Skip to main content
hannq
hannq
Explorer
November 13, 2024
Solved

Seeking Guidance on Configuring DHCP Relay for VLAN Interface with Different Subnet

  • November 13, 2024
  • 3 replies
  • 3558 views

Hello Fortinet Community,

I am currently working with a FortiGate firewall 61F v7.2.6 setup where I have a VLAN switch interface named bgroup0 with a physical connection to internal3. The IP address assigned to bgroup0 is 192.168.1.1/24, and it is connected to an Aruba switch.

The goal is to have new devices that connect via LAN cable to the Aruba switch send DHCP requests to the bgroup0 interface. However, for security purposes, I would like these devices to receive IP addresses from a different subnet, such as 192.168.2.0/24. I initially tried using a secondary IP, but due to subnet conflicts, this did not work as intended.

I am considering configuring DHCP Relay on the bgroup0 interface to forward these DHCP requests to another DHCP server(internal2 or internal5) that is configured to assign IP addresses in the 192.168.2.0/24 range. However, I am uncertain about the exact configuration steps required to achieve this.

Could anyone provide guidance or confirm if this approach is feasible? Specifically, I would appreciate assistance with the necessary commands to configure DHCP relay on the bgroup0 interface, as well as any potential considerations or best practices to ensure smooth operation.

 

Thank you very much for your support and assistance!

1.png2.png
Best answer by dingjerry_FTNT

Hi @hannq ,

 

There is no special command for DHCP Relay.  Actually, as per your screenshots, you already configured the DHCP Relay on bgroup0 pointing to 192.168.9.1 which is the interface internal2.

 

However, it seems that interface internal2 does not have DHCP configurations with 192.168.2.0/24 subnet.

 

Another thing is that you need a firewall policy allowing traffic between bgroup0 and internal2.

 

The concept of DHCP Relay is that it is pointing to another DHCP server which has the IP of the DHCP Relay setting.

3 replies

dingjerry_FTNT
Staff
dingjerry_FTNTAnswer
Staff
November 13, 2024

Hi @hannq ,

 

There is no special command for DHCP Relay.  Actually, as per your screenshots, you already configured the DHCP Relay on bgroup0 pointing to 192.168.9.1 which is the interface internal2.

 

However, it seems that interface internal2 does not have DHCP configurations with 192.168.2.0/24 subnet.

 

Another thing is that you need a firewall policy allowing traffic between bgroup0 and internal2.

 

The concept of DHCP Relay is that it is pointing to another DHCP server which has the IP of the DHCP Relay setting.

dingjerry_FTNT
Staff
dingjerry_FTNT
Staff
November 13, 2024

This Youtube video might give you the idea how to configure DHCP Relay on FortiGate:

 

Configure Fortigate Interface Using DHCP Relay With Windows Server 

hannq
hannqAuthor
Explorer
November 13, 2024

Thank you very much for your help! I watched the video on configuring a DHCP server with Windows Server, and it provided some useful insights.

I’d like to clarify my setup and see if you could offer further guidance. My goal is to set up DHCP relay from one interface (e.g., bgroup0) to another interface (internal2). I’ve already configured a DHCP range on internal2 to assign IP addresses, and I’ve created a firewall policy to allow communication between these interfaces.

However, it’s still not working as expected. internal2 is not assigning IP addresses to devices connecting through bgroup0. Could you help me troubleshoot this issue or suggest any additional settings I might need to check?

Thank you again for your assistance!

dingjerry_FTNT
Staff
dingjerry_FTNT
Staff
November 13, 2024

Hi @hannq ,

 

Please capture some pcap using the following CLI command:

 

diag sniffer packet any 'host 192.168.9.1 and (port 67 or port 68)' 6

 

Then try to reproduce the issue to get some packet captures.

 

Please attach the outputs as a TEXT file so I can convert them for further investigation.

 

And please provide the relevant firewall policies as well.

sw2090
SuperUser
sw2090
SuperUser
November 13, 2024

"Another thing is that you need a firewall policy allowing traffic between bgroup0 and internal2." 

What for? DHCP Relaying means the incoming request terminates on the FGT and gets proxied to the destination. This doesn't need any policy.

Terms & ConditionsAccessibility statement