Improve macOS Wi-Fi Roaming with FortiGate Tunnel Mode SSID

Fortinet: Improving macOS Roaming with Tunnel Mode SSID in FortiGate: VLAN Tagging Limitation

Summary:

This article outlines how configuring SSIDs in Tunnel Mode on FortiGate improves macOS Wi-Fi roaming. It also explains a design limitation: Tunnel Mode SSID traffic can only be placed into core VLANs (802.1Q tagged) when the FortiGate uplink to the core switch is a Layer 2 trunk, not a Layer 3 routed port.


Issue:

macOS devices often experience unreliable Wi-Fi roaming and poor session persistence when SSIDs are configured in Bridge Mode. In bridge mode each FortiAP bridges client traffic directly onto its own Ethernet port, so every roam moves the client's point of attachment to the wired network from one AP to another. These limitations can result in frequent disconnections and a degraded user experience, especially in multi-AP environments.


Resolution:

Fortinet recommends reconfiguring the SSID to Tunnel Mode. In tunnel mode each FortiAP carries client traffic inside its CAPWAP data tunnel to the FortiGate, where the SSID appears as a single network interface regardless of which AP the client is associated with, enabling:

  • Centralized policy enforcement

  • Improved session continuity

  • Seamless roaming across multiple access points, because the client's IP address, gateway and sessions stay anchored at the FortiGate

This configuration particularly improves roaming behavior on Apple macOS devices. Note that all wireless client traffic now traverses the FortiGate, so the uplink and the FortiGate itself must be sized for the aggregate wireless throughput, and firewall policies are required from the SSID interface to the wired network.
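The following FortiOS CLI configuration is an added example of a Tunnel Mode SSID, not configuration taken from the article. It assumes FortiOS 7.x syntax, VDOM "root", an SSID interface named "corp-wifi" with client subnet 10.20.0.0/24 and the FortiGate as gateway, a wired uplink "port1", a FortiAP profile named "FAP-default", and a placeholder passphrase; all of these names and addresses are assumptions.

```fortios
# Added example, not the article's own configuration. FortiOS 7.x CLI syntax.
# Assumptions: VDOM "root"; SSID interface "corp-wifi"; client subnet
# 10.20.0.0/24 with the FortiGate as gateway; wired uplink "port1"; FortiAP
# profile "FAP-default"; the passphrase is a placeholder.

# 1. The SSID. local-bridging disable = tunnel mode (enable = bridge mode).
config wireless-controller vap
    edit "corp-wifi"
        set ssid "Corp-WiFi"
        set security wpa2-only-personal
        set passphrase "ReplaceWithAStrongPassphrase"
        set pmf optional
        set local-bridging disable
        set schedule "always"
        set fast-roaming enable
    next
end

# 2. In tunnel mode the SSID is a FortiGate interface: give it the client
#    subnet's gateway address.
config system interface
    edit "corp-wifi"
        set ip 10.20.0.1 255.255.255.0
        set allowaccess ping
    next
end

# 3. Hand out addresses on the SSID interface (10 = any unused server ID).
config system dhcp server
    edit 10
        set interface "corp-wifi"
        set default-gateway 10.20.0.1
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 10.20.0.100
                set end-ip 10.20.0.200
            next
        end
    next
end

# 4. Broadcast the SSID on both radios of every FortiAP using this profile.
#    vap-all manual selects explicit SSIDs (older releases use "disable").
config wireless-controller wtp-profile
    edit "FAP-default"
        config radio-1
            set vap-all manual
            set vaps "corp-wifi"
        end
        config radio-2
            set vap-all manual
            set vaps "corp-wifi"
        end
    next
end

# 5. Nothing leaves the SSID interface without a firewall policy
#    (edit 0 = next free policy ID).
config firewall policy
    edit 0
        set name "corp-wifi-to-wired"
        set srcintf "corp-wifi"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two things the example leaves out: the interface the FortiAPs reach the FortiGate on must permit CAPWAP management access and the APs must be authorized, and `set fast-roaming enable` (802.11r) is an optional, separate setting from the tunnel-versus-bridge choice; whether to enable it depends on the client mix in the deployment.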


Design Limitation Identified:

Placing Tunnel Mode SSID traffic into separate core VLANs means sending it out of the FortiGate uplink with 802.1Q tags, which the core switch only accepts when its port is a Layer 2 trunk. If the FortiGate is connected to the core switch through a routed (Layer 3) port, the following limitations apply:

  • VLAN subinterfaces on the FortiGate uplink have no valid peer: a routed port does not process 802.1Q-tagged frames, so traffic sent through such subinterfaces is dropped.

  • Tunnel Mode SSID traffic therefore cannot be VLAN-tagged toward the core.

  • All wireless client traffic reaches the core untagged on one routed link, so segmentation is limited to what FortiGate firewall policies enforce between SSID interfaces.

Technical Note:
To map Tunnel Mode SSIDs to VLANs, the FortiGate must forward each SSID's traffic out an 802.1Q subinterface of the uplink. This only works when the core switch port at the other end supports 802.1Q trunking.


Recommended Solutions:

1. Convert the FortiGate Uplink to Trunk Mode (Layer 2):

  • Reconfigure the core-switch port facing the FortiGate as an 802.1Q trunk that allows the required VLANs. On the FortiGate side the uplink stays a normal interface that carries VLAN subinterfaces, or becomes a member of a software switch together with the SSID interfaces.

  • Create VLAN subinterfaces on the FortiGate uplink, one per VLAN.

  • Map each Tunnel Mode SSID to its VLAN, either by routing between the SSID interface and the VLAN subinterface with firewall policies, or by bridging the two in a software switch, for proper network segmentation.

2. Use Tunnel Mode Without VLAN Tagging:

  • Continue using Tunnel Mode SSIDs without VLAN mapping.

  • All client traffic is routed through a single untagged uplink interface. Each SSID still has its own interface and subnet on the FortiGate, so segmentation between SSIDs is enforced only by FortiGate firewall policies, not by the core switch.

  • Useful in simplified or temporary setups where segmentation is not critical.
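The following FortiOS CLI configuration is an added example of solution 1 (it also notes what solution 2 looks like by contrast), not configuration taken from the article. It assumes FortiOS 7.x syntax, VDOM "root", a standalone uplink "port1" (not part of a hardware switch) toward the core switch, core VLANs 100 (corporate) and 200 (guest) whose gateways 10.100.0.1 and 10.200.0.1 live on the core, and two existing Tunnel Mode SSID interfaces "corp-wifi" and "guest-wifi" that have no IP address and no firewall policies referencing them; all of these names, VLAN IDs and addresses are assumptions.

```fortios
# Added example, not the article's own configuration. FortiOS 7.x CLI syntax.
# Assumptions: VDOM "root"; standalone uplink "port1" toward the core switch;
# core VLANs 100 (corporate) and 200 (guest) with gateways 10.100.0.1 and
# 10.200.0.1 on the core; existing tunnel-mode SSID interfaces "corp-wifi" and
# "guest-wifi" with no IP address and no firewall policies referencing them.

# 1. 802.1Q subinterfaces on the uplink. This is the step that requires the
#    core switch port to be a trunk allowing VLANs 100 and 200: a routed port
#    does not process the tags, so frames sent here would be dropped.
config system interface
    edit "core-vlan100"
        set vdom "root"
        set interface "port1"
        set vlanid 100
    next
    edit "core-vlan200"
        set vdom "root"
        set interface "port1"
        set vlanid 200
    next
end

# 2. Bridge each SSID to its VLAN with a software switch, so wireless clients
#    share the broadcast domain, subnet and core-side gateway of the wired
#    hosts in that VLAN. Software switch members must carry no IP of their own.
config system switch-interface
    edit "corp-sw"
        set vdom "root"
        set member "corp-wifi" "core-vlan100"
    next
    edit "guest-sw"
        set vdom "root"
        set member "guest-wifi" "core-vlan200"
    next
end

# 3. Optional FortiGate address inside each VLAN (used by the checks below).
config system interface
    edit "corp-sw"
        set ip 10.100.0.2 255.255.255.0
        set allowaccess ping
    next
    edit "guest-sw"
        set ip 10.200.0.2 255.255.255.0
        set allowaccess ping
    next
end

# 4. Checks, run interactively rather than as part of the script. Frames with
#    VLAN tag 100 seen on port1 show the tag is being sent and received on the
#    trunk; a reply from the core gateway shows the core accepts it.
diagnose sniffer packet port1 'vlan 100' 4 10
execute ping 10.100.0.1
```

If the sniffer shows tagged frames leaving port1 but the ping never gets a reply, the core-switch port is almost certainly not a trunk allowing that VLAN, which is exactly the routed-port limitation described above. Solution 2 is the absence of steps 1 to 3: leave each SSID interface with its own subnet and write firewall policies from the SSID interface to port1, which sends everything to the core untagged.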


Conclusion:

Tunnel Mode SSIDs significantly enhance wireless roaming for macOS devices in Fortinet-managed networks. However, mapping those SSIDs to VLANs requires an 802.1Q trunk (Layer 2) uplink to the core switch. A routed uplink rules this out, so organizations should plan the network topology accordingly to support both segmentation and an optimized client experience.