dwdino
New Member
January 18, 2017
Question

DHCP Issues


Deploying a FortiGate 60D-POE, we found a few issues with DHCP as we transition from our Juniper SSG:

1) Every reserved IP must have a pool behind it.

2) Because of #1, we must create multiple pools.

3) We are limited to a maximum of 3 IP pools per interface/subnet.

 

We do a lot of IP segmentation to assist with our firewall policy like the following:

 

.40-.50 are assigned to group 1 and they are allowed access to X,Y

.60-.70 are assigned to group 2 and they are allowed access to Z

.90-.100 are assigned to group 3 and they are allowed access to scheduled Z

.110-.120 are the general pool to which any visitor can connect, and they are allowed access to site 1.

 

I am unable to find a clean way of setting this up. If I make a class C pool, I then have to block out a whole lot of addresses.

 

Any ideas?

    1 reply

    emnoc
    New Member
    January 18, 2017

    Just set a firewall address as a range and allow those ranges, e.g.:

    config firewall address
        edit "group1"
            set type iprange
            set start-ip 10.10.1.10
            set end-ip 10.10.1.20
        next
        edit "group2"
            set type iprange
            set start-ip 10.10.1.11
            set end-ip 10.10.1.21
        next
        edit "group3"
            set type iprange
            set start-ip 10.10.1.30
            set end-ip 10.10.1.40
        next
    end

     

    config firewall policy
        edit 10
            set srcintf "lan"
            set dstintf "wan1"
            set srcaddr "group1"
            set dstaddr "selected-targets1"
            set action accept
            set schedule "always"
            set service "HTTP" "HTTPS" "PING" "DNS" "custom_group111"
            set nat enable
        next
        edit 11
            set srcintf "lan"
            set dstintf "wan1"
            set srcaddr "group2"
            set dstaddr "selected-targets2"
            set action accept
            set schedule "always"
            set service "HTTP" "HTTPS" "PING" "DNS" "custom_group121"
            set nat enable
        next
        edit 12
            set srcintf "lan"
            set dstintf "wan1"
            set srcaddr "group3"
            set dstaddr "selected-targets3"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

     

     

    And then, in the DHCP server, set static assignments.

     

     

    Alternatively, and smarter, you could deploy an identity-based policy and use the "user id" to select what he/she has access to, ignoring the IP address assignment.

     

    YMMV depending on what you want and are trying to do.

     

     

    ;)

    Ken
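The scheme in the question (policy by DHCP range) and the reply's suggestion (one iprange address object plus one policy per group, with static DHCP assignments) both fail quietly if two ranges overlap or a reservation lands outside its group's range: the host simply matches the wrong policy. The following is an added example, not code from the thread or from Fortinet. It takes a segmentation table, checks it for those two mistakes, and renders the corresponding FortiGate CLI in the shape of the reply's example. The 192.168.1.0/24 subnet, the destination object names (targets_X_Y, target_Z, site1), the "business_hours" schedule and the MAC addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Segment:
    """One address-range group: who it is and what it may reach."""
    name: str        # FortiGate firewall address object name
    start: str       # first IPv4 address in the range (inclusive)
    end: str         # last IPv4 address in the range (inclusive)
    dst: str         # destination address object used in the policy
    services: tuple  # FortiGate service object names
    schedule: str = "always"


def _bounds(seg):
    s, e = ipaddress.IPv4Address(seg.start), ipaddress.IPv4Address(seg.end)
    if s > e:
        raise ValueError(f"{seg.name}: start-ip {seg.start} is after end-ip {seg.end}")
    return s, e


def find_overlaps(segments):
    """Return (name_a, name_b) for every pair of segments whose ranges intersect.
    A host in two ranges matches two policies; only the first one wins."""
    bounds = [(seg.name, *_bounds(seg)) for seg in segments]
    hits = []
    for i, (na, sa, ea) in enumerate(bounds):
        for nb, sb, eb in bounds[i + 1:]:
            if sa <= eb and sb <= ea:
                hits.append((na, nb))
    return hits


def misplaced_reservations(segments, reservations):
    """reservations maps MAC -> (reserved_ip, intended_group). Return the MACs
    whose static lease lies outside their group's range (wrong policy applied)."""
    by_name = {seg.name: _bounds(seg) for seg in segments}
    return [mac for mac, (ip, group) in reservations.items()
            if not by_name[group][0] <= ipaddress.IPv4Address(ip) <= by_name[group][1]]


def render_addresses(segments):
    """Emit the 'config firewall address' block, one iprange object per segment."""
    out = ["config firewall address"]
    for seg in segments:
        out += [f'    edit "{seg.name}"', "        set type iprange",
                f"        set start-ip {seg.start}", f"        set end-ip {seg.end}",
                "    next"]
    out.append("end")
    return "\n".join(out)


def render_policies(segments, srcintf="lan", dstintf="wan1", first_id=10):
    """Emit one accept policy per segment, numbered consecutively from first_id."""
    out = ["config firewall policy"]
    for pid, seg in enumerate(segments, start=first_id):
        svc = " ".join(f'"{s}"' for s in seg.services)
        out += [f"    edit {pid}", f'        set srcintf "{srcintf}"',
                f'        set dstintf "{dstintf}"', f'        set srcaddr "{seg.name}"',
                f'        set dstaddr "{seg.dst}"', "        set action accept",
                f'        set schedule "{seg.schedule}"', f"        set service {svc}",
                "        set nat enable", "    next"]
    out.append("end")
    return "\n".join(out)


# Constructed sample: the question's .40-.50 / .60-.70 / .90-.100 / .110-.120 layout on
# an assumed 192.168.1.0/24 LAN; destination, service and schedule names are placeholders.
SEGMENTS = [
    Segment("group1", "192.168.1.40", "192.168.1.50", "targets_X_Y", ("HTTP", "HTTPS")),
    Segment("group2", "192.168.1.60", "192.168.1.70", "target_Z", ("HTTPS",)),
    Segment("group3", "192.168.1.90", "192.168.1.100", "target_Z", ("HTTPS",), "business_hours"),
    Segment("visitors", "192.168.1.110", "192.168.1.120", "site1", ("HTTP", "HTTPS", "DNS")),
]

# Constructed ranges shaped like the reply's example: group1 and group2 share .11-.20.
OVERLAPPING = [
    Segment("group1", "10.10.1.10", "10.10.1.20", "t1", ("HTTP",)),
    Segment("group2", "10.10.1.11", "10.10.1.21", "t2", ("HTTP",)),
    Segment("group3", "10.10.1.30", "10.10.1.40", "t3", ("ALL",)),
]

# Constructed static DHCP reservations: MAC -> (ip, intended group).
RESERVATIONS = {
    "00:11:22:33:44:55": ("192.168.1.45", "group1"),
    "00:11:22:33:44:66": ("192.168.1.75", "group2"),  # .75 is outside .60-.70
}

if __name__ == "__main__":
    print("overlaps:", find_overlaps(SEGMENTS), find_overlaps(OVERLAPPING))
    print("misplaced:", misplaced_reservations(SEGMENTS, RESERVATIONS))
    print(render_addresses(SEGMENTS), render_policies(SEGMENTS), sep="\n")
```

Run the checks before pasting the rendered CLI into the FortiGate: an overlap or a misplaced reservation means a device will land in a group other than the one its firewall policy was written for, which is exactly the silent failure this kind of range-based segmentation is prone to.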