WiFi network with external DHCP service


In this example, you use an external DHCP server to assign IP addresses to your WiFi clients.

The DHCP server assigns IP addresses in the range of to The server is attached to Port 13 of the FortiGate and has an IP address of

1. Configure the FortiGate network interface for the DHCP server

Go to System > Network > Interfaces and edit Port13.

The external DHCP server is on the network, so put the interface on that network.

2. Create the SSID

Go to WiFi Controller > WiFi Network > SSID and configure your wireless network.

The DHCP server assigns IP addresses on the network, so configure the SSID address on this network.

Enable DHCP Server, then expand Advanced and change the mode to Relay. Enter the external DHCP server IP address.

Set up security and authentication for your SSID.

In this case, WPA2 Enterprise authentication allows access only to members of the employees user group.

3. Create the security policies

Create a policy to allow the WiFi network to communicate with the DHCP Server on Port 13.

The source and destination networks are directly visible to each other, so NAT is not required.

Create a policy to allow WiFi clients to connect to the Internet on wan1.

4. Connect and authorize the FortiAP unit

Configure the network interface where the FortiAP will be connected.

Go to WiFi Controller > Managed Access Points > Managed FortiAPs. The FortiAP is listed, with a yellow question mark beside it because the device is not authorized.

Highlight the FortiAP unit on the list and select Authorize. A grey checkmark is now shown beside the FortiAP, showing that it is authorized but not yet online.

Go to WiFi Controller > WiFi Network > FortiAP Profiles and edit the profile, adding your SSID to each radio.


WiFi devices can connect to the Internet. You can see them in the client monitor (WiFi Controller > Monitor > Client Monitor). Note the IP addresses assigned by the external DHCP server.

For further reading, check out the Deploying Wireless Networks in the FortiOS 5.2 Handbook.

Jonathan Coles

Jonathan Coles

Technical Writer at Fortinet
Jonathan Coles is part of the FortiOS Technical Documentation team in Ottawa. He has a B.A. in English from the University of Waterloo and an Electronics Technologist diploma from Conestoga College. Long ago at another company he convinced a documentation manager that he could write. After writing about telephone PBXs, text search software, cell tower planning software, and some less memorable things, he joined Fortinet around the time that FortiOS 3.0 was released.
Jonathan Coles

Latest posts by Jonathan Coles (see all)

  • Was this helpful?
  • Yes   No
The FortiAP may not appear until a few minutes have passed.
  • bob

    tnx for that just as a small update , once i tested apparently for some reason dhcp server is not transmitting packets to my fgt . so i replicated the setup using a 60D unit inetad of my 100D with a test dhcp server and i had the same result effect. so my question is is there anything that needs to be done on the DHCP server or options to be enabled on the vlan scopes . that could be recommended?

  • bob

    already did , rep stayed remotely more than 4 hours Plus .. couldn’t get it done and told that its a switching problem which believe is BS since we tested all possible routed and end client can connect to the access points then get kicked out or the i changes to 169.245…..

    • bdickie

      I am sorry to hear that. We will get someone on the team to review the recipe. The only other suggestion I would have is to ask a question on our forums,

  • bob

    This doesn’t work in my setup i got a dhcp server with around 10 vlan subnets the access points are connected and i set up the dhcp severer for relay mode , however the clients connected to access points are not getting ips . Any advise ?

  • selvaraj manoharan

    Hi Team,
    We plan to set up a vpn tunnel between H.O and Branch office, hence we decided to purchase fortigate product to establish the connection.

    Requirement is : From H.O we need to connect US network for server support., once we establish the connection in branch and head office. Hence, suggest me the steps to proceed further.