is bridged locally and which VLAN ID it is tagged with, which matters most when the required VLAN differs from the FortiAP's own AP_MGMT_VLAN_ID.

For configuration instructions, see Configuring FortiAP LAN ports.
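The forwarding and VLAN rules described in the two bridging sections above (bridge-to-wan and bridge-to-ssid), as an added example that is not part of Fortinet's documentation or product code: a Python script that parses the FortiOS CLI text shown on this page and reports, per LAN port, where wired-client traffic goes, which VLAN tag it carries, and whether anything authenticates the wired client. The sample config is the page's own "FAP23JF-LAN" example with a constructed port3 in bridge-to-wan mode added; AP_MGMT_VLAN_ID is a FortiAP-side setting that the FortiGate configuration does not carry, so it is passed in as a parameter (an assumed value in the sample run). The parser understands only the config/edit/set/next/end forms used on this page.

```python
"""Summarise FortiAP LAN-port bridging from FortiOS CLI text (added example, not Fortinet code)."""
import re
import shlex

# Constructed sample: the page's "FAP23JF-LAN" example plus an added port3 in bridge-to-wan mode.
SAMPLE_CONFIG = """\
config wireless-controller vap
  edit "ssid-tunnel"
    set ssid "ssid-tunnel"
    set security wpa3-sae
    set sae-password ********
  next
  edit "ssid-bridge"
    set ssid "ssid-bridge"
    set security wpa3-sae
    set sae-password ********
    set local-bridging enable
    set vlanid 100
  next
end
config wireless-controller wtp-profile
  edit "FAP23JF-LAN"
    config platform
      set type 23JF
    end
    config lan
      set port1-mode bridge-to-ssid
      set port1-ssid "ssid-tunnel"
      set port2-mode bridge-to-ssid
      set port2-ssid "ssid-bridge"
      set port3-mode bridge-to-wan
    end
  next
end
"""


def parse_fortios(text):
    """Parse FortiOS-style CLI text into nested dicts.

    `config X` and `edit N` open a nested dict, `set K V` stores a setting,
    `next` and `end` close the current level. Quoted values are unquoted.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = shlex.split(line)
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(args), {})
            stack.append(child)
        elif cmd == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def lan_port_summary(cfg, profile_name, ap_mgmt_vlan_id=0):
    """Apply the page's rules to each LAN port of a wtp-profile.

    bridge-to-wan : traffic exits the WAN port tagged with AP_MGMT_VLAN_ID (0 = untagged),
                    and the wired client is not authenticated.
    bridge-to-ssid: traffic follows the SSID vlanid (0 = untagged); a Tunnel-mode SSID
                    carries it over CAPWAP, a local-bridging SSID bridges it out the WAN port.
    """
    vaps = cfg.get("wireless-controller vap", {})
    lan = cfg["wireless-controller wtp-profile"][profile_name].get("lan", {})
    summary = {}
    for key, mode in lan.items():
        match = re.fullmatch(r"(port\d*)-mode", key)  # "port-mode" or "portN-mode"
        if not match:
            continue
        port = match.group(1)
        if mode == "bridge-to-wan":
            summary[port] = {"mode": mode, "path": "wan-port", "vlan": ap_mgmt_vlan_id,
                             "wired_auth": "none"}
        elif mode == "bridge-to-ssid":
            ssid_name = lan.get(f"{port}-ssid")
            vap = vaps.get(ssid_name, {})
            local = vap.get("local-bridging") == "enable"
            summary[port] = {"mode": mode, "ssid": ssid_name,
                             "path": "wan-port (local bridge)" if local else "capwap-tunnel",
                             "vlan": int(vap.get("vlanid", 0)),
                             "wired_auth": "none unless per-port MAC auth is configured"}
        else:
            summary[port] = {"mode": mode}
    return summary


def report(summary):
    """One human-readable line per LAN port."""
    lines = []
    for port, info in sorted(summary.items()):
        vlan = info.get("vlan", 0)
        tag = "untagged" if vlan == 0 else f"VLAN {vlan}"
        lines.append(f"{port}: {info['mode']} -> {info.get('path', '?')}, {tag}, "
                     f"wired auth: {info.get('wired_auth', '?')}")
    return lines


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    # AP_MGMT_VLAN_ID=0 is assumed here (the FortiAP default per this page).
    for line in report(lan_port_summary(cfg, "FAP23JF-LAN", ap_mgmt_vlan_id=0)):
        print(line)
```

Run against a profile for a single-LAN-port model such as the "FAP231G-LAN" example, the regex also matches the unnumbered port-mode key, so the same summary works for both profile styles. The "wired_auth" field is the point a reviewer should read first: a bridge-to-wan port admits any wired device into the management VLAN of the AP, and a bridge-to-ssid port bypasses the SSID's WPA3 authentication entirely unless MAC authentication is enabled on that port.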

Configuring FortiAP LAN ports

You can configure FortiAP LAN ports for APs through a FortiAP Profile. A profile applies to APs that are the same model and share the same configuration. If you have multiple models or different configurations, you might need to create several FortiAP Profiles. You can also override FortiAP Profile configurations by editing the individual AP directly.

Configuring FortiAP LAN ports using profiles

FortiAP profiles apply configurations to multiple APs of the same model.

To configure FortiAP LAN ports - GUI:
  1. If your FortiAP unit has LAN ports, but no WAN ports, enable LAN port options in the CLI. See Configuring a port to WAN-LAN operation mode.
  2. Go to WiFi and Switch Controller > FortiAP Profiles.
  3. Edit the default profile for your FortiAP model or select Create New.
  4. If you are creating a new profile, enter a Name and select the correct Platform (model).
  5. Select SSIDs.
  6. In the LAN Port section, set Mode to Bridge to and select an SSID or WAN Port as needed.

    On some models with multiple LAN ports, you can set Mode to Custom and configure the LAN ports individually. Enable each port that you want to use and select an SSID or WAN Port as needed.

  7. Select OK.

Be sure to select this profile when you authorize your FortiAP units.

To configure FortiAP LAN ports - CLI:

In this example, the default FortiAP-23JF profile is configured to bridge LAN port1 to the office SSID and to bridge the other LAN ports to the WAN port.

config wireless-controller wtp-profile
  edit "FAP23JF-default"
    config platform
      set type 23JF
    end
    config lan
      set port1-mode bridge-to-ssid
      set port1-ssid "office"
      set port2-mode bridge-to-wan
      set port3-mode bridge-to-wan
    end
  next
end

In this example, the default FortiAP-231G profile is configured to bridge the LAN port to the office SSID.

config wireless-controller wtp-profile
  edit "FAP231G-default"
    config platform
      set type 231G
    end
    set wan-port-mode wan-lan
    config lan
      set port-mode bridge-to-ssid
      set port-ssid "office"
    end
  next
end

Configuring individual FortiAP LAN ports

For an individual AP, you can override the FortiAP profile settings by editing device configurations directly.

To override FortiAP Profile LAN port configurations - GUI:
  1. Go to WiFi and Switch Controller > Managed FortiAPs.
  2. Select the FortiAP unit from the list and select Edit.
  3. Select the FortiAP Profile, if this has not already been done.
  4. In the LAN Port section, select Override.
    The options for Mode are shown.
  5. Set Mode to Bridge to and select an SSID or WAN Port as needed.
    On some models with multiple LAN ports, you can set Mode to Custom and configure the LAN ports individually. Enable and configure each port that you want to use.
  6. Select OK.
To override FortiAP Profile LAN port configurations - CLI:

In this example, a FortiAP unit's configuration overrides the FortiAP Profile to bridge the LAN port to the office SSID.

config wireless-controller wtp
  edit "FP231GTF22000022"
    set admin enable
    set wtp-profile "FAP231G-default"
    set override-wan-port-mode enable
    set wan-port-mode wan-lan
    set override-lan enable
    config lan
      set port-mode bridge-to-ssid
      set port-ssid "office"
    end
  next
end

Verifying wired clients connected to FortiAP LAN ports

Once the FortiGate and FortiAP have WAN-LAN operation and LAN Port Mode options configured, you can verify and collect data about connected wired clients such as their mode of connection, Tx/Rx rate, authentication status, and OS details. The information is displayed in the FortiGate CLI using diagnose wireless-controller wlac -c lan-sta.

Note

The FortiAP LAN1 port must be connected to the FortiGate.

The FortiAP LAN2 port must be connected to the wired clients, either directly to the LAN2 port or through a switch connected to LAN2.

# diagnose wireless-controller wlac -c lan-sta
-------------------------------LAN STA    1----------------------------
LAN STA mac     : 00:24:9b:79:df:48 (0-1.1.1.2:5246)
    pId         : 0  BR-TO-TUN-SSID Example_SSID
    vlan        : 0
    macauth     : No
    ip          : 95.1.1.2  ARP  48 seconds
    ip6         : fe80::ddaa:41b0:4633:30dd  ARP  4945 seconds  666 pkts
    host info   : VAN-301127-PC1
    vci info    : MSFT 5.0
    os info     : Windows
    uplink      : 226.00bps 33637 pkts 7221244 bytes 9 seconds
    downlink    : 31.00bps 29085 pkts 15442358 bytes 9 seconds
-------------------------------Total    1 LAN STAs----------------------------
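Parsing that diagnostic output into records, as an added example that is not part of Fortinet's documentation or product code: a Python script that turns each "LAN STA" record of diagnose wireless-controller wlac -c lan-sta into a dict and lists the wired clients that were admitted without MAC authentication, which is the first thing to check on a bridged LAN port. The first station is the record shown above; the second is constructed (documentation MAC and IP ranges) to exercise the macauth Yes path. The field layout is assumed to be exactly what the page shows.

```python
"""Parse `diagnose wireless-controller wlac -c lan-sta` output (added example, not Fortinet code)."""
import re

# Constructed sample: station 1 is the record shown on this page, station 2 is invented
# (RFC 7042 documentation MAC, RFC 5737 TEST-NET address) to show an authenticated client.
SAMPLE_OUTPUT = """\
-------------------------------LAN STA    1----------------------------
LAN STA mac     : 00:24:9b:79:df:48 (0-1.1.1.2:5246)
    pId         : 0  BR-TO-TUN-SSID Example_SSID
    vlan        : 0
    macauth     : No
    ip          : 95.1.1.2  ARP  48 seconds
    ip6         : fe80::ddaa:41b0:4633:30dd  ARP  4945 seconds  666 pkts
    host info   : VAN-301127-PC1
    vci info    : MSFT 5.0
    os info     : Windows
    uplink      : 226.00bps 33637 pkts 7221244 bytes 9 seconds
    downlink    : 31.00bps 29085 pkts 15442358 bytes 9 seconds
-------------------------------LAN STA    2----------------------------
LAN STA mac     : 00:00:5e:00:53:01 (0-1.1.1.2:5246)
    pId         : 1  BR-TO-TUN-SSID Example_SSID2
    vlan        : 100
    macauth     : Yes
    ip          : 192.0.2.10  ARP  12 seconds
    host info   : LAB-PRINTER
    os info     : Linux
-------------------------------Total    2 LAN STAs----------------------------
"""

STA_HEADER = re.compile(r"^-+LAN STA\s+(\d+)-+$")
MAC_LINE = re.compile(r"^LAN STA mac\s*:\s*([0-9a-f:]{17})\s*\((.*)\)$")


def parse_lan_sta(text):
    """Return one dict per LAN STA record, keyed by the field names in the output."""
    stations, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = STA_HEADER.match(line)
        if head:
            cur = {"index": int(head.group(1))}
            stations.append(cur)
            continue
        if cur is None or line.startswith("-"):
            continue  # preamble, or the "Total N LAN STAs" trailer
        mac = MAC_LINE.match(line)
        if mac:
            cur["mac"] = mac.group(1)
            cur["ap_capwap_addr"] = mac.group(2)  # the FortiAP's CAPWAP address as printed
            continue
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key == "pId":
            # "0  BR-TO-TUN-SSID Example_SSID": LAN port id, bridge type, bridge target
            parts = val.split()
            cur["port_id"] = int(parts[0])
            cur["bridge"] = parts[1] if len(parts) > 1 else ""
            cur["bridge_target"] = parts[2] if len(parts) > 2 else ""
        elif key == "vlan":
            cur["vlan"] = int(val)
        elif key in ("ip", "ip6"):
            cur[key] = val.split()[0]  # drop the ARP age and packet counters
        else:
            cur[key] = val
    return stations


def unauthenticated(stations):
    """Wired clients admitted without per-port MAC authentication."""
    return [s for s in stations if s.get("macauth", "").lower() != "yes"]


def describe(sta):
    """Compact one-line summary of a station for an inventory listing."""
    vlan = sta.get("vlan", 0)
    tag = "untagged" if vlan == 0 else f"VLAN {vlan}"
    return (f"{sta['mac']} host={sta.get('host info', '?')} os={sta.get('os info', '?')} "
            f"ip={sta.get('ip', '?')} port={sta.get('port_id')} {sta.get('bridge')} "
            f"{sta.get('bridge_target')} {tag} macauth={sta.get('macauth')}")


if __name__ == "__main__":
    stations = parse_lan_sta(SAMPLE_OUTPUT)
    print(f"{len(stations)} wired client(s) on FortiAP LAN ports")
    for sta in stations:
        print("  " + describe(sta))
    for sta in unauthenticated(stations):
        print("  no MAC auth: " + describe(sta))
```

Feeding the real command output into parse_lan_sta (for example, captured over SSH and saved to a file) gives a per-AP inventory of wired devices with their host name, OS guess, VLAN and authentication status, which can be diffed over time or matched against an asset list.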
