<div>
Your diagram is pretty helpful. &nbsp;In that regard, I presume that T10 on the Fortigate is intended to be the connection to the WiFi controller? &nbsp;That's not explicit (as T10 and T30 on the WiFi controller could be independent.... perhaps).<br />
<br />
I'm not clear what this means:<br />

<blockquote>
DHCP server on LAN 10.0.1.0 will subnet 10.0.99.0 will start DHCP negoitation with the wifi client,<br />
through the trunk -&gt; PoE Switch -&gt; WiFi Controller -&gt; Wifi client.<br />

</blockquote>
Does this mean:DHCP server on the Sonicwall / LAN 10.0.10.0 WITH subnet 10.0.99.0 ???? Well one might *presume* /24 but you don't say so maybe it's 10.0.9.0???<br />
Whether the WiFi Controller has a DHCP server running is unclear. &nbsp;I suspect NOT, eh?<br />
<br />

<blockquote>
After DHCP negotiation, the PoE switch should have the MAC address Wifi client and the correct port (ie the port connecting to the controller) . Am I corect ? 
</blockquote>
Yes. &nbsp;That sounds correct.<br />
<br />

<blockquote>
When wifi client access any servers 10.0.1.0 behind Sonicwall, it will go through <br />
&nbsp; wifi client -&gt; Wifi Controller -&gt; PoE Switch -&gt; Fortigate -&gt; PoE Switch Sonicwall, correct ?
</blockquote>
Yes. That sounds correct.<br />
<br />

<blockquote>
How does server in network 10.0.1.0 return to the Wifi client (10.0.99.0) ? How does Sonicwall know that the client is behind the Controller ?
</blockquote>
 Since the 10.0.99.0 subnet is also on the Sonicwall, it seems that a route on the Sonicwall from 10.0.1.0 to 10.0.99.0 would do it. &nbsp;Imagine if there were wired clients on the Sonicwall on VLAN30 with subnet 10.0.99.0. &nbsp;And, imagine if you wanted them to talk to clients on 10.0.1.0? &nbsp;There would be a route between those two VLANs.<br />
<br />
I may be missing something in the motivation here that leads to this architecture. &nbsp;It appears you're trying to provide wireless access to both 172.16.172.0 AND 10.0.99.0. &nbsp;Is that right?<br />
I can understand that maybe you want the wireless clients to be isolated but then you don't seem to be intending to do that.<br />
<br />
Tell us what the big picture objectives are and perhaps there can be a suggestion.
</div>


<div>
The Window DHCP server on LAN subnet 10.0.1.0 can also provide IP leasing for 10.0.99.0. The intention of the design &nbsp;is to allow wifi client to access the LAN server through wireless network.<br />
<br />
Sonicwall has defined 10.0.99.1 on X2 (VLAN 30). The return packet from server to wifi client will go to Sonicwall. Sonicwall know 10.0.99.0 subnet is connected to X2 and it will route the packet to the PoE switch. &nbsp;The PoE switch should have wif client mac address , which is the port connecting to the Wifi controller. Hence the MAC address table of PoE switch provide the information to route the packet from Sonicwall back to the Wifi controller and finally returns to the wifi client.<br />
<br />
Am I correct ?<br />
<br />
Thx<br />
<a href="https://filedb.experts-exchange.com/incoming/2016/07_w30/1107151/Sonicwall01.png" target="_blank" class="file-inline" title="Sonicwall02 (11 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Sonicwall01.png</a>
</div>


Sonicwall01.png

<div>
I have checked the route<br />
<br />
1. Fortigate don't have any route for 10.0.99.0 subnet<br />
2. In Sonicwall, there is no a route for 10.0.99.0 which is point to interface X2:30, which is connect the Sonicwall back to PoE Switch.<br />
<br />
So, can I say that return packet is based on the PoE switch using the MAC-address table. I can see the MAC address of the wifi client (of course, not the IP address)..<br />
<br />
Thx
</div>


<div>
Hi There,<br />
<br />
Could you place the output of the below:<br />
<br />
i)<br />
#Sh ip route from the PoE switch<br />
ii)<br />
Routing table of the sonicwall and the fortigate<br />
iii)<br />
Trace from the client to Shoretel server and Vice versa.<br />
<br />
Also confirm the significance of 10.0.99.x subnet.
</div>


<div>
There seems to be some misunderstanding. &nbsp;As I see things now (albeit with imperfect information):<br />
<br />

<blockquote>
1. Fortigate don't have any route for 10.0.99.0 subnet
</blockquote>
That may be unfortunate. &nbsp;I don't see that it can hurt anything; so why not?<br />
<br />

<blockquote>
2. In Sonicwall, there is no a route for 10.0.99.0 which is point to interface X2:30, which is connect the Sonicwall back to PoE Switch.
</blockquote>
So the trunk VLAN 1,30 is on X2. &nbsp;Is that right? &nbsp;At any rate, if 10.0.99.0 is &quot;known&quot; by the Sonicwall then it must have a route. &nbsp;If all the route does is go to the gateway &nbsp;(via 0.0.0.0 the default route) . &nbsp;Is the gateway for the Sonicwall the Fortigate or the PoE Switch? You have still not said if the switch is Level2 or Level3 mode.... &nbsp;Once more, if there's no route in the Sonicwall for 10.0.99.0 AND no route in the gateway then there's no path and packets will be dropped. &nbsp;The MAC address instance in the switch is normal but won't help.<br />
<br />

