In my previous post I wrote about how an unmanaged layer 2 switch was possibly the culprit behind the AP failures. My solution is to connect the APs directly to the Fortigate firewall. Since our topology is simple, it only requires a simple solution. In this post I will walk through that solution step by step.

There is already an official document from Fortinet on how to do this. However, it only explains how to connect one AP to the Fortigate. If you are trying to connect dozens of APs directly to the Fortigate, it makes no sense to use a separate subnet and DHCP server for each interface an AP connects to. Still, the document provides some great information and it’s a good idea to read it, as I won’t be covering how to create a WiFi SSID interface or a FortiAP Profile.


Assuming we have 2 APs connecting to Fortigate port2 and port3:

1.	On the FortiGate unit, go to Network > Interfaces.
2.	Edit the interface that the FortiAP unit connects to.
3.	Make sure that Role is LAN.
4.	In Addressing mode, select Manual.

Following the official document, steps 1-4 are the same for port2 and port3. But we won’t configure an IP address or DHCP server on the individual interfaces.

Instead, the trick is to create them on an additional Software Switch Interface. We will use two DHCP servers and subnets in this scenario: 192.168.100.0/24 for the APs, and 192.168.200.0/24 for the WiFi clients.

In the following steps we use the subnet 192.168.100.0/24. The DHCP server here provides IP addresses for the APs, not the WiFi clients.

1.	Go to Network > Interfaces > Create New and select Interface
2.	Enter the Name
3.	Select the Type **Software Switch** and Role LAN
4.	Under Address section, enter the IP/Netmask: 192.168.100.1/24.
5.	For *Interface members*, select the interfaces the APs are connecting to. In this case, it's port2 and port3.
6.	Under the Administrative access section, be sure to check *Security Fabric Connection*, as this option enables the CAPWAP protocol.
7.	Enable the *DHCP Server* option, and enter the Address range 192.168.100.2-192.168.100.254 as well as the Netmask 255.255.255.0.

Next, we will create a VLAN interface with VLAN ID 101, as well as a DHCP server, to provide IP addresses for the WiFi clients.

1.	Go to Network > Interfaces > Create New and select Interface
2.	Enter the Name
3.	Select the Type VLAN and Role LAN
4.	For Interface, select the Software Switch Interface created above.
5.	Enter 101 as the VLAN ID.
6.	Under the Address section, enter the IP/Netmask: 192.168.200.1/24.
7.	Enable the *DHCP Server* option, and enter the Address range 192.168.200.2-192.168.200.254 as well as the Netmask 255.255.255.0.

So, now that we have a DHCP server on VLAN 101, how do we assign the clients to VLAN 101 so that they can reach the DHCP server and obtain an IP address?

1.	Go to Network > Interfaces
2.	Edit the WiFi SSID interface that the FortiAP is using
3.	Under WiFi Settings, change *Optional VLAN ID* to 101.

That's it. Last but not least, you may want to create a firewall policy to allow the WiFi clients to access the internet. Just a few things to note:

  • The Incoming interface is the VLAN interface, not the Software Switch Interface
  • The Software Switch Interface and the AP subnet, 192.168.100.0/24, do not need to be allowed in that policy for clients to reach the internet
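The same setup expressed as a FortiOS CLI script, added here as an example rather than taken from the post above or from Fortinet's documentation. It assumes FortiOS 6.2 or later (where the GUI's Security Fabric Connection option is the `fabric` keyword in `allowaccess`), that port2 and port3 are the AP ports, that DHCP server IDs 1 and 2 are unused, and that the existing SSID interface is named guest-ssid; the names ap-switch and wifi-clients are my own.

```fortios
# Software switch bundling the AP-facing ports (assumed names: port2, port3)
config system switch-interface
    edit "ap-switch"
        set vdom "root"
        set member "port2" "port3"
    next
end
config system interface
    edit "ap-switch"
        set ip 192.168.100.1 255.255.255.0
        # fabric = GUI "Security Fabric Connection", carries CAPWAP from the APs
        set allowaccess ping fabric
    next
    edit "wifi-clients"
        set vdom "root"
        set interface "ap-switch"
        set vlanid 101
        set ip 192.168.200.1 255.255.255.0
    next
end
config system dhcp server
    edit 1
        set interface "ap-switch"
        set default-gateway 192.168.100.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.100.2
                set end-ip 192.168.100.254
            next
        end
    next
    edit 2
        set interface "wifi-clients"
        set default-gateway 192.168.200.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.200.2
                set end-ip 192.168.200.254
            next
        end
    next
end
# Tag the SSID's client traffic into VLAN 101 (assumed SSID name)
config wireless-controller vap
    edit "guest-ssid"
        set vlanid 101
    next
end
```

The internet-access firewall policy then uses wifi-clients as its source interface, in line with the note above; nothing needs to reference ap-switch or 192.168.100.0/24.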