Bridging Physical and Wireless Interfaces with Software Switch

Configuration Example

Introduction

Introduced in FortiOS 3.0 MR6, a software switch is a type of interface that can be configured to form a bridge
between two or more physical or wireless FortiGate interfaces. Once physical and wireless interfaces are
added to a software switch interface, they become member interfaces and can no longer be addressed as
individual interfaces. For the most part, a software switch interface functions like a normal interface: it
can be configured with a single IP address, it can be added to a zone, and it can be referenced in
firewall policies. It should be noted, however, that software switch interfaces have some limitations, as described
in “Deployment Considerations”.

This document illustrates the steps to configure a software switch interface to bridge a physical and a wireless
interface, forming a single broadcast domain (Layer 2 segment). This configuration is useful in environments
where applications require physical and wireless users to be in the same Layer 2 segment. While using a software
switch interface is a viable solution, it is critical to understand the security and performance implications of
bridging physical and wireless interfaces into a single broadcast domain. These are discussed next in
“Deployment Considerations”.

Deployment Considerations
The following are important aspects that should be understood prior to using a software switch interface to bridge
physical and wireless interfaces:
• Bridging a physical and a wireless interface merges two broadcast domains into one, making the resulting segment
more vulnerable to broadcast and multicast storms.
• Bridging a physical and a wireless interface goes against the common security best practice of
keeping the wireless and wired infrastructures separated. Connecting physical and wireless segments
together means traffic may be forwarded between the two media types, increasing the opportunities for
interception, redirection and replay attacks.
• Traffic handled by a software switch interface is CPU-processed and not hardware-accelerated.
• Software switch member interfaces cannot be monitored by HA or be used as HA heartbeat devices.

Requirements
A FortiWiFi or FortiGate appliance running FortiOS 3.0 MR6 or later is required to configure a software switch
interface.

This configuration example uses a FortiGate 50B (FortiOS 4.0 MR3-build0441) and FortiAP 220B (v4.0-build212).
The same configuration procedure has been successfully tested with a FortiWiFi 60C (FortiOS 4.0 MR3-build0441)
and FortiAP 220A (v4.0-build214).

Network Diagram
The diagram below illustrates the network topology used. The wan2 physical interface of the FG-50B connects to
the Internet, while the internal physical interface connects to a physical switch in the internal network
(192.168.40.5/24). The FortiAP connects to the same internal switch serving the internal users. The wireless
interface is configured with the SSID Interna_Wifi.

Figure 1 – Network Diagram


Configuration Procedure
The configuration procedure includes the following steps:
• Create software switch interface
• Configure DHCP server and scope to be shared by the wired and wireless devices
• Configure the necessary firewall policies for the wired and wireless users
• Verify configuration is working as expected

Note: The configuration procedure in this example assumes that the wireless interface and SSID have been
already configured, and that the FortiAP is configured and connected to the wireless controller on the FortiGate
appliance.

Figure 2 – FortiGate Interfaces (before Software Switch configuration)

Step 1 – Create Software Switch Interface

The first step is to create the software switch interface, assign it an interface name and configure an IP address.
Using the web-based manager go to System > Network > Interface and click on Create New.

Note: Only physical and wireless interfaces that are not already in use can be added to a software switch.

Figure 3 shows the software switch interface configuration used in our example, called “InternalNetwork”. The software
switch interface is associated with the “Interna_Wifi” wireless interface and the “internal” physical interface. The
software switch interface is configured with a static IP address of “192.168.50.1”. Administrative access is enabled for
HTTPS, PING and SSH.

Figure 3 – Software Switch Interface

The same configuration can be done using the FortiOS CLI:

    config system switch-interface
        edit InternalNetwork
            set type switch
            set member Interna_Wifi internal
        next
    end

    config system interface
        edit InternalNetwork
            set ip 192.168.50.1 255.255.255.0
            set allowaccess ping https ssh
            set type switch
        next
    end

Step 2 – Configure a DHCP Server

Create a DHCP server and address scope to be shared by wired and wireless users. Associate the DHCP server
with the software switch interface you configured in the previous step. Using the web-based manager go to System >
Network > DHCP Server and click on Create New.

This configuration is shown in the figure below. A DHCP pool of IP addresses is defined as 192.168.50.10 to
192.168.50.200, and the default gateway is set to the IP address assigned to the software switch interface, which
is 192.168.50.1.

Figure 4 – DHCP Server

The same steps using the FortiOS CLI:

    config system dhcp server
        edit 0
            set default-gateway 192.168.50.1
            set dns-service default
            set interface InternalNetwork
            config ip-range
                edit 0
                    set start-ip 192.168.50.10
                    set end-ip 192.168.50.200
                next
            end
            set netmask 255.255.255.0
        next
    end

Step 3 – Configure Firewall Policy


The appropriate firewall policies need to be configured in order to allow wired and wireless users to access the
Internet or other resources. Using the web-based manager go to Firewall > Policy and click on Create New.

In this example a firewall policy is defined allowing any traffic from the internal network (Network_192.168.50.0) to
any destination on the wan2 interface connecting towards the Internet. NAT is also enabled, as shown in Figure 5.

Figure 5 – Firewall Policy

The same configuration using the FortiOS CLI:

    config firewall policy
        edit 0
            set srcintf InternalNetwork
            set dstintf wan2
            set srcaddr Network_192.168.50.0
            set dstaddr all
            set action accept
            set schedule always
            set service ANY
            set nat enable
        next
    end
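The three steps above, as an added example that is not part of the original document and not Fortinet's own tooling: a Python script that parses FortiOS-style CLI text and checks the points this page makes (switch members must not be reused as HA heartbeat or monitored interfaces, the DHCP scope and gateway must fit the switch interface's subnet, and policies must name the switch rather than a member). The embedded sample configuration is constructed from the page's own CLI steps plus a hypothetical "config system ha" block; the parser's view of the CLI (config/edit/set/next/end keywords, shell-style quoting) is an assumption, not a Fortinet API.

```python
"""Sanity checks for a FortiOS software-switch configuration (added example,
not Fortinet code). Parses FortiOS-style CLI text and verifies the page's
deployment considerations and the DHCP / policy wiring of Steps 1-3."""
import ipaddress
import shlex

# Constructed sample: the page's CLI steps plus a hypothetical 'config system
# ha' block that wrongly monitors the 'internal' switch member.
SAMPLE_CONFIG = """
config system switch-interface
    edit InternalNetwork
        set member Interna_Wifi internal
end
config system interface
    edit InternalNetwork
        set ip 192.168.50.1 255.255.255.0
end
config system dhcp server
    edit 1
        set default-gateway 192.168.50.1
        set interface InternalNetwork
        config ip-range
            edit 1
                set start-ip 192.168.50.10
                set end-ip 192.168.50.200
            next
        end
end
config firewall policy
    edit 1
        set srcintf InternalNetwork
        set dstintf wan2
end
config system ha
    set hbdev "wan2" 50
    set monitor "internal"
end
"""


def parse_fortios(text):
    """Nest 'config'/'edit' blocks as dicts; 'set K V...' -> node['_set'][K] = [V...]."""
    root = {}
    stack = [("config", root)]
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        kw, args, node = tok[0], tok[1:], stack[-1][1]
        if kw in ("config", "edit"):
            stack.append((kw, node.setdefault(" ".join(args), {})))
        elif kw == "set":
            node.setdefault("_set", {})[args[0]] = args[1:]
        elif kw == "next":
            stack.pop()
        elif kw == "end":  # closes the config and any 'edit' left open, as on this page
            while stack.pop()[0] != "config":
                pass
    return root


def _entries(table):
    return [(k, v) for k, v in table.items() if k != "_set"]


def switch_members(cfg):
    """Map software switch name -> list of member interface names."""
    return {name: node.get("_set", {}).get("member", [])
            for name, node in _entries(cfg.get("system switch-interface", {}))}


def check_ha_members(cfg):
    """Switch members that are also HA hbdev or monitor interfaces (should be [])."""
    ha = cfg.get("system ha", {}).get("_set", {})
    hb = set(ha.get("hbdev", [])[0::2])  # hbdev is name/priority pairs
    members = {m for ms in switch_members(cfg).values() for m in ms}
    return sorted(members & (hb | set(ha.get("monitor", []))))


def check_dhcp(cfg):
    """Problems with DHCP servers bound to a software switch (should be [])."""
    problems, ifaces = [], cfg.get("system interface", {})
    for sid, srv in _entries(cfg.get("system dhcp server", {})):
        s = srv.get("_set", {})
        ifname = s.get("interface", [""])[0]
        if ifname not in switch_members(cfg):
            continue
        ip, mask = ifaces.get(ifname, {}).get("_set", {}).get("ip", ["", ""])
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if s.get("default-gateway", [""])[0] != ip:
            problems.append(f"dhcp {sid}: gateway is not {ifname}'s IP {ip}")
        for rid, rng in _entries(srv.get("ip-range", {})):
            lo = ipaddress.ip_address(rng["_set"]["start-ip"][0])
            hi = ipaddress.ip_address(rng["_set"]["end-ip"][0])
            if lo > hi or lo not in net or hi not in net:
                problems.append(f"dhcp {sid} range {rid}: not inside {net}")
    return problems


def check_policies(cfg):
    """Policy IDs that still name a switch member as srcintf or dstintf."""
    members = {m for ms in switch_members(cfg).values() for m in ms}
    return [pid for pid, pol in _entries(cfg.get("firewall policy", {}))
            if members & (set(pol.get("_set", {}).get("srcintf", []))
                          | set(pol.get("_set", {}).get("dstintf", [])))]
```

Run against a real `show full-configuration` dump, `check_ha_members` is the one that matters before enabling HA: on the sample it reports `['internal']` because the constructed HA block monitors a switch member, while `check_dhcp` and `check_policies` come back empty.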

Step 4 – Verify Configuration

At this point wired and wireless users should be able to communicate, and to access the Internet.

A simple way to verify if the software switch interface configuration is working as expected is to check the DHCP
lease table. Both wired and wireless users should be given IP addresses in the same subnet, 192.168.50.0/24 in
our example.

To see the DHCP lease table using the web-based manager go to System > Monitor > DHCP Monitor.

Figure 6 – DHCP Monitor

Using the FortiOS CLI, use the following command:

    execute dhcp lease-list [interface_name]
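The lease-table check described in this step, as an added example that is not part of the original document: a Python script that parses text shaped like the lease listing and confirms that a known wired client and a known wireless client both hold leases on the software switch interface, inside the configured pool. The column layout (interface name on an unindented line, then IP, MAC, expiry and hostname per lease), the sample output and the two client MAC addresses are all constructed assumptions, not captured from a device.

```python
"""Verify that wired and wireless clients share the bridged segment
(added example, not Fortinet code). Parses a DHCP lease listing in an
assumed layout and checks every lease against the configured pool."""
import ipaddress
import re

# Constructed sample in the assumed layout; not real 'execute dhcp lease-list'
# output. One wired and one wireless client, both on InternalNetwork.
SAMPLE_LEASES = """\
InternalNetwork
  IP               MAC                 Expiry                    Hostname
  192.168.50.10    00:0c:29:4a:11:01   Thu Jun 14 10:02:11 2012  wired-pc
  192.168.50.11    00:26:c6:8b:22:02   Thu Jun 14 10:05:43 2012  wifi-laptop
"""

# Assumed (hypothetical) client MACs for the check below.
EXPECTED_CLIENTS = {"wired": "00:0c:29:4a:11:01", "wireless": "00:26:c6:8b:22:02"}
POOL = ("192.168.50.10", "192.168.50.200")  # the page's DHCP scope

LEASE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f:]{17})\s+(.*\S)\s+(\S+)\s*$")


def parse_leases(text):
    """Return [(interface, ip, mac, hostname), ...]; header lines are skipped."""
    leases, iface = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            iface = line.strip()  # unindented line names the interface
            continue
        m = LEASE_RE.match(line)
        if m:
            leases.append((iface, m.group(1), m.group(2).lower(), m.group(4)))
    return leases


def verify_segment(leases, iface, pool, expected):
    """Findings for leases on `iface`; an empty list means the check passed."""
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    findings, seen = [], {}
    for lif, ip, mac, host in leases:
        if lif != iface:
            continue
        if not lo <= ipaddress.ip_address(ip) <= hi:
            findings.append(f"{host} ({ip}) is outside pool {pool[0]}-{pool[1]}")
        seen[mac] = ip
    for label, mac in expected.items():
        if mac.lower() not in seen:
            findings.append(f"{label} client {mac} has no lease on {iface}")
    return findings


if __name__ == "__main__":
    found = verify_segment(parse_leases(SAMPLE_LEASES), "InternalNetwork", POOL, EXPECTED_CLIENTS)
    print("OK: wired and wireless clients share 192.168.50.0/24" if not found else found)
```

Because the lease table alone cannot tell a wired client from a wireless one, the script keys on the MAC addresses you expect from each side; if either is missing, or a lease falls outside the pool, that is the first thing to investigate before suspecting the firewall policy.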

Related Information

For more information on how to configure and troubleshoot FortiGate and FortiWifi appliances, please visit:
http://docs.fortinet.com/fgt.html

Copyright© 2010 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other
Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network
environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to
the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s
internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S.
Patent No. 5,623,600.
