The other day I had the need to plug a Ruckus Wireless access point (AP) directly into a FortiGate firewall. The client only needed one AP, and connecting directly into one of the ports on the FortiGate was the best design. Power over Ethernet was provided by an injector, which worked out great, and I did this in FortiOS 5.2.
However, the question came up on how to create the VLAN interface when directly connecting the device into FortiGate.
In this example I will create the VLAN on the internal switch, labeled “lan”, and control the VLAN from the Ruckus ZoneDirector controller, creating two separate logical interfaces: Internal and Staff-Wireless, my newly created VLAN. These two interfaces will require IPV4 policies to allow communication. If you have a lot of VLANs, it may be a great idea to utilize Zones in your firewall to reduce the number of policies.
VLAN Creation in FortiGate
First, let’s create the VLAN for “Staff-Wifi” VLAN 200. You can just create:
Then put in the needed information:
The below shows the status of the interface:
Notice the VLAN ID – right click the column settings and enable it.
That’s it! The Ruckus AP will tag “Staff-Wireless” traffic as VLAN 200. So, when the FortiGate sees the VLAN tag of 200 on any ports in the LAN switch, it will be treated as Staff-Wifi, thus getting all of its network and policies.
To make the AP work correctly, it needs to be plugged directly into the FortiGate or a switch behind it that has the VLAN created and that VLAN would need to be tagged on both the AP and uplink to FortiGate.
Below shows the advanced options of my Ruckus ZoneDirector:
Remember that the VLAN 200 is being tagged for Staff-Wifi. AP management traffic is untagged, so it would be on my “LAN” switch network.