FortiMike
New Member
January 28, 2022
Solved

FortiGate DHCP Server and Relay on SVI

  • January 28, 2022
  • 3 replies
  • 6487 views

Hello

Is it possible for a FortiGate to both act as the DHCP server and relay?

The reason I would want this is because I have a NAC solution that would use the relay information to profile the endpoint, and the endpoint also needs to get an IP address from the FortiGate DHCP server.

I have tested this in a Lab, but I am getting this error:

FORTINET-FW (CISCO-CORP-LAN) # set dhcp-relay-service enable
FORTINET-FW (CISCO-CORP-LAN) # set dhcp-relay-ip 10.0.1.51
FORTINET-FW (CISCO-CORP-LAN) # set dhcp-relay-agent-option enable
FORTINET-FW (CISCO-CORP-LAN) # show
config system interface
    edit "CISCO-CORP-LAN"
        set vdom "root"
        set dhcp-relay-service enable
        set ip 10.100.100.1 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 7
        set dhcp-relay-ip "10.0.1.51"
        set interface "port4"
        set vlanid 100
    next
end

FORTINET-FW (CISCO-CORP-LAN) # next
dhcp server 2 of type Ethernet already exists on this interface, cannot add relay!
object set operator error, -76 discard the setting
Command fail. Return code 1

config system dhcp server
    edit 2
        set dns-service default
        set default-gateway 10.100.100.1
        set netmask 255.255.255.0
        set interface "CISCO-CORP-LAN"
        config ip-range
            edit 1
                set start-ip 10.100.100.50
                set end-ip 10.100.100.254
            next
        end
    next

Regards

Best answer by akristof

3 replies

akristof
Staff
January 28, 2022

Hello,

As your test has shown, you can have only one option, server or relay.

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/709255/dhcp-servers-and-relays

"An interface can't provide both a server and a relay for connections of the same type (regular or IPsec)."

Moderator note/edit: This is no longer the case as of FortiGate v7.0.5. FortiGate v7.0.5 and higher versions now support having both a server and a relay for connections of the same type. See this document.

- @Stephen_G

Debbie_FTNT
Staff & Editor
January 28, 2022

Hey Mike,

perhaps if you elaborate a bit as to what you're trying to achieve?
A DHCP relay makes sense if you want the DHCP requests to be relayed from the FortiGate interface to a different DHCP server which handles the actual IP assignment. A DHCP server on the FortiGate interface makes sense if you want the FortiGate to assign an IP.

Having two DHCP servers assign IPs to the same client (the FortiGate plus whatever DHCP server is reached through relay) would cause significant issues in my eyes.

Do you want FortiGate to forward its DHCP information to another server for monitoring/profiling information?

-> I'm not certain that's possible
Or do you want the NAC to act as DHCP server, and just have FortiGate forward DHCP requests to the NAC?

-> in this case, create DHCP server configuration on your NAC solution, scrap the DHCP server on the FortiGate interface, and just set up a relay

FortiMike
New Member
February 2, 2022

The FortiGate will be the DHCP server.

The NAC solution will use the DHCP relay information to profile/classify an endpoint. The NAC server would never reply with an address assignment. It would just profile the device as an Apple Smartphone, Windows endpoint or Kali Linux laptop or something like that.

The only solution, for now, is to have a separate DHCP server and then create two DHCP relays on the FortiGate, one to the NAC, and one to the actual DHCP server.

tom78587
Explorer
July 28, 2023

On Fortigate 7.0.5, you can set an interface as both DHCP server and relay.

https://docs.fortinet.com/document/fortigate/7.0.5/administration-guide/783526/dhcp-server

ebilcari
Staff
July 30, 2023

And it looks like it's added to help in this particular type of setup :)
A FortiGate interface can be configured to work in DHCP server mode to lease out addresses, and at the same time relay the DHCP packets to another device, such as a FortiNAC to perform device profiling.

Emirjon
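As an added example (it is not from this thread or from Fortinet), the Python below builds a DHCPDISCOVER the way a relay agent hands it on, with giaddr set to the SVI address from the thread, hops incremented, and option 82 attached as `dhcp-relay-agent-option enable` does, and then extracts from the relayed copy the fields a profiler such as the NAC keys on. The MAC, hostname, vendor class and circuit-id are constructed sample values.

```python
import struct
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header

def build_relayed_discover():
    # Constructed sample: a DHCPDISCOVER as the relay forwards it (giaddr = SVI, hops 1, option 82 added)
    header = struct.pack(
        HEADER_FMT, 1, 1, 6, 1,           # BOOTREQUEST, Ethernet, hlen 6, hops 1
        0x3903F326, 0, 0x8000,            # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr
        bytes([10, 100, 100, 1]),         # giaddr: the relaying interface
        b"\x00\x11\x22\x33\x44\x55" + b"\0" * 10,  # chaddr (constructed MAC)
        b"\0" * 64, b"\0" * 128)          # sname, file
    options = (b"\x35\x01\x01"                      # 53: message type 1 = DISCOVER
               + b"\x0c\x06iPhone"                  # 12: hostname
               + b"\x37\x05\x01\x03\x06\x0f\x77"    # 55: parameter request list
               + b"\x3c\x08MSFT 5.0"                # 60: vendor class identifier
               + b"\x52\x09\x01\x07vlan100"         # 82: sub-option 1 = circuit-id
               + b"\xff")                           # end option
    return header + MAGIC_COOKIE + options

def _tlv(data):
    # Walk a TLV area (DHCP options, or option 82 sub-options, which share the layout).
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                  # pad byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def profile_relayed_dhcp(pkt):
    # Pull out what a profiler such as the NAC keys on; it only observes, never answers.
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    h = struct.unpack(HEADER_FMT, pkt[:236])
    opts = _tlv(pkt[240:])
    relay = _tlv(opts.get(82, b""))
    return {
        "message_type": opts.get(53, b"\0")[0],
        "hops": h[3],
        "giaddr": ".".join(str(b) for b in h[10]),   # 0.0.0.0 means not relayed
        "chaddr": h[11][:h[2]].hex(":"),
        "hostname": opts.get(12, b"").decode(errors="replace"),
        "vendor_class": opts.get(60, b"").decode(errors="replace"),
        "param_request_list": list(opts.get(55, b"")),
        "circuit_id": relay.get(1, b"").decode(errors="replace"),
    }
```

Because the NAC only sees the relayed copy, a giaddr of 0.0.0.0 or a missing option 82 in what it receives is the first thing to check when profiling data comes back incomplete.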