Setting up a guest VLAN on a Fortinet Fortigate 60E and Ubiquiti controller

Hi Mate,

i tried to create a VLAN for my guest network and follow the tutorial on the video,

but i was not able to tag my created profile in the ubiquiti controller as VLAN as it is diasble.

my equipments

-Fortinet Fortigate Firewall
-HP Switch

-Ubiquiti Controller and access point

do i need to create a VLAN on my HP switch?

thanks :slight_smile:

It’s likely you will need to define the VLAN in the HP switch so it will pass the traffic.

is this possible? because the AP would be also connected with my main network. i like to create the VLAN for the guest wifi.

We have 3 switches

DLink 48 Port Gigabit, POE, DGS-1210-52MP

DLINK 48 Port Gigabit DGS-1210-52

HP Switch 2920-48G 1000base switch

do i need to configure the VLAN in every switch or just the port where i would put the unifi controller?

Your AP device will need an IP on your main vlan, when guests connect to the AP they will get a wireless connection but no internet, which is correct. You’ll need to add a rule on your guest vlan to access the AP and the port running your captive portal if you are using one. All the other vlans ought to just work with your existing rules if you just map them to your SSIDs.

1 Like

i already setup all the profile and network in the firewall and AP. i think i just need to configure the switch side. what port in the switch should i choose as “tagged or untagged”?

I have almost the exact setup in my office. FortiGate >>> HP Switch >>> Ubiquiti AP. You will need to setup the VLAN tags on the port the AP in plugged in as well as the port plugged into the FortiGate. Once the VLAN ‘path’ is set then you can manage the guest VLAN from Fortigate. The only other thing I also do is have a user profile setup in the Ubiquiti controller that limits bandwidth to 50/50.

1 Like

Bro,

for example i have a VLAN_id =100 then the port which we will plugged the AP will set vlan_id = 100 and marked it as “tagged”? because i also have two AP.

This is the diagram. and i just found out that the dlink switch has an IP of 10.90.90.90 should i change to the same as 192…?

The IP of the Dlink shouldn’t cause any issues with routing, just harder to manage if you are on another network than it.

You need to ensure the VLAN path/network is complete all the way back to the router. I tried to circle in blue each port that should be tagged with VLAN 100 to allow traffic back to the router.

1 Like

should i also tag those port as untagge vlan id =1 ?

Untagged 1 is the default and yes you will need that for non-guest traffic over you APs