FortiAP Bridge and Tunnel Mode
Fortinet
An access point is a useful thing. It allows us to stay in contact with the network even at greater distances, but it is the configuration that matters. Bridge mode and tunnel mode sound nice, but what is the difference between them and what does each mode do? Learn everything you need to know about setting up your FortiAPs in this article.
What is Bridge/Tunnel Mode?
When you set up a Fortinet access point, you can choose between two modes, Tunnel Mode or Bridge Mode. Tunnel Mode is the default. In Tunnel Mode, the wireless network is kept in a separate network from the wired one. To use all ports, Bridge Mode must be enabled, which allows the FortiAP to share the same subnet between the wireless and wired networks. This bridge-like connection between the two networks is what gives bridge mode its name.
What are the advantages and disadvantages of tunnel and bridge mode?
As already mentioned, not all channels are available in tunnel mode, due to its strict separation of the LAN and WLAN connections. However, that separation also provides stronger protection against attackers: depending on which of the two networks is attacked, the other one remains available for secured traffic. In bridge mode, this protection is lost because the wireless and wired networks are joined, but in addition to using all channels, you can also manage more access points, which allows for more extensive use.
How do I set up my new FortiAP in Bridge Mode?
To do this, go to Network in your FortiGate and then to Interfaces, where you select and edit a LAN interface. Set the addressing mode to Manual and enter the IP address and the network mask. Check the box "CAPWAP" under Administrative Access. Use a ping to test whether the interface is already reachable. Activate the DHCP server and, under Networked Devices, enable Device Detection and Active Scanning. Then connect your FortiGate unit to the access point via LAN. You will find the FortiAP listed in WiFi & Switch Controller, under Managed FortiAPs. Since you usually use a new access point for this procedure, the column shows you that the device is not yet authorised. By default, new FortiAPs are added to this list but not authorised; this is remedied with a simple right-click. Select the corresponding AP and confirm the authorisation in the field that appears. Initially, the access point will disappear from the list, but if you reload the page after a few minutes, the FortiAP will reappear with the desired setting. Next, you need to check that the firmware of your access point is up to date. If your system shows that a new version is available, it is best to download it directly from FortiGuard itself.
Now we come to the actual setup of bridge mode. To do this, you need to create a new SSID in WiFi & Switch Controller under SSID. Set the Traffic Mode to Bridge so that this SSID is bridged locally at the access point. Enter a name and set the Security Mode to your desired setting. Make sure you use a secure key consisting of numbers, upper and lower case letters and special characters.
After that, you only need to make your access point available for wireless Internet access. To do this, select Policies & Objects and, under IPv4 Policy, create a new policy. Enter the SSID of your newly created AP as the Incoming Interface and the FortiGate interface that leads to the Internet as the Outgoing Interface. Finally, confirm that network address translation (NAT) should be enabled.
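The following FortiOS CLI configuration is an added example, not taken from the article or from Fortinet; it reproduces the GUI steps above from the command line and places the default tunnel-mode SSID next to the bridge-mode SSID so the difference between the two modes described earlier is visible in the settings themselves. Interface names (port3, wan1), addresses, SSID names, the AP serial number and the passphrase are constructed placeholders. For the bridge-mode policy, the wired interface the FortiAP is cabled to is used as the source interface, on the assumption that bridged wireless clients appear on that subnet; the tunnel-mode policy uses the SSID interface as the article describes.

```fortios
# Added example: FortiOS CLI form of the GUI procedure in this article.
# All names, ports, addresses and the serial number are placeholders.

# 1. LAN interface the FortiAP is cabled to: static address, ping and
#    CAPWAP allowed for management access, device detection enabled.
config system interface
    edit "port3"
        set mode static
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping capwap
        set device-identification enable
    next
end

# 2. DHCP server on that interface: serves the FortiAP and, in bridge
#    mode, the wireless clients that share the same subnet.
config system dhcp server
    edit 1
        set interface "port3"
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.10.100
                set end-ip 192.168.10.200
            next
        end
    next
end

# 3. Authorise the discovered FortiAP (serial number is a placeholder).
config wireless-controller wtp
    edit "FAP-SERIAL-PLACEHOLDER"
        set admin enable
    next
end

# 4a. Default for comparison: tunnel mode. Wireless traffic is tunnelled
#     to the FortiGate and lives in its own subnet, separate from the LAN.
config wireless-controller vap
    edit "wifi-tunnel"
        set ssid "Example-Tunnel"
        set local-bridging disable
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-A-STRONG-PASSPHRASE"
    next
end
config system interface
    edit "wifi-tunnel"
        set ip 10.10.20.1 255.255.255.0
    next
end

# 4b. Bridge mode as set up in the article: local-bridging makes the
#     FortiAP switch wireless clients straight onto its wired subnet.
config wireless-controller vap
    edit "wifi-bridge"
        set ssid "Example-Bridge"
        set local-bridging enable
        set security wpa2-only-personal
        set passphrase "REPLACE-WITH-A-STRONG-PASSPHRASE"
    next
end

# 5. Internet access with NAT. Tunnel SSID: the SSID interface is the
#    source. Bridge SSID: clients arrive on port3, so the wired interface
#    is the source (assumption made for this example).
config firewall policy
    edit 0
        set name "tunnel-wifi-to-internet"
        set srcintf "wifi-tunnel"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "bridge-lan-to-internet"
        set srcintf "port3"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The contrast worth noting is in step 4: the tunnel-mode SSID carries its own IP on the FortiGate and every wireless packet crosses a firewall policy before it can reach the wired LAN, whereas the bridge-mode SSID has no address of its own and its clients are indistinguishable from wired hosts on port3, which is exactly the lost separation the article refers to.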
Marcel Zimmer is the Technical Managing Director of EnBITCon. During his time in the German Armed Forces, the trained IT developer was able to gain numerous project experiences. His interest in IT security was significantly awakened by his service in command support. Even after his service, he is an active reservist in the Bundeswehr.
His first firewall was a Sophos UTM 120, which he had to set up for a customer project. Since then, his interest in IT security has grown steadily. In the course of time, various security and infrastructure topics have come into his focus. His most interesting projects included, for example, WLAN coverage in an explosion-proof area, as well as a multi-site WLAN solution for a large