Description
This article describes the distinction between SSIDs in Local Bridge and Tunnel modes.
Scope
FortiAP 5.x or earlier.
FortiOS 6.x or earlier.
Solution
Client traffic comparison
Bridge Mode (Local Bridge):
- How it Works: In Bridge mode, the SSID is like a bridge between the wireless and wired networks. It allows wireless devices to be part of the same network as wired devices. See how to configure one Bridge SSID on FortiGate here:Technical Tip: How to create a new Bridge SSID with its VLAN dedicated for users. In bridged mode, the AP sends the client's traffic to the edge switch port servicing the AP. Then, the traffic gets switched and/or routed to the wired network until it reaches its destination. The allowed VLAN should be configured on the edge switch as needed.
- What does work:
- All devices, wired and wireless, are in the same local network.
- Devices can easily communicate with each other.
- Useful for simple, flat network setups.
- What does not work:
- Traffic from wireless devices still needs to go through the local network router.
- Limited control over wireless traffic, which can impact performance and security.
- Not ideal for large or complex networks.
- While performing client debugs on FortiGate (diagnose wireless-controller wlac sta_filter <mac> 255) the output will only show the authentication process, leaving unknown the DHCP messages. This traffic can be sniffed by running a debug on the VLAN interface.
- Performance: Good for small networks, but as the network grows, it can become congested and less efficient. If the network is not congested, it will be able to handle a higher latency compared to tunnel mode.
Tunnel Mode:
- How it works: In Tunnel mode, the SSID creates a separate network (like a tunnel) for wireless devices. All wireless traffic is encapsulated, encrypted (if configured), then sent to the central device (FortiGate) for processing. In fact, a new interface will be created on FortiGate with the SSID name. This will behave as a FortiGate VLAN. See how to configure one Tunnel SSID on FortiGate here:Defining a wireless network interface (SSID). Only the management VLAN can be configured on the edge switch.
- What does work:
- Enhanced security: All traffic is inspected and controlled at the FortiGate.
- Better isolation: Wireless devices are separated from the wired network.
- Easier to manage: Granular control over traffic and policies.
- Ideal for larger, more complex networks.
- What does not work:
- Devices on the wireless network cannot directly communicate with devices on the wired network without going through the central firewall.
- Performance: Generally delivers better security for larger and more secure network setups. Latency may be slightly higher than usual: due to the flow, the traffic must pass through FortiGate.
Recommendation:
- If it is needed simplicity and all devices on the same network, bridge mode can work well for smaller setups.
- For larger networks with stricter security and traffic control requirements, tunnel mode is recommended. It allows for better management, security, and scalability.
It is important to choose the mode that best suits the network's needs and security requirements. If unsure, reach out to the local Sales Engineer to design the solution that best suits the need or create a new ticket with the Technical Assistance Center through FortiCare.