<blockquote>
So, can I say that return packet is based on the PoE switch using the MAC-address table. I can see the MAC address of the wifi client (of course, not the IP address)..
</blockquote>
No.
</div>


<div>
The switch is C2960X, guessing it is a L2. &nbsp;172.16.172.254 is Fortigate IP.<br />
<br />
<br />
POES1#sh ip route<br />
Default gateway is 172.16.172.254<br />
<br />
Host &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Gateway &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Last Use &nbsp; &nbsp;Total Uses &nbsp;Interface<br />
ICMP redirect cache is empty<br />
Y5POES1#
</div>


<div>
Hi there,<br />
<br />
Kindly share the remaining outputs as requested for in my previous post.
</div>


<div>
The fact that the switch has a gateway entry may be fairly meaningless in this discussion if it's a Layer 2 switch. &nbsp;It's likely there to support things like firmware updates, etc.<br />
<br />
Kindly share the outputs as requested by Ian Arakel.
</div>


<div>
10.0.99.0 is the subnet for wifi client connecting to internal LAN server through Radius authentication, Thx<br />
<a href="https://filedb.experts-exchange.com/incoming/2016/07_w30/1107535/Dump1.txt" target="_blank" class="file-inline" title="Dump1 (202 bytes)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Dump1.txt</a><br />
<a href="https://filedb.experts-exchange.com/incoming/2016/07_w30/1107536/Dump2-Sonicwall.png" target="_blank" class="file-inline" title="Dump2 (34 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Dump2-Sonicwall.png</a><br />
<a href="https://filedb.experts-exchange.com/incoming/2016/07_w30/1107537/Dump3-Fortigate.png" target="_blank" class="file-inline" title="Dump3 (13 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Dump3-Fortigate.png</a><br />
<a href="https://filedb.experts-exchange.com/incoming/2016/07_w30/1107538/dump4-tracert-to-Radius.txt" target="_blank" class="file-inline" title="Dump4 (154 bytes)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>dump4-tracert-to-Radius.txt</a>
</div>


Dump2-Sonicwall.png

Dump1.txt

Dump3-Fortigate.png

dump4-tracert-to-Radius.txt

<div>
<div class="content wysiwyg-content">
WiFi Controller has setup a Radius server 10.0.1.120 behind Sonicwall.<br />
<br />
Wifi client assigned with VLAN30 need to authenticated through Radius 10.0.1.120.<br />
For WiFi controller routing to network 10.0.1.0, it need to route through Fortigate and then to Sonicwall.<br />
<br />
DHCP server on LAN 10.0.1.0 will subnet 10.0.99.0 will start DHCP negoitation with the wifi client,<br />
through the trunk -&gt; PoE Switch -&gt; WiFi Controller -&gt; Wifi client.<br />
<br />
After DHCP negotiation, the PoE switch should have the MAC address Wifi client and the correct port (ie the port connecting to the controller) . Am I corect ?<br />
<br />
When wifi client access any servers 10.0.1.0 behind Sonicwall, it will go through <br />
&nbsp; wifi client -&gt; Wifi Controller -&gt; PoE Switch -&gt; Fortigate -&gt; PoE Switch Sonicwall, correct ?<br />
<br />
How does server in network 10.0.1.0 return to the Wifi client (10.0.99.0) ? How does Sonicwall know that the client is behind the Controller ?<br />
<br />
Thx<br />
<a href="https://filedb.experts-exchange.com/incoming/2016/07_w29/1107063/Diagram.png" target="_blank" class="file-inline" title="Network (15 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Diagram.png</a>
</div>
</div>


Diagram.png

WiFi Controller has setup a Radius server 10.0.1.120 behind Sonicwall.

Wifi client assigned with VLAN30 need to authenticated through Radius 10.0.1.120.
For WiFi controller routing to network 10.0.1.0, it need to route through Fortigate and then to Sonicwall.

DHCP server on LAN 10.0.1.0 will subnet 10.0.99.0 will start DHCP negoitation with the wifi client,
through the trunk -> PoE Switch -> WiFi Controller -> Wifi client.

After DHCP negotiation, the PoE switch should have the MAC address Wifi client and the correct port (ie the port connecting to the controller) . Am I corect ?

When wifi client access any servers 10.0.1.0 behind Sonicwall, it will go through 
  wifi client -> Wifi Controller -> PoE Switch -> Fortigate -> PoE Switch Sonicwall, correct ?

How does server in network 10.0.1.0 return to the Wifi client (10.0.99.0) ? How does Sonicwall know that the client is behind the Controller ?

Thx

Routing question between wifi / firewall and switch

A switch is a device that filters and forwards packets of data between LAN segments. Switches operate at the data link layer or the network layer of the Open Systems Interconnection (OSI) Reference Model and therefore support any packet protocol. LANs that use switches to join segments are called switched LANs or, in the case of Ethernet networks, switched Ethernet LANs. A hub is a connection point for devices in a network. Hubs are commonly used to connect segments of a LAN. A hub contains multiple ports; when a packet arrives at one port, it is copied to the other ports so that all segments of the LAN can see all packets.

Switches / Hubs

A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.

Routers

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.